hmm, I guess this fell off the collective radar. any comments? otherwise, I guess it's good enough and I'll just commit it to both 2.0 and 2.1.
--Geoff Geoffrey Young wrote: > > [EMAIL PROTECTED] wrote: > >>pquerna 2004/07/10 00:47:23 >> >> Modified: . Tag: APACHE_2_0_BRANCH CHANGES STATUS >> modules/aaa Tag: APACHE_2_0_BRANCH mod_auth_digest.c >> Log: >> Backport of AuthDigestEnableQueryStringHack >> Needs a doc update to explain what it does. > > > something like the attached? corrections, tweaks, or other feedback welcome. > > --Geoff > > > > ------------------------------------------------------------------------ > > Index: mod_auth_digest.xml > =================================================================== > RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_auth_digest.xml,v > retrieving revision 1.5.2.8 > diff -u -r1.5.2.8 mod_auth_digest.xml > --- mod_auth_digest.xml 17 Apr 2004 18:43:37 -0000 1.5.2.8 > +++ mod_auth_digest.xml 12 Jul 2004 14:16:11 -0000 > @@ -72,7 +72,9 @@ > browsers. As of November 2002, the major browsers that support digest > authentication are <a href="http://www.opera.com/";>Opera</a>, <a > href="http://www.microsoft.com/windows/ie/";>MS Internet > - Explorer</a> (fails when used with a query string), <a > + Explorer</a> (fails when used with a query string - see the > + <directive module="mod_auth_digest">AuthDigestEnableQueryStringHack > + </directive> option below for a workaround), <a > href="http://www.w3.org/Amaya/";>Amaya</a>, <a > href="http://www.mozilla.org";>Mozilla</a> and <a > href="http://channels.netscape.com/ns/browsers/download.jsp"; > @@ -81,6 +83,36 @@ > in controlled environments.</p> > </note> > </section> > + > +<section id="msie"><title>Working with MS Internet Explorer</title> > + <p>The Digest authentication implementation in current Internet > + Explorer implementations has known issues, namely that <code><GET</code> > + requests with a query string are not RFC compliant. There are a > + few ways to work around this issue.</p> > + > + <p> > + The first way is to use <code>POST</code> requests instead of > + <code>GET</code> requests to pass data to your program. This method > + is the simplest approach if your application can work with this > + limitation. > + </p> > + > + <p>Apache also provides a workaround in the > + <code>AuthDigestEnableQueryStringHack</code> environment variable. > + If <code>AuthDigestEnableQueryStringHack</code> is true for the > + request, Apache will take steps to work around the MSIE bug and > + remove the request URI from the digest comparison. Using this > + method would look like similar to the following.</p> > + > + <example><title>Using Digest Authentication with MSIE:</title> > + BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On > + </example> > + > + <p>See the <directive module="mod_setenvif">BrowserMatch</directive> > + directive for more details on conditionally setting environment > + variables</p> > +</section> > + > > <directivesynopsis> > <name>AuthDigestFile</name>
