On 21 Sep 2012, at 3:25 PM, Jeff Trawick <[email protected]> wrote:

>> 1: (why) do I need to specify the AuthName, Session, and authn
>> provider params (e.g. DBD query) in both the location I am protecting
>> and in the location that defines the form-login-handler?

You do, yes, because HTTP is stateless. The original hit to your original protected URL (request 1) triggered a redirect to your login page (request 2), which caused the end user to type a username and password and click submit (request 3). By the time request 3 has happened, the server has no idea request 1 has happened. Both request 1 and request 3 must be protected for the server to log you in.

>> 2: I'd like to say that an entire logical tree is protected, and have
>> a successful login redirect back to wherever the user tried to go in
>> the first place. However, the doc seems to be telling me that I need
>> to supply AuthFormLoginSuccessLocation with a specific URL in it.
>>
>> In other words, if I start out with
>>
>> <Location /protectedStuff/>
>> AuthType form
>> ...
>> </Location>
>>
>> and then I set up
>>
>> <Location /dologin.html>
>> SetHandler form-login-handler
>> ...
>> </Location>
>>
>> and the user navigates to /protectedStuff/banannas.html, I'd like a
>> successful login to redirect to that location, whereas if they
>> navigate to /protectedStuff/kumquats.html, ditto.

In this case, you want inline login, described at http://httpd.apache.org/docs/2.4/mod/mod_auth_form.html#inline

Regards,
Graham
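
A sketch of the inline login arrangement referred to above, added here as an example and not taken from the thread or from anyone's actual configuration. The realm name, file paths, passphrase placeholder and the file-based provider are assumptions; a DBD provider would slot in the same way.

```apache
# Added example (assumed names and paths). One block protects the whole tree.
# The login form is served in place at the URL the user asked for, so the
# form submission hits the same protected URL and no success location is needed.
<Location "/protectedStuff/">
    AuthType form
    AuthName "protected-stuff"

    # Assumption: file provider for brevity; use your own authn provider here.
    AuthFormProvider file
    AuthUserFile "conf/passwd"
    Require valid-user

    # Inline login: the login page is returned as the 401 body for the
    # requested URL instead of redirecting the browser elsewhere.
    ErrorDocument 401 "/login.html"

    # mod_auth_form keeps the login in a session (mod_session_cookie).
    # "secure" assumes the site is served over HTTPS.
    Session On
    SessionCookieName session path=/protectedStuff/;httponly;secure

    # Without mod_session_crypto the session cookie carries the credentials
    # unencrypted. Placeholder value: replace with a long random secret.
    SessionCryptoPassphrase "REPLACE-WITH-LONG-RANDOM-SECRET"
</Location>

# /login.html lives outside the protected tree. Its form uses an empty
# action, so it posts back to whichever protected URL triggered the 401,
# using the default mod_auth_form field names:
#
#   <form method="POST" action="">
#     <input type="text" name="httpd_username">
#     <input type="password" name="httpd_password">
#     <input type="submit" value="Login">
#   </form>
```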
