On 03 Dec 2013, at 1:27 PM, Thomas Eckert <[email protected]> wrote:
> I have been having problems with mod_auth_form on returning DENIED from my
> custom auth provider. This provider has its own module-local session cache,
> where stuff like accessible paths, credentials and the like are stored to
> avoid having to query an external (and expensive) authentication daemon. Once
> such a session is accessed by the user browsing (e.g. with the corresponding
> session cookie) I might need to invalidate the session (e.g. time out). After
> failing the appropriate checks I would "return DENIED" but this had an
> unpleasant drawback: If a user accessed the session by sending the filled-in
> form (e.g. on a new device with no cookie) the code would still return DENIED
> if the session was invalid for whatever reason. This resulted in the user
> being shown the form again, even though the user just filled in the form
> correctly.

I'm not fully understanding the flow you're describing. Are you sure you're not accidentally password protecting / session protecting the login form? The login form needs to be accessible without any restrictions on authn/authz or session, otherwise httpd will deny access to the form too.

Can you clarify the flow of requests during login that you are expecting?

Regards,
Graham
--
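
The separation Graham describes, as an added configuration example that is not part of the original thread and not Thomas's or the httpd project's own config: the protected area and the form-login handler carry the mod_auth_form/mod_session setup, while the location serving the login page itself carries no AuthType, no Session and an unconditional Require. The paths (/private, /login.html, /dologin.html), the realm name, the passphrase and the use of the `file` provider with /etc/httpd/passwd are assumptions; a custom provider such as the one in the thread would be named in AuthFormProvider instead of `file`.

```apache
# Assumed layout (not from the thread): protected content under /private,
# the HTML login page at /login.html, the form POST target at /dologin.html.

# 1. Protected content: an unauthenticated request is redirected to the form.
<Location "/private">
    AuthType form
    AuthName "private area"
    AuthFormProvider file
    AuthUserFile "/etc/httpd/passwd"
    AuthFormLoginRequiredLocation "/login.html"
    Session On
    SessionCookieName session path=/
    SessionCryptoPassphrase "replace-with-a-real-passphrase"
    Require valid-user
</Location>

# 2. The login page itself: no AuthType, no Session, no "Require valid-user".
#    If this location inherited the block above, httpd would deny the form too
#    and the user would loop back to the form after every submission.
<Location "/login.html">
    Require all granted
</Location>

# 3. The form-login handler: consumes httpd_username / httpd_password from the
#    POSTed form, asks the provider, and on success writes the session cookie
#    and redirects. It needs the auth/session directives but no Require line.
<Location "/dologin.html">
    SetHandler form-login-handler
    AuthType form
    AuthName "private area"
    AuthFormProvider file
    AuthUserFile "/etc/httpd/passwd"
    AuthFormLoginRequiredLocation "/login.html"
    AuthFormLoginSuccessLocation "/private/"
    Session On
    SessionCookieName session path=/
    SessionCryptoPassphrase "replace-with-a-real-passphrase"
</Location>
```

The page at /login.html is a plain HTML form whose method is POST, whose action is /dologin.html, and whose input fields are named httpd_username and httpd_password. A quick check that the form is really unprotected is to request /login.html with no cookie at all and confirm it answers 200 rather than redirecting to itself; a custom provider that returns DENIED on a stale session then affects only the /private and /dologin.html paths, never the delivery of the form.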
