FreeRadius users mailing list <[email protected]> on August 2, 2005 at 01:55 -0800 wrote:
>Hi,
>
>> As was pointed out, you'll get authentication dialogs for every gif
>> & jpg on the page. This is a BAD idea.
>
>The gifs etc are located in an unprotected directory, surely this prevents
>from having to re-authenticate for each?

In theory, yes. However, this has been nixed by most browsers, in that "mixed content" presents a security risk. Your IE users will see a message saying "This page contains both secure and non-secure items..." at least on first connect, the FF users may not even get that -- I don't recall what happens with mixed content in FF.

>> > If I get a failed login, then try to login again it just uses cached
>> > credentials and doesn't prompt for details, if I close and re-open the
>> > browser it does then allow me to enter details.
>>
>> Then your browser is broken.
>
>Firefox and Opera are also broken in that case. :-(
>
>A bit of a dig around reveals this from the Apache site, which implies that
>all browsers cache the credentials.
>http://httpd.apache.org/docs/howto/auth.html#basicfaq

It sounds to me like the server isn't sending the correct error code for auth-failed, thus the browser thinks it's OK to use the old credentials.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
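The status-code point in the reply above, as an added example that is not part of the original thread: under HTTP authentication (RFC 7235), a 401 with a `WWW-Authenticate` challenge in answer to a request that carried credentials tells the client those credentials were refused, while any other rejection status gives it no reason to ask again. The realm, the user store, and every function name here are assumptions made for illustration, and `browser_reprompts` is a simplified model of client behaviour.

```python
import base64
import binascii
import hmac

REALM = "protected"                     # assumed realm name
USERS = {"alice": "correct horse"}      # constructed credential store

def make_header(user, password):
    """Build a Basic Authorization header value (constructed test input)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    if not header:
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None                     # malformed header counts as no credentials
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def respond(auth_header, reject_status=401):
    """Return (status, headers) for a request to the protected area.

    reject_status is what the server sends when credentials are present
    but wrong; 401 is the correct value, anything else models the fault.
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = parse_basic(auth_header)
    if creds is None:
        return 401, challenge           # no usable credentials: first prompt
    user, password = creds
    expected = USERS.get(user, "")
    # Constant-time comparison so the check does not leak password prefixes.
    ok = hmac.compare_digest(expected.encode(), password.encode())
    if ok and user in USERS:
        return 200, {}
    if reject_status == 401:
        return 401, challenge           # tells the client to discard and re-prompt
    return reject_status, {}            # client keeps replaying cached credentials

def browser_reprompts(status, headers):
    """Simplified client model: only a 401 challenge triggers a new dialog."""
    return status == 401 and "WWW-Authenticate" in headers
```
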

