Hi there,
I've been using the http auth adapter lately and noticed something
strange. I tried to use different realms for different areas of my site.
Once I authenticated for one realm, the browser would send this one as
soon as I entered another realm. And here it comes, it did authenticate
for the other realm. To be clear:
1. auth for /realm1
2. auth for /realm2
The second auth wouldn't even ask for a password, it just used the
browser supplied old realm and saved username and password, which then
authenticated just fine. Is that by design? I thought, if I requested a
specific realm for authentication, that one would be checked.
Looking at the code, Zend_Auth_Adapter_Http really takes the user
supplied realm and passes it to the resolver without checking the
actually requested realm. As I've implemented my own resolver, I added
the check there and it works.
So is this a bug or a feature?
Cheers Jan
PS: The different authentications have different auth storages, so they
are completely independent.
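
The resolver-side realm check described in the message above, sketched as an added example (not Zend Framework code and not the poster's own resolver): a wrapper that refuses any realm other than the one its area was configured with. RealmPinnedResolver, ArrayResolver and the sample user are hypothetical, and the stand-in interface is assumed to match ZF1's resolve($username, $realm).

```php
<?php
// Added example. Stand-in so the file runs without ZF1 loaded (assumed to mirror its interface).
if (!interface_exists('Zend_Auth_Adapter_Http_Resolver_Interface')) {
    interface Zend_Auth_Adapter_Http_Resolver_Interface { public function resolve($username, $realm); }
}

// Hypothetical decorator: answers only for the realm its area was configured with.
class RealmPinnedResolver implements Zend_Auth_Adapter_Http_Resolver_Interface
{
    private $expectedRealm;
    private $inner;
    public function __construct($expectedRealm, Zend_Auth_Adapter_Http_Resolver_Interface $inner)
    {
        $this->expectedRealm = (string) $expectedRealm;
        $this->inner = $inner;
    }

    public function resolve($username, $realm)
    {
        // $realm is whatever the adapter hands over, possibly the client's value.
        if ((string) $realm !== $this->expectedRealm) {
            return false; // same answer as "user unknown in this realm"
        }
        return $this->inner->resolve($username, $this->expectedRealm);
    }
}

// Constructed in-memory credential store shared by both areas.
class ArrayResolver implements Zend_Auth_Adapter_Http_Resolver_Interface
{
    private $ha1 = array();
    public function add($user, $realm, $password)
    {
        $this->ha1["$realm:$user"] = md5("$user:$realm:$password"); // Digest HA1
    }
    public function resolve($username, $realm)
    {
        $key = "$realm:$username";
        return isset($this->ha1[$key]) ? $this->ha1[$key] : false;
    }
}

$store = new ArrayResolver();
$store->add('jan', 'realm1', 'constructed-password');
$realm2 = new RealmPinnedResolver('realm2', $store);
foreach (array('shared' => $store, 'pinned' => $realm2) as $name => $resolver) {
    $found = $resolver->resolve('jan', 'realm1') !== false; // realm1 presented to /realm2
    echo $name, ': ', $found ? 'secret returned' : 'rejected', "\n";
}
```

With Zend Framework 1 loaded, an instance built with the area's own realm would be handed to the adapter through setDigestResolver().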