On 21-Jun-00 at 17:59, J. J. Horner ([EMAIL PROTECTED]) wrote:
> In Netscape (and probably IE), if a handler returns AUTH_REQUIRED, the
> user can just hit 'Ok' on the password dialogue without typing in a
> password and the browser will resend the original information again.
> If the password in cache is still valid, it will
> reauthenticate without prompting the user again. This can't be
> cool. I've found that I have to make sure that the $sent_pw in
>
> my ($res, $sent_pw) = $r->get_basic_auth_pw;
>
> isn't null or 0.
>
> Also, IE doesn't always give a user the password dialog when given an
> AUTH_REQUIRED response. If IE sends a username/password because of an
> AUTH_REQUIRED response, and gets an AUTH_REQUIRED response in return, it
> will resend the information again. This makes it really difficult to deal
> with different browsers during the Authentication phase.

Are you calling $r->note_basic_auth_failure when you return AUTH_REQUIRED?

I see something even stranger on occasion. Sometimes, when I connect to a
password-protected area using the unqualified name of the server, the browser
just sends the request *without* asking for a username, repeatedly, until I hit
STOP. This never happens when using the fully qualified server name.

Something else about authen handlers confuses me: does $r->get_basic_auth_pw
call $r->note_basic_auth_failure when it returns AUTH_REQUIRED?

--
Peter Haworth [EMAIL PROTECTED]
"Please wait while I fill up a random disk partition to
test whether print returns the correct error code..."
-- Larry Wall in a hypothetical perl test suite
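
An added sketch of the check discussed in this thread (not code from either poster), written against the mod_perl 1.x calls named above: it refuses an empty username or password before any lookup and calls note_basic_auth_failure on every AUTH_REQUIRED it returns itself. MockRequest, check_password, the locally defined constants and the sample credentials are constructed assumptions so the sketch runs outside Apache.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Under mod_perl 1.x: use Apache::Constants qw(OK AUTH_REQUIRED);
# Defined locally here so the sketch runs outside Apache.
use constant { OK => 0, AUTH_REQUIRED => 401 };

# Hypothetical credential check with constructed sample credentials.
sub check_password {
    my ($user, $pw) = @_;
    return $user eq 'alice' && $pw eq 's3cret';
}

sub handler {
    my $r = shift;
    my ($res, $sent_pw) = $r->get_basic_auth_pw;
    return $res if $res != OK;

    my $user = $r->connection->user;
    # Test with defined/length, not truthiness, so an empty password is
    # refused before any lookup and a literal "0" is still compared.
    my $complete = defined $user && length $user
                && defined $sent_pw && length $sent_pw;
    unless ($complete && check_password($user, $sent_pw)) {
        $r->note_basic_auth_failure;   # set the WWW-Authenticate challenge
        return AUTH_REQUIRED;
    }
    return OK;
}

# Constructed stand-in for the Apache request object (not part of mod_perl).
package MockRequest;
sub new {
    my ($class, %args) = @_;
    my $self = { %args, noted => 0 };
    return bless $self, $class;
}
sub get_basic_auth_pw       { return (main::OK(), $_[0]{pw}) }
sub connection              { return $_[0] }
sub user                    { return $_[0]{user} }
sub note_basic_auth_failure { $_[0]{noted}++; return }

package main;
for my $case (['alice', 's3cret'], ['alice', ''], ['alice', 'wrong'], ['', 'x']) {
    my $r  = MockRequest->new(user => $case->[0], pw => $case->[1]);
    my $rc = handler($r);
    printf "user=%-8s pw=%-9s status=%d challenge_sent=%d\n",
        "'$case->[0]'", "'$case->[1]'", $rc, $r->{noted};
}
```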