[ previous discussion snipped ] >httpd.conf or .htaccess (PerlModule hasta be in httpd.conf, >from my experience)-- > PerlAccessHandler My::Auth::access_handler > PerlSetVar Intranet "10.10.10.1 => userA, 10.10.10.2 => userB" > PerlAuthenHandler My::Auth::authen_handler > AuthName realm > AuthType Basic > Require valid-user > > order deny,allow > deny from all > ############# > # add 'order/deny', and we're done (as far as i can tell) > ############# > Before any changes to the Guide solidify out of this, I'd like to know that we're not pushing bad information into it. - order, deny, allow are all handled by mod_access, which worries about hostname- and IP address-based restrictions. - AuthType Basic is handled right in the core Apache code, where it, along with digest, is special-cased for in http_request and elsewhere. You aren't really doing Basic auth with your module, are you? That is, you're not putting the Auth-Required headers into your responses (to cause the browser to prompt for credentials) if you don't see the Basic auth headers in the requests, right? I'm using Apache::AuthCookie, not doing this from scratch, so that clouds things a bit for me, but I've been looking at Apache's behaviour a lot. Here's my test config (for Apache::AuthCookie): <Location /some/where> AllowOverride None Options +ExecCGI SetHandler cgi-script AuthType Site::AuthCookieHandler AuthName Testing PerlAuthenHandler Site::AuthCookieHandler->authenticate PerlAuthzHandler Site::AuthCookieHandler->authorize require valid-user </Location> Notice that there are no order, allow, deny directives in sight, and this works as it should. If I truss apache while I hit this spot with a request, I see the results of the handlers being invoked, which in AuthCookie's case is a redirection to a login form. If I replace "AuthType Site::AuthCookieHandler" with "AuthType Basic", the handlers don't get invoked, and I instead see this error from apache: configuration error: couldn't check user. No user file?: /some/where This comes from http_request.c, which is responding to "AuthType Basic". It's giving an error because I haven't told it where to find a user file (AuthUserFile) or database (AuthDBMUserFile) to check requests against, but I've requested Basic auth. ...Steve -- Steve van der Burg Information Services London Health Sciences Centre (519) 685-8300 ext 35559 [EMAIL PROTECTED]