On Mon, Jul 01, 2002 at 10:30:36AM +0100, Jean-Michel Hiver wrote:
> > > browser sent the credentials, or leave $ENV{REMOTE_USER} undef
> > > otherwise, without sending a 401 back.
> >
> > I didn't think a browser would send authentication unless the server
> > requested it for an authentication domain. How are you going to
> > get some people to send the credentials and some not unless you
> > use different URLs so the server knows when to request them?
>
> The idea is that on a "location" which requires authentication I'll
> redirect the user to a /login.html, or maybe a /?login=1 which will do
> the following:

Umm... Perhaps I don't understand the significance of the login.html. Under
HTTP auth, if a page is protected via .htaccess then auth is immediately
requested, and no redirect is possible.

More important is the fact that if a page does not require authentication,
the user's login and password will not be sent. So a page like index.html that
is not normally authenticated will not receive the username, and no
<a href="/admin">Admin this page</a> will be possible.

I'm not 100% sure this is possible without the use of cookies. I'm pretty sure
you could write some custom handler to handle the auth, but without a cookie
to note which users have authenticated, you might be out of luck.

Good luck,
Rob
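
The server side of the scheme discussed in this thread, as an added example that is not part of the original message or of any poster's code: a handler that sets the remote user when valid Basic credentials arrive and only ever answers 401 on a login URL. The realm, the /login path, the account and the function names are assumptions made for illustration; whether a browser sends the header on a given URL is up to the browser, and Basic credentials are only base64-encoded, so this belongs behind TLS.

```python
import base64
import hashlib
import hmac

REALM = "example"            # assumed realm name
LOGIN_PATH = "/login"        # assumed: the only URL that ever answers 401
SALT = b"constructed-salt"   # constructed sample data


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USERS = {"jm": _hash("s3cret")}   # constructed sample account


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:            # bad base64 or bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check(user, password):
    """Verify a password; hash even for unknown users to keep timing flat."""
    supplied = _hash(password)
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, supplied)


def handle(path, headers):
    """Return (status, remote_user, response_headers) for one request."""
    creds = parse_basic(headers.get("Authorization"))
    if creds and check(*creds):
        return 200, creds[0], {}      # credentials were sent and are valid
    if path == LOGIN_PATH:
        # Only this URL challenges, which makes the browser prompt the user.
        return 401, None, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    return 200, None, {}              # anonymous: remote user unset, no 401
```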