On Mon, Jul 01, 2002 at 10:30:36AM +0100, Jean-Michel Hiver wrote:
> > > browser sent the credentials, or leave $ENV{REMOTE_USER} undef
> > > otherwise, without sending a 401 back.
> > 
> > I didn't think a browser would send authentication unless the server
> > requested it for an authentication domain.  How are you going to 
> > get some people to send the credentials and some not unless you
> > use different URLs so the server knows when to request them?
> 
> The idea is that on a "location" which requires authentication I'll
> redirect the user to a /login.html, or maybe a /?login=1 which will do
> the following:

Umm... Perhaps I don't understand the significance of the login.html.  Under
HTTP auth, if a page is protected via .htaccess then auth is immediatly 
requested, and no redirect is possible.

More important is the fact that if a page does not require authentication,
the users login and password will not be sent.  So a page like index.html that
is not normally authenticated will not receive the username, and no
<a href="/admin">Admin this page</a> will be possible.

I'm not 100% sure this is possible without the use of cookies.  I'm pretty sure
you could write some custom handler to handle the auth, but without a cookie
to note which users have authenticated, you might be out of luck.

Good luck,

Rob

Reply via email to