On Mon, Jul 01, 2002 at 10:30:36AM +0100, Jean-Michel Hiver wrote: > > > browser sent the credentials, or leave $ENV{REMOTE_USER} undef > > > otherwise, without sending a 401 back. > > > > I didn't think a browser would send authentication unless the server > > requested it for an authentication domain. How are you going to > > get some people to send the credentials and some not unless you > > use different URLs so the server knows when to request them? > > The idea is that on a "location" which requires authentication I'll > redirect the user to a /login.html, or maybe a /?login=1 which will do > the following:
Umm... Perhaps I don't understand the significance of the login.html. Under HTTP auth, if a page is protected via .htaccess then auth is immediatly requested, and no redirect is possible. More important is the fact that if a page does not require authentication, the users login and password will not be sent. So a page like index.html that is not normally authenticated will not receive the username, and no <a href="/admin">Admin this page</a> will be possible. I'm not 100% sure this is possible without the use of cookies. I'm pretty sure you could write some custom handler to handle the auth, but without a cookie to note which users have authenticated, you might be out of luck. Good luck, Rob