On Thu, 2007-01-11 at 15:01 -0800, Tracy12 wrote:
> My intention is not to use the authentication provided by the apache, but
> to use an authentication mechanism by CAS (Central Authentication Service)
> running elsewhere

If you intend to use HTTP basic auth (with the popup window that asks
for your login), you still are using apache's auth mechanism. You may
have a custom source for your data, but you still need to follow the
standard auth API.

> After successful authentication we need to pass the
> control to another application (which is running on the same apache server)
> which depends on the REMOTE_USER value which we set.

That will work fine, as long as your auth handler runs in the same
request as the thing that wants to look at REMOTE_USER. If you do an
external redirect, that creates a totally separate request from the
client. You need to set your handler as the auth handler for the
location that you want to protect, not go to the auth handler and then
redirect to the location.

> Do you still think we need to pass the value as a cookie, what about the
> security?

Well, basic auth has lousy security. It doesn't encrypt anything, so
it's not secure unless you run over SSL. It is enough for many
applications though.

- Perrin
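
An added example, not part of the original message: a mod_perl 2 authentication handler attached to the protected location itself, so that REMOTE_USER is set in the same request the application runs in. The module name My::AuthHandler, the /app location and the in-memory %USERS table (a stand-in for the external credential source) are assumptions made for illustration.

```perl
# httpd.conf fragment (assumed location and module name):
#
#   <Location /app>
#       AuthType Basic
#       AuthName "Protected application"
#       Require valid-user
#       PerlAuthenHandler My::AuthHandler
#   </Location>
#
# The handler runs in the authentication phase of every request to /app,
# so the application behind /app sees REMOTE_USER without any redirect.

package My::AuthHandler;    # hypothetical module name
use strict;
use warnings;

use Apache2::RequestRec ();    # $r->user
use Apache2::Access ();        # get_basic_auth_pw, note_basic_auth_failure
use Apache2::Const -compile => qw(OK HTTP_UNAUTHORIZED);

# Constructed sample data standing in for the custom credential source.
# Only a crypt() hash is kept, computed once when the module is loaded.
my %USERS = (
    alice => crypt('constructed-password', '$6$constructedsalt$'),
);

sub handler {
    my $r = shift;

    # Returns OK and the password once the client has sent credentials
    # (and fills in $r->user); otherwise returns the status to send back,
    # normally 401 with the Basic challenge.
    my ($status, $password) = $r->get_basic_auth_pw;
    return $status unless $status == Apache2::Const::OK;

    my $user   = $r->user;
    my $stored = defined $user ? $USERS{$user} : undef;

    if (defined $stored && (crypt($password, $stored) // '') eq $stored) {
        # $r->user is what Apache exports as REMOTE_USER to the content phase.
        return Apache2::Const::OK;
    }

    # Unknown user or wrong password: ask the client to authenticate again.
    $r->note_basic_auth_failure;
    return Apache2::Const::HTTP_UNAUTHORIZED;
}

1;
```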