Thank you so much for the insight. Your thoughts are very valuable. I'll be digging into the CookieAuth module to see what I can see. After I look at it just a bit, it may be that I can just use CookieAuth as it is, or with minor tweaks and a big authentication routine. It would deny authentication, but set a different cookie after "phase 1"; and grant authentication with a good "phase 1" cookie and proper "phase 2" responses.
You'll hear from me again, as I find other questions, or if a miracle happens and I complete the project and get something that works. Thank you again! Matt On Mon, Dec 20, 2010 at 6:40 PM, André Warnier <a...@ice-sa.com> wrote: > > Talking about HTTP authentication, that's a good plan. > Unfortunately sometimes difficult to follow, because HTTP authentication is > full of twists and turns that don't usually let you do things stepwise. > > There is already plenty of stuff in the above paragraph to be answered. > > What the browser displays in the title bar of its embedded authentication > mechanism, is nothing else than the content of the "realm" of the "auth > required" header that it receives back from the server. So you could > "trick" that by fabricating this header (and the 401 response) yourself, > instead of letting Apache send it. ... [snip]...
