On Thu, Feb 12, 2009 at 3:49 PM, Michele Waldman <mmwald...@nyc.rr.com> wrote: > I'm doing this: > > RewriteEngine On > RewriteCond %{REMOTE_USER} . > RewriteRule ^.*$ - [S=1] > RewriteRule ^.*$ http://domain/logged_out.html?%{N} [R] > > AuthType Digest > AuthName "account" > AuthUserFile /path/.htpasswd > Require valid-user > > 1) The user is logged in. > 2) The user logs out. > 3) In ff, the user hits the backpage button. > 4) The user gets a dialog box to login rather than being redirected. >
HTTP is stateless. You wrote a rule that wants to see if authentication has already occured, so on some level you're acknowledging that authentication is processed _before_ your rewrite. When you configure authentication for a resource, the very same code that would authenticate you will immediately prompt you for credentials if they're not provided. This happens before your per-directory rewrites have a chance to do anything. RewriteLog would likely tell you that the conditions/rules are not evaluated in this scenario, because the 401 is returned before the fixup hook where rewrite runs in per-dir context -- Eric Covener cove...@gmail.com