On Thu, Feb 12, 2009 at 3:49 PM, Michele Waldman <mmwald...@nyc.rr.com> wrote:
> I'm doing this:
>
> RewriteEngine On
> RewriteCond %{REMOTE_USER} .
> RewriteRule ^.*$ - [S=1]
> RewriteRule ^.*$ http://domain/logged_out.html?%{N} [R]
>
> AuthType Digest
> AuthName "account"
> AuthUserFile /path/.htpasswd
> Require valid-user
>
> 1) The user is logged in.
> 2) The user logs out.
> 3) In ff, the user hits the backpage button.
> 4) The user gets a dialog box to log in rather than being redirected.
>

HTTP is stateless.  You wrote a rule that wants to see if
authentication has already occurred, so on some level you're
acknowledging that authentication is processed _before_ your rewrite.

When you configure authentication for a resource, the very same code
that would authenticate you will immediately prompt you for
credentials if they're not provided.  This happens before your
per-directory rewrites have a chance to do anything.

RewriteLog would likely tell you that the conditions/rules are not
evaluated in this scenario, because the 401 is returned before the
fixup hook where rewrite runs in per-dir context.

-- 
Eric Covener
cove...@gmail.com
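
The ordering described in the reply above, as an added example that is not part of the original message and is not Apache's own code: a simplified Python model of the request phases, with the two posted rewrite rules evaluated in the fixup phase. The reduced phase list, the function names and the sample user "alice" are assumptions made for illustration.

```python
import re

# Simplified model (assumption) of Apache's per-request hook order; only the
# phases relevant to the thread are listed.
PHASES = ["access_checker", "check_user_id", "auth_checker", "fixups", "handler"]

# The two posted rules: (condition on REMOTE_USER or None, pattern, substitution, flags)
RULES = [
    (r".", r"^.*$", "-", {"S": 1}),
    (None, r"^.*$", "http://domain/logged_out.html", {"R": True}),
]

def run_rewrite(path, env, trace):
    """Evaluate RULES the way per-directory mod_rewrite would in the fixup hook."""
    skip = 0
    for i, (cond, pattern, subst, flags) in enumerate(RULES, 1):
        if skip:                              # an earlier [S=n] is still in effect
            skip -= 1
            trace.append(f"rule {i}: skipped")
            continue
        if not re.search(pattern, path):
            continue
        if cond is not None and not re.search(cond, env.get("REMOTE_USER", "")):
            trace.append(f"rule {i}: condition failed")
            continue
        trace.append(f"rule {i}: matched")
        skip = flags.get("S", 0)
        if flags.get("R"):
            return 302, subst
    return None, None

def handle(path, credentials_valid, user="alice"):
    """Return (status, location, trace) for one request to the protected directory."""
    env, trace = {}, []
    for phase in PHASES:
        trace.append(phase)
        if phase == "check_user_id":          # the auth module challenges here
            if not credentials_valid:
                return 401, None, trace       # browser shows the login dialog
            env["REMOTE_USER"] = user
        elif phase == "fixups":               # per-dir rewrite runs only now
            status, location = run_rewrite(path, env, trace)
            if status:
                return status, location, trace
    return 200, None, trace
```

In this model the redirect rule never fires: a request without valid credentials ends at 401 before the fixup phase, and a request that reaches the fixup phase always has REMOTE_USER set, so the first rule skips the second.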
