hiya, well, as you may know i'm new to this, and just created mod_auth_xvl and mod_access_xvl. so please excuse me for not knowing how everything fits together. specifically, i have some design issues to resolve. firstly, mod_access_xvl is more like a mod_auth than a mod_access. i.e. you need to do per-directory config _but_ i need a username to do it! whoopsie. but i noticed that mod_accesses are caled before mod_auths, so you don't get an r->connection_>user oops! so i have to make mod_access_xvl actually call the user-checking function. oh dear. did i get that right? now, my qustion is, in amongst all this bad typing on a v. slow link, is, if you _have_ an r->connection->user, can i assume that the user has _been_ authenticated? can mod_xvl - which serves web content - treat the r->connection->user _as_ authenticated? see, what i want to do is to 'cut out' the cookie-based authentication if people want to. but ithat means that i will need to pass the authenticated user TO xvl. i can read the headers, it's HTTP/basic auth, big deal, done that. but i want to cut that stage out, it's currently duplicated inside xvl. so, not only does apache do HTTP basic auth, but also xvl. the one in xvl has to be disableable, and to 'trust' apache, instead. so, what do i do? :) :) am i on the right tracks? all best, luke p.s. much apprecite if you could cc me because i am only post-rights to new0httpd, i check the archive but it's 2mb download :)
