Hi all,

In DLSS, we're working on an application that allows public access to some material, but WebAuthed users may receive additional access based on SUnet ID or workgroups.

We've successfully added WebAuth to our application. When we require WebAuth across the whole application, everything works as expected (users are prompted by WebAuth as needed, the application receives the WebAuth credentials, etc.). When we use WebAuthOptional to let anonymous/public users into the website, our application does not receive the WebAuth information from users who signed in to WebAuth through a different website.

Here's the relevant part of our Apache config:

> <Directory /hydrus/current/public>
>   AuthType WebAuth
>   require valid-user
>
>   # Lookup Webauth, but don't enforce.
>   WebAuthOptional on
>
>   Order allow,deny
>   Allow from all
>   AllowOverride all
>   Options -MultiViews
> </Directory>
>
> <Location "/users/auth/webauth">
>   AuthType WebAuth
>   Require valid-user
>   WebAuthOptional off
> </Location>

As I said, this works fine when the user obtains their WebAuth credentials directly from our site (either by WebAuthing the first time, or by going to the /users/auth/webauth URL manually). However, if a user obtained their initial credentials in a session from a different application (e.g. webcal), our application does not receive their WebAuth information (presumably because the webauth_at cookie isn't set within scope for our application). If the user visits our /users/auth/webauth path, the cookies do get set as expected.

Has anyone else run into this problem before? Is there a work-around we should use (a .stanford.edu cookie that could tell us the user is WebAuth-able, a graceful way to 'try' WebAuth without interrupting the user, etc.)?

In the meantime, we're requiring the user to explicitly sign in to the application, but it would be nice to make this a seamless SSO process.

Thanks,
Chris Beer
QA Engineer
Digital Library Systems and Services
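The interim approach described in the message (public access by default, explicit sign-in through /users/auth/webauth) can be handled on the application side as in the following added example, which is not part of the original post or the application's own code. It assumes a Python WSGI application (the post does not name the framework), that mod_webauth exposes the identity as the server-set `REMOTE_USER`, and a hypothetical `return_to` query parameter on the login path.

```python
from urllib.parse import quote, urlsplit

# The "WebAuthOptional off" location from the Apache config in the post.
LOGIN_PATH = "/users/auth/webauth"


def current_user(environ):
    """Return the WebAuth identity, or None for an anonymous visitor.

    Only the server-set REMOTE_USER key is trusted. Request headers arrive
    as HTTP_* keys (e.g. HTTP_REMOTE_USER) and are client-controlled, so
    they are never consulted.
    """
    user = (environ.get("REMOTE_USER") or "").strip()
    return user or None


def safe_return_path(path):
    """Accept only same-site absolute paths so the sign-in link cannot
    be turned into an open redirect."""
    path = path or ""
    parts = urlsplit(path)
    if (parts.scheme or parts.netloc or not path.startswith("/")
            or path.startswith("//") or "\\" in path
            or any(ord(c) < 0x20 for c in path)):
        return "/"
    return path


def login_url(return_to):
    # "return_to" is a hypothetical parameter name (assumption of this sketch).
    return f"{LOGIN_PATH}?return_to={quote(safe_return_path(return_to), safe='')}"


def app(environ, start_response):
    """Public content for everyone, extra content when REMOTE_USER is set."""
    user = current_user(environ)
    here = environ.get("PATH_INFO", "/")
    if user:
        body = f"Signed in as {user}: public + restricted material\n"
    else:
        body = f"Public material only. Sign in: {login_url(here)}\n"
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [body.encode("utf-8")]
```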
