On Wed, Feb 27, 2002 at 09:31:21PM +0100, Magnus Lie Hetland wrote:
> Mike Orr <iron@...>:
> > The rules above are copied straight from my old Zope install. I haven't
> > tried them with Webware.
> Well, they seem correct. The odd thing is that I can't seem to set the
> environment variable through the E rewrite directive.
I'm pretty sure there's more to it than the rewrite rule. There's a
security issue. To explain, if user A (at http://whatever.com/~A) has
authentication, and then the browser user goes to B's site
(http://whatever.com/~B) and they get a 401, they'll pass their cached
username and password. This is fine if Apache does the checking, but if
you pass the password directly to the script then you've introduced a
significant security hole, because B was given the password.
mod_rewrite rules can be in your .htaccess, so it's a problem.
If you read closer into the Zope docs, I feel like there was a specific
configuration setting you had to change to get the rewrite rules to
> > Some disadvantages of Basic Authentication:
> > ** You can't customize the login dialog except the short "realm name"
> > string. If users are confused about why they are being asked for a
> > password, there's no way to provide a "click here for help" hyperlink.
> True. I can live with that -- especially if you have an intro screen
> with a help link etc, and a "log in" button/link or something.
True. I think you can also send a 401 and a page, so if they cancel
they'll get the page you sent -- which can have links about forgotten
passwords and all that. TWiki does this, I think.
> > ** Users can't log out without quitting the browser. There's no way
> > to provide a "logout" button because the browsers don't provide that
> > feature.
> I've heard that said before... Wouldn't it be a simple matter of
> providing the "unauthorized"/401 header/status again, and then have
> the user clicking cancel?
I think you'd have to test it out, as I'm not sure this is the case. A
smart script could send a 401, get the username/password, and then send
the 401 a second time... that might not work either -- though it would
allow someone to log in as a different username. Otherwise if you have
access to the password, maybe you could force them to login with a blank
password (or even just any incorrect password) as an alternative for a
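As an added example (not code from this thread, Zope or Webware), here is a small Python handler doing what the replies above describe: the server checks the Basic credentials itself instead of handing the password to a script, ships a help page with the 401 so a user who cancels sees something useful, and exposes a /logout path that re-issues the 401 so the browser's cached credentials are refused. The realm name, the user store, and the /logout and /help paths are assumptions.

```python
import base64, hashlib, hmac
from http.server import BaseHTTPRequestHandler

REALM = "example-realm"  # assumed realm name
# Constructed user store (not from the thread): username -> (salt, sha256(salt + password))
USERS = {"alice": ("s1", hashlib.sha256(b"s1correct horse").hexdigest())}

def parse_basic(header):
    """Return (user, password) from an 'Authorization: Basic ...' header, else None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def credentials_valid(header):
    """True only for a known user with the right password (constant-time compare)."""
    creds = parse_basic(header)
    if creds is None or creds[0] not in USERS:
        return False
    salt, expected = USERS[creds[0]]
    digest = hashlib.sha256((salt + creds[1]).encode()).hexdigest()
    return hmac.compare_digest(digest, expected)

def challenge_page(logged_out=False):
    """HTML sent with the 401; the browser shows it if the user cancels the dialog."""
    note = "You have been logged out." if logged_out else "This area needs a password."
    return (f"<html><body><p>{note}</p><p><a href='/help'>Click here for help</a> "
            "with forgotten passwords.</p></body></html>")

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        logging_out = self.path == "/logout"
        # /logout always re-challenges, so the browser's cached credentials are refused
        if logging_out or not credentials_valid(self.headers.get("Authorization")):
            status, body = 401, challenge_page(logging_out).encode()
        else:
            status, body = 200, b"<html><body>Welcome, authenticated user.</body></html>"
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
```

To try it locally, serve `Handler` with `http.server.HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()`; the password never leaves the checking code, which is the point of having the server rather than a per-user script do the check.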