Security Basics mailing list archives
Re: False (?) 401 errors messages
From: "Jon Mark Allen" <jonmark () allensonthe net>
Date: Wed, 17 Dec 2003 17:07:56 -0600
Chris Ess<securityfocus () cae tokimi net> 12/17/03 11:46:42 AM >>>
If I remember correctly... And I may not... Whenever a web browser hits a password-protected page and it does not have a username and password for the page presented in the request header, it will receive a 401 response. It is this 401 response that prompts the web browser to ask the user to enter the username and password for this site. I don't know if you can do this, but... In your error document for 401's, query the username supplied. If the username is blank or undefined then it was an initial visit by a web browser and probably does not need to be logged if you're trying to log attempts to log in with a username/password pair. So, if it does not need to be logged, you should not need to send an email. This may be of some use to you: http://www.php.net/manual/en/features.http-auth.php Sincerely, Chris Ess System Administrator / CDTT (Certified Duct Tape Technician) Yes, your memory serves you (and me) well. Thanks. However, I followed the link to the PHP docs and it states that two AutoGlobal variables are created using PHP authentication called PHP_AUTH_USER and PHP_AUTH_PW (which store the obvious). However, I'm not really using PHP authentication, and apparently (as I've tried every way I know how) those variables aren't set or I can't get access to them using only Apache Authentication. Currently, I'm letting Apache handle the authentication routines and was hoping to only have to handle the exceptions. I'd rather not code an entire PHP authentication suite for this... So I guess my question now is: does Apache provide any header information or variables that could tell me if the user successfully authenticated? Thanks. Jon Mark --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- False (?) 401 errors messages Jon Mark Allen (Dec 17)
- Re: False (?) 401 errors messages Chris Ess (Dec 17)
- <Possible follow-ups>
- Re: False (?) 401 errors messages Jon Mark Allen (Dec 18)