False (?) 401 errors messages

From: Jon Mark Allen (jonmark_at_allensonthe.net)
Date: 12/17/03

    Date:  Wed, 17 Dec 2003 10:34:28 -0600
    To: security-basics@securityfocus.com

    I've written a custom 401 error page (using PHP) to notify me (via email) when someone fails to authenticate to a secure website I'm managing. The only problem is that I get an email for _every_ access — not just the ones that fail.

    The secure/protected portion of the site is forced over https. The only script that sends me this email is the 401 error page, yet when I log in, I see the correct page but still get an email! I've run a sniffer on my client when I accessed the page, but of course since it's over https, that doesn't help much. I do see a few packets to the effect of
     Protocol: TLS, Packet Body: Encrypted Alert (21)

    I've searched Google (briefly) for this and haven't found anything.

    Also, my .htaccess file looks something like this:

    AuthType Basic
    AuthName "authName"
    AuthUserFile /<path outside of user-accessible space>/passwd

    require valid-user
    RequireSSL on

    ErrorDocument 401 /<local path outside of protected space>/401.php

    If you really want to see what the 401.php file looks like, I can send it, but I really don't think that's the problem. The question is _why_ it's being called in the first place??

    Thanks again for all your help!

    Jon Mark
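
Added example, not part of the original post: under HTTP Basic authentication a client's first request to a protected URL normally carries no credentials and is answered with a 401 challenge, so a 401 ErrorDocument also runs for logins that then succeed. The Python sketch below separates those challenges from rejected credentials in Apache access-log lines; the sample lines are constructed, and it assumes the common/combined log format, where the third field (%u) is the user name the client sent.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not from the post).
# Assumption: the third field is %u, the user name sent by the client.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Dec/2003:10:30:01 -0600] "GET /secure/ HTTP/1.1" 401 478 "-" "Mozilla/5.0"
192.0.2.10 - jon [17/Dec/2003:10:30:06 -0600] "GET /secure/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Dec/2003:10:31:12 -0600] "GET /secure/ HTTP/1.1" 401 478 "-" "Mozilla/5.0"
198.51.100.7 - admin [17/Dec/2003:10:31:15 -0600] "GET /secure/ HTTP/1.1" 401 478 "-" "Mozilla/5.0"
198.51.100.7 - root [17/Dec/2003:10:31:19 -0600] "GET /secure/ HTTP/1.1" 401 478 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) '
)

def classify(line):
    """Label one line: 'challenge', 'failed_login', 'other', or None if unparsable."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    if m["status"] != "401":
        return "other"
    # No user name logged: the request carried no credentials, so this 401 is
    # only the server asking for them. A user name plus 401 is a rejection
    # (the name is unauthenticated, so treat it as attacker-controlled text).
    return "challenge" if m["user"] == "-" else "failed_login"

def failed_logins(log_text):
    """Return (host, user, time) for every 401 that followed submitted credentials."""
    hits = []
    for line in log_text.splitlines():
        if classify(line) == "failed_login":
            m = LINE_RE.match(line)
            hits.append((m["host"], m["user"], m["time"]))
    return hits

def summarize(log_text):
    """Count lines per label, skipping unparsable ones."""
    labels = (classify(line) for line in log_text.splitlines())
    return Counter(label for label in labels if label is not None)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for host, user, when in failed_logins(SAMPLE_LOG):
        print(f"failed login: user={user} from {host} at {when}")
```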

