Re: False (?) 401 errors messages

From: Jon Mark Allen (jonmark_at_allensonthe.net)
Date: 12/18/03

    Date:  Wed, 17 Dec 2003 17:07:56 -0600
    To: securityfocus@cae.tokimi.net
    
    

    >>> Chris Ess<securityfocus@cae.tokimi.net> 12/17/03 11:46:42 AM >>>

    If I remember correctly... And I may not...

    Whenever a web browser hits a password-protected page and it does not have
    a username and password for the page presented in the request header, it
    will receive a 401 response. It is this 401 response that prompts the web
    browser to ask the user to enter the username and password for this site.

    I don't know if you can do this, but... In your error document for 401's,
    query the username supplied. If the username is blank or undefined then
    it was an initial visit by a web browser and probably does not need to be
    logged if you're trying to log attempts to log in with a username/password
    pair. So, if it does not need to be logged, you should not need to send
    an email.

    This may be of some use to you:
    http://www.php.net/manual/en/features.http-auth.php

    Sincerely,

    Chris Ess
    System Administrator / CDTT (Certified Duct Tape Technician)

    Yes, your memory serves you (and me) well. Thanks.

    However, I followed the link to the PHP docs and it states that two AutoGlobal variables are created using PHP authentication called PHP_AUTH_USER and PHP_AUTH_PW (which store the obvious). However, I'm not really using PHP authentication, and apparently (as I've tried every way I know how) those variables aren't set or I can't get access to them using only Apache Authentication. Currently, I'm letting Apache handle the authentication routines and was hoping to only have to handle the exceptions. I'd rather not code an entire PHP authentication suite for this...

    So I guess my question now is: does Apache provide any header information or variables that could tell me if the user successfully authenticated?

    Thanks.

    Jon Mark
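
The distinction discussed in this thread, between a browser's initial unauthenticated 401 and a 401 for rejected credentials, can also be made from Apache's access log. This is an added example, not part of the original messages. It assumes the Common/Combined Log Format, where the third field (`%u`) is `-` when no credentials were sent and holds the attempted user name on a 401. The function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Apache Common/Combined Log Format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>"[^"]*"|\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

def classify(line):
    """Return 'challenge', 'failed_login', 'ok', or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    if m["status"] != "401":
        return "ok"
    # "-" means the request carried no credentials: the browser's first hit,
    # answered with the 401 that makes it prompt the user. An empty user name
    # is logged as "" and is treated the same way here.
    if m["user"] in ("-", '""'):
        return "challenge"
    # A 401 with a user name present: credentials were sent and rejected.
    # The name is unverified input, so treat it as untrusted data.
    return "failed_login"

def failed_logins(lines):
    """Count rejected credential attempts per (host, user), skipping challenges."""
    counts = Counter()
    for line in lines:
        if classify(line) == "failed_login":
            m = LOG_RE.match(line)
            counts[(m["host"], m["user"])] += 1
    return counts

# Constructed sample lines (documentation IP ranges, made-up user names).
SAMPLE = [
    '192.0.2.10 - - [17/Dec/2003:17:01:02 -0600] "GET /secure/ HTTP/1.1" 401 401',
    '192.0.2.10 - alice [17/Dec/2003:17:01:09 -0600] "GET /secure/ HTTP/1.1" 200 5120',
    '198.51.100.7 - - [17/Dec/2003:17:03:40 -0600] "GET /secure/ HTTP/1.1" 401 401',
    '198.51.100.7 - admin [17/Dec/2003:17:03:44 -0600] "GET /secure/ HTTP/1.1" 401 401',
    '198.51.100.7 - admin [17/Dec/2003:17:03:47 -0600] "GET /secure/ HTTP/1.1" 401 401',
    '198.51.100.7 - "" [17/Dec/2003:17:03:50 -0600] "GET /secure/ HTTP/1.1" 401 401',
]

if __name__ == "__main__":
    for (host, user), n in failed_logins(SAMPLE).items():
        print(f"{n} rejected attempt(s) from {host} as {user!r}")
```

Only the `failed_login` lines would warrant a notification; the `challenge` lines are the normal first step of HTTP authentication.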
