in reply to Apache AuthType problem

This sounds like a problem I encountered last week, although it's hard to tell without seeing your code.

Before returning AUTH_REQUIRED, you need to call $r->note_basic_auth_failure, otherwise the WWW-Authenticate HTTP header isn't returned, so the browser doesn't ask the user to re-enter their username and password.

Strictly speaking, you should return FORBIDDEN from a PerlAuthzHandler which is called after the PerlAuthenHandler. This gives you the flexibility to deal with authentication and authorisation in different stages. You can use $r->notes to pass variables between separate handlers.

If you want to give the user three chances only, you'd need to store some session data, possibly using Apache::Session. However, I can't see the advantage of this, as malicious clients will find some way of pretending to be someone else (User-Agent modification, dispose session cookies, etc.) then send three more requests.

Re: Re: Apache AuthType problem
by Jonathan (Curate) on Feb 21, 2001 at 21:28 UTC
    Hmmm, not too sure I understand what you mean (one day I promise to stay awake long enough to read more than the first paragraph of the HTTP specification). I've already got the $r->note_basic_auth_failure; call in the code.
    The code is very straightforward:
    
        use Apache::Constants qw(OK AUTH_REQUIRED FORBIDDEN);
    
        sub handler {
            my $r = shift;
            my ($res, $sent_pw) = $r->get_basic_auth_pw;
            return $res if $res != OK;
            my $user = $r->connection->user;
            unless ($user and $sent_pw) {
                $r->note_basic_auth_failure;
                $r->log_reason("Both a username and password must be provided", $r->filename);
                return AUTH_REQUIRED;
            }
    And at the end:
    
            return FORBIDDEN if ($encrypt_passwd ne $glas_password);
            # Got this far - guess we can let them in
            return OK;
        }
    
        1;
        __END__
      At the end, where you have
      
          return FORBIDDEN if ($encrypt_passwd ne $glas_password);
      
      you should have
      
          if ($encrypt_passwd ne $glas_password) {
              $r->note_basic_auth_failure;
              $r->log_reason("Invalid password", $r->filename);
              return AUTH_REQUIRED;
          }

      Returning FORBIDDEN tells the client that their credentials are valid (i.e. they entered a valid username/password combination) but that they aren't allowed to access this resource.

      I suggest you take a quick look at the difference between PerlAuthenHandler and PerlAuthzHandler. As I mentioned earlier in this thread, you shouldn't use FORBIDDEN in a PerlAuthenHandler.

      I know what you mean about the HTTP spec, I've been meaning to read it thoroughly for the past 6 years, but it's too scary :-)
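The split that this thread recommends, written out as an added example (it is not code from either poster): a PerlAuthenHandler that only ever answers OK or AUTH_REQUIRED (calling note_basic_auth_failure first so WWW-Authenticate is sent), and a PerlAuthzHandler that answers FORBIDDEN, with the two stages linked through $r->notes. It assumes mod_perl 1.x; the package name, the user table and the group names are constructed for illustration.

```perl
package My::Auth;
use strict;
use Apache::Constants qw(OK AUTH_REQUIRED FORBIDDEN);

# Constructed sample credentials: username => [crypt()ed password, group].
# (Hypothetical; a real handler would look these up in a file or database.)
my %USERS = (
    alice => [ crypt('s3cret',  'ab'), 'staff' ],
    bob   => [ crypt('hunter2', 'cd'), 'guest' ],
);

# httpd.conf (constructed):
#   <Location /private>
#       AuthType Basic
#       AuthName "Private"
#       PerlAuthenHandler My::Auth::authen_handler
#       PerlAuthzHandler  My::Auth::authz_handler
#       require valid-user
#   </Location>

sub authen_handler {
    my $r = shift;
    my ($res, $sent_pw) = $r->get_basic_auth_pw;
    return $res if $res != OK;               # no usable Authorization header
    my $user  = $r->connection->user || '';
    my $entry = $USERS{$user};
    # Every authentication failure takes the same path: record the failure so
    # Apache adds WWW-Authenticate, then ask the client for credentials again.
    if (!$user || !$sent_pw || !$entry
        || crypt($sent_pw, $entry->[0]) ne $entry->[0]) {
        $r->note_basic_auth_failure;
        $r->log_reason("authentication failed for '$user'", $r->uri);
        return AUTH_REQUIRED;
    }
    $r->notes(group => $entry->[1]);         # hand the group to the authz stage
    return OK;
}

sub authz_handler {
    my $r = shift;
    # Identity is already established; decide whether it may see this resource.
    my $group = $r->notes('group') || '';
    return OK if $group eq 'staff';
    $r->log_reason("group '$group' may not access this resource", $r->uri);
    return FORBIDDEN;                        # valid identity, no permission
}

1;
```

With this layout a wrong password produces a fresh browser prompt, while a correct password for a user outside the 'staff' group produces a 403 instead of an endless re-prompt.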