[prev in list] [next in list] [prev in thread] [next in thread]
List: spamassassin-users
Subject: Re: [users@httpd] Basic Auth Authentication Wonkiness with scripts or Static HTML not protected by B
From: "Kevin A. McGrail" <KMcGrail () PCCC ! com>
Date: 2012-01-17 0:00:06
Message-ID: 4F14BA06.8010302 () PCCC ! com
[Download RAW message or body]
re: http://httpd.apache.org/docs/2.2/howto/auth.html#possibleproblems
> I just wanted to point the following:
>
> Because of the way that Basic authentication is specified, your
> username and password must be verified every time you request a
> document from the server. This is even if you're reloading the same
> page, and for every image on the page
It's a good thought but this documentation points to a performance
issue. What I am detailing is better described as broken functionality
than a performance issue.
>
> So I think it is more the matter of how the particular browser handles
> this and I would say FF and IE have different ways. Have you tried the
> .htaccess approach with Opera, Chrome and Safari?
I haven't. As of yet, I haven't worked to fix the issue as much as
confirm the issue exists. My posting today shows over a year of
anecdotal evidence combined to create a report on a now reproducible
problem on multiple servers.
As we are starting to get cases where it works and doesn't work, (IE vs
Firefox and .htaccess vs <directory>), once I feel comfortable it's a
bug, I'll open a bug and support how I can fixing the bug.
> Also the way you had originally set your protection makes it logical
> that it will be applied to EVERY item in the directory right? So when
> you load the page with 10 photos lets say, you get prompt for password
> for each of them. Where is with the Directory tag approach you are
> prompt for credentials only when you access the directory.
My understanding doesn't agree. Isn't the browser STILL negotiating a
username/password for every resource in that directory? However, the
switch from .htaccess to httpd.conf has changed something in the
behavior that was triggering the bug in my tests so perhaps you are correct.
>
> You might also check the headers that the browsers send and see the
> difference, at least in FF there is http headers plugin for that not
> sure for IE though.
Sadly, I know how to manually check httpd headers and I use Chris
Pederick's amazing WebDev toolbar in FF. Beyond that, haven't got a
clue how to check in IE, though, and it would be off to google likely
using wireshark or something else that deviates from my core expertise.
Regards,
KAM
[Attachment #3 (text/html)]
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
re: <a moz-do-not-send="true"
href="http://httpd.apache.org/docs/2.2/howto/auth.html#possibleproblems"
target="_blank">http://httpd.apache.org/docs/2.2/howto/auth.html#possibleproblems</a>
<br>
<br>
<blockquote
cite="mid:CAAKASGzd7xXz9mj0yr0+v1PN3ss96X4G3qaZmH0hiYFo7sgfwA@mail.gmail.com"
type="cite">I just wanted to point the following:
<div><br>
</div>
<div><span
style="color:rgb(0,51,102);font-family:Arial,Helvetica,sans-serif;font-size:14px;line-height:18px;background-color:rgb(255,255,255)">Because
of the way that Basic authentication is specified, your
username and password must be verified every time you request
a document from the server. This is even if you're reloading
the same page, and for every image on the page</span> <br>
</div>
</blockquote>
It's a good thought but this documentation points to a performance
issue. What I am detailing is better described as broken
functionality than a performance issue. <br>
<blockquote
cite="mid:CAAKASGzd7xXz9mj0yr0+v1PN3ss96X4G3qaZmH0hiYFo7sgfwA@mail.gmail.com"
type="cite">
<div><br>
</div>
<div>So I think it is more the matter of how the particular
browser handles this and I would say FF and IE have different
ways. Have you tried the .htaccess approach with Opera, Chrome
and Safari? <br>
</div>
</blockquote>
I haven't. As of yet, I haven't worked to fix the issue as much as
confirm the issue exists. My posting today shows over a year of
anecdotal evidence combined to create a report on a now reproducible
problem on multiple servers.<br>
<br>
As we are starting to get cases where it works and doesn't work, (IE
vs Firefox and .htaccess vs <directory>), once I feel
comfortable it's a bug, I'll open a bug and support how I can fixing
the bug.<br>
<blockquote
cite="mid:CAAKASGzd7xXz9mj0yr0+v1PN3ss96X4G3qaZmH0hiYFo7sgfwA@mail.gmail.com"
type="cite">
<div>Also the way you had originally set your protection makes it
logical that it will be applied to EVERY item in the directory
right? So when you load the page with 10 photos lets say, you
get prompt for password for each of them. Where is with the
Directory tag approach you are prompt for credentials only when
you access the directory.</div>
</blockquote>
My understanding doesn't agree. Isn't the browser STILL negotiating
a username/password for every resource in that directory? However,
the switch from .htaccess to httpd.conf has changed something in the
behavior that was triggering the bug in my tests so perhaps you are
correct.<br>
<blockquote
cite="mid:CAAKASGzd7xXz9mj0yr0+v1PN3ss96X4G3qaZmH0hiYFo7sgfwA@mail.gmail.com"
type="cite">
<div><br>
</div>
<div>You might also check the headers that the browsers send and
see the difference, at least in FF there is http headers plugin
for that not sure for IE though.<br>
</div>
</blockquote>
Sadly, I know how to manually check httpd headers and I use Chris
Pederick's amazing WebDev toolbar in FF. Beyond that, haven't got a
clue how to check in IE, though, and it would be off to google
likely using wireshark or something else that deviates from my core
expertise.<br>
<br>
Regards,<br>
KAM<br>
</body>
</html>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic