Palm Treo Asks for Password Repeatedly on Password-Protected Site
| samxnguyen@gmail.com 2006-11-28, 7:28 pm |
| I have a site that is password-protected using Basic Authentication
against the passwd file. When I view this site on a Palm Treo, I get
prompted for the password for every single request -- every image,
JavaScript file, and HTML file.
How can I make Apache save the authentication and not ask for the
password for every request?
TIA,
Sam
| |
|
| <samxnguyen@gmail.com> wrote in message
news:1164760200.005143.236640@j72g2000cwa.googlegroups.com...
>I have a site that is password-protected using Basic Authentication
> against the passwd file. When I view this site on a Palm Treo, I get
> prompted for the password for every single request -- every image,
> JavaScript file, and HTML file.
>
> How can I make Apache save the authentication and not ask for the
> password for every request?
>
That's not to the server, the client should automagically repeat the
authentication to each but the first request.
HansH
| |
| shimmyshack 2006-11-29, 7:31 am |
| It could be - I'm not saying it is! - just a matter of the Treo caching
the requests, and not remembering the credentials for those "cached"
requests it hasn't made yet.
Try using basic authentication for a page which is just one HTML page
with no images, no CSS, no other HTTP requests at all. Then ask the
user to click on a link to carry on. Does it once again ask for the
credentials? If so, the Treo isn't worth much to you.
I guess since in basic auth the credentials are sent and received in
plain text (as base64 encoded, I think), can you try using links in the
form
http://user:password@domain.com/
This used to be one of the ways to do this kind of thing before it was
realised that it could be used to create "pretend" URLs.
Try it, you never know. And you can base64encode it so much the better,
but remember - basic auth isn't up to much anyway.
| |
|
| Okay I think I'm onto something. I looked into the access_log and found
that the client keeps changing IP addresses, probably having something
to do with the way the GSM network processes web requests.
Am I right to assume that the changing IP address causes the server to
"forget" that the client was logged in?
| |
| shimmyshack 2006-11-29, 7:24 pm |
| The process works by exchanging headers. Nothing more or less. Many
clients have changing IP addresses due to proxies.
Basic authentication is just that. Basic.
http://www.faqs.org/rfcs/rfc2617.html
If YOU have specified that only a certain IP can gain entry, that's
another question. (See Allow, Deny in the Apache docs.)
| |
|
| I see, so the changing IP address wasn't the issue.
This is what my configuration file does:
/ (root dir): Deny all
/var/www/html:
    Basic Authentication
    Allow from local subnet
    Require valid-user
    Satisfy any
And what the client would do is authenticate against /var/www/html
then request authentication for each subdirectory that it needed access
to:
/var/www/html/subdir/a
..../subdir/b
..../subdir/c
..../subdir/d
So it would ask for my password 5 times, then after that it would be
fine.
I worked around this problem by disabling authentication to
/var/www/html/subdir (it wasn't really necessary).
Thanks so much for your help shimmyshack and HansH
| |
| shimmyshack 2006-11-29, 7:24 pm |
| That's a good solution for your user_agent, however I don't believe that
is the correct behaviour for a client.
Here is the relevant part of the RFC for a client with basic auth.
Sorry it's a bit long; the first part is just how to do it manually
(AJAX for instance), the second paragraph is the part referring to the
path depth.
If you want to test the user-agent for compliance, run fiddlertool or
paros or some such proxy on a machine not on the local subnet, and then
put the proxy details into the user-agent and look at the headers
flying back and forth. It is my opinion that (provided other user
agents work as expected) it isn't conforming to standards in repeatedly
asking for the credentials.
Good luck, and pleased you could find a clever work-around.
---------------
To receive authorization, the client sends the userid and password,
separated by a single colon (":") character, within a base64 [7]
encoded string in the credentials.

    basic-credentials = base64-user-pass
    base64-user-pass  = <base64 [4] encoding of user-pass,
                        except not limited to 76 char/line>
    user-pass         = userid ":" password
    userid            = *<TEXT excluding ":">
    password          = *TEXT

Userids might be case sensitive.

If the user agent wishes to send the userid "Aladdin" and password
"open sesame", it would use the following header field:

    Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

A client SHOULD assume that all paths at or deeper than the depth of
the last symbolic element in the path field of the Request-URI also
are within the protection space specified by the Basic realm value of
the current challenge. A client MAY preemptively send the
corresponding Authorization header with requests for resources in
that space without receipt of another challenge from the server.
Similarly, when a client sends a request to a proxy, it may reuse a
userid and password in the Proxy-Authorization header field without
receiving another challenge from the proxy server. See section 4 for
security considerations associated with Basic authentication.
---------------------------
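
The header encoding and path-depth rule quoted from RFC 2617 above, together with the proxy-based compliance check suggested in the last reply, as an added Python example that is not part of the original thread. The host example.test, the trace and the function names are constructed for illustration; realms are ignored, and the trace stands in for what an intercepting proxy would record.

```python
import base64
from urllib.parse import urlsplit

def basic_header(userid, password):
    """Build the Authorization value from the grammar quoted above."""
    if ":" in userid:
        raise ValueError("userid must not contain ':'")
    raw = f"{userid}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def decode_basic(value):
    """Recover (userid, password): base64 is an encoding, not encryption."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    userid, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return userid, password

def in_space(challenged_url, request_url):
    """True if request_url is at or deeper than the challenged URL's directory."""
    a, b = urlsplit(challenged_url), urlsplit(request_url)
    a_path, b_path = a.path or "/", b.path or "/"
    prefix = a_path[: a_path.rfind("/") + 1]  # drop the last path element
    return (a.scheme, a.netloc) == (b.scheme, b.netloc) and b_path.startswith(prefix)

def missed_reuse(trace):
    """URLs requested without credentials inside an already-authenticated space."""
    accepted, missed = [], []
    for url, sent_auth, status in trace:
        if not sent_auth and any(in_space(u, url) for u in accepted):
            missed.append(url)
        if sent_auth and status != 401:
            accepted.append(url)  # server accepted credentials for this URL
    return missed

# Constructed trace of (url, Authorization sent?, status); not a real capture.
TRACE = [
    ("http://example.test/", False, 401),
    ("http://example.test/", True, 200),
    ("http://example.test/subdir/a/logo.png", False, 401),
    ("http://example.test/subdir/a/logo.png", True, 200),
    ("http://example.test/subdir/b/site.js", False, 401),
    ("http://example.test/subdir/b/site.js", True, 200),
    ("http://example.test/subdir/a/bg.png", True, 200),
]

if __name__ == "__main__":
    print(basic_header("Aladdin", "open sesame"))
    print(missed_reuse(TRACE))
```

Each URL returned by `missed_reuse` cost an extra 401 round trip even though the RFC allows credentials to be sent preemptively there; whether the user also saw a prompt depends on the client's credential cache, which the headers alone do not show.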