mod_radius, apache2 and the auth cookie.

Kris Benson kbenson at sd57.bc.ca
Tue Aug 2 17:20:53 CEST 2005


FreeRadius users mailing list <freeradius-users at lists.freeradius.org> on
August 2, 2005 at 01:55 -0800 wrote:
>Hi,
>
>>   As was pointed out, you'll get authentication dialogs for every gif
>> & jpg on the page.  This is a BAD idea.
>
>The gifs etc. are located in an unprotected directory; surely this prevents
>having to re-authenticate for each?

In theory, yes.  However, this has been nixed by most browsers, in that
"mixed content" presents a security risk.  Your IE users will see a
message saying "This page contains both secure and non-secure items..." at
least on first connect; the FF users may not even get that -- I don't
recall what happens with mixed content in FF.

>> > If I get a failed login, then try to login again it just uses cached
>> > credentials and doesn't prompt for details, if I close and re-open the
>> > browser it does then allow me to enter details.
>> 
>>   Then your browser is broken.
>
>Firefox and Opera are also broken in that case. :-(
>
>A bit of a dig around reveals this from the Apache site, which implies
>that all browsers cache the credentials.
>http://httpd.apache.org/docs/howto/auth.html#basicfaq  

It sounds to me like the server isn't sending the correct error code for
auth-failed, thus the browser thinks it's OK to use the old credentials.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)
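
The failure mode suggested in the reply above, as an added example that is not part of the original message: a check that sends deliberately wrong Basic credentials and confirms the answer is a 401 carrying a Basic `WWW-Authenticate` challenge. The loopback test server, the credentials and all function names are constructed for illustration; no mod_radius code is involved.

```python
import base64, http.client, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for the loopback test server only.
GOOD = "Basic " + base64.b64encode(b"alice:correct").decode()
BAD = "Basic " + base64.b64encode(b"alice:wrong").decode()

def make_handler(fail_status, send_challenge):
    """Test server whose reply to failed auth is configurable."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            ok = self.headers.get("Authorization") == GOOD
            self.send_response(200 if ok else fail_status)
            if not ok and send_challenge:
                self.send_header("WWW-Authenticate", 'Basic realm="demo"')
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler

def probe(host, port, path="/"):
    """Send wrong credentials; return (status, WWW-Authenticate header)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Authorization": BAD})
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("WWW-Authenticate")
    finally:
        conn.close()

def verdict(status, challenge):
    """Classify the server's answer to a failed Basic login."""
    if status == 401 and challenge and challenge.lower().startswith("basic"):
        return "ok: 401 with a Basic WWW-Authenticate challenge"
    if status == 401:
        return "broken: 401 without a Basic WWW-Authenticate challenge"
    return f"broken: failed auth answered with {status}, not 401"

def check_server(fail_status, send_challenge):
    """Start the test server on a free loopback port and probe it once."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(fail_status, send_challenge))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return verdict(*probe("127.0.0.1", srv.server_port))
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    for case in [(401, True), (401, False), (403, False), (200, False)]:
        print(case, "->", check_server(*case))
```

Against a real deployment, call `probe()` with the host, port and a protected path, then pass the result to `verdict()`.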



