RE: mod_radius, apache2 and the auth cookie.
Hi,
Was was pointed out, you'll get authentication dialogs for every gif & jpg on the page. This is a BAD idea.
The gifs etc are located in an unprotected directory, surely this prevents from having to re-authenticate for each?
If I get a failed login, then try to login again it just uses cached credentials and doesn't prompt for details, if I close and re-open the browser it does then allow me to enter details.
Then your browser is broken.
Firefox and Opera are also broken in that case. :-( A bit of a dig around reveals this from the Apache site, which implies that all browsers cache the credentials. http://httpd.apache.org/docs/howto/auth.html#basicfaq Thanks, Jezz Palmer.
FreeRadius users mailing list <freeradius-users@lists.freeradius.org> on August 2, 2005 at 01:55 -0800 wrote:
Hi,
Was was pointed out, you'll get authentication dialogs for every gif & jpg on the page. This is a BAD idea.
The gifs etc are located in an unprotected directory, surely this prevents from having to re-authenticate for each?
In theory, yes. However, this has been nixed by most browsers, in that "mixed content" presents a security risk. Your IE users will see a message saying "This page contains both secure and non-secure items..." at least on first connect, the FF users may not even get that -- I don't recall what happens with mixed content in FF.
If I get a failed login, then try to login again it just uses cached credentials and doesn't prompt for details, if I close and re-open the browser it does then allow me to enter details.
Then your browser is broken.
Firefox and Opera are also broken in that case. :-(
A bit of a dig around reveals this from the Apache site, which implies that all browsers cache the credentials. http://httpd.apache.org/docs/howto/auth.html#basicfaq
It sounds to me like the server isn't sending the correct error code for auth-failed, thus the browser thinks it's OK to use the old credentials. -kb -- Kris Benson, CCP, I.S.P. Technical Analyst, District Projects School District #57 (Prince George)
"Palmer J.D.F." <J.D.F.Palmer@swansea.ac.uk> wrote:
The gifs etc are located in an unprotected directory, surely this prevents from having to re-authenticate for each?
Yes.
A bit of a dig around reveals this from the Apache site, which implies that all browsers cache the credentials. http://httpd.apache.org/docs/howto/auth.html#basicfaq
Well, that's changed since I wrote the module. It's irritating as heck, too. The only solution is to take a hint from mod_securid, and put the username & password on an auto-generated HTML page, where the browser won't cache them. That would involve a complete re-write of the module, though. Alan DeKok.
participants (3)
-
Alan DeKok -
Kris Benson -
Palmer J.D.F.