mod_radius, apache2 and the auth cookie.

Kris Benson kbenson at
Tue Aug 2 17:20:53 CEST 2005

FreeRadius users mailing list <freeradius-users at> on
August 2, 2005 at 01:55 -0800 wrote:
>>   As was pointed out, you'll get authentication dialogs for every gif
>> & jpg on the page.  This is a BAD idea.
>The gifs etc. are located in an unprotected directory; surely this prevents
>having to re-authenticate for each?

In theory, yes.  However, this has been nixed by most browsers, in that
"mixed content" presents a security risk.  Your IE users will see a
message saying "This page contains both secure and non-secure items..." at
least on first connect, the FF users may not even get that -- I don't
recall what happens with mixed content in FF.

>> > If I get a failed login, then try to login again it just uses cached
>> > credentials and doesn't prompt for details, if I close and re-open the
>> > browser it does then allow me to enter details.
>>   Then your browser is broken.
>Firefox and Opera are also broken in that case. :-(
>A bit of a dig around reveals this from the Apache site, which implies
>all browsers cache the credentials.

It sounds to me like the server isn't sending the correct error code for
auth-failed, thus the browser thinks it's OK to use the old credentials.

Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)
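
One way to check the hypothesis in the reply above, as an added example that is not part of the original post: send deliberately wrong Basic credentials and see whether the failure comes back as a 401 carrying a WWW-Authenticate challenge, which is the response that makes a browser prompt again. The local stand-in server, the credentials and all function names are constructed for illustration.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for the local stand-in server (assumption).
GOOD = "Basic " + base64.b64encode(b"alice:correct").decode()

def make_handler(fail_status, send_challenge):
    """Stand-in for the protected site: answers bad logins as configured."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.headers.get("Authorization") == GOOD:
                self.send_response(200)
            else:
                self.send_response(fail_status)
                if send_challenge:
                    self.send_header("WWW-Authenticate", 'Basic realm="test"')
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # keep test output quiet
            pass
    return Handler

def probe(host, port, user, password):
    """Send one request with Basic credentials; return (status, challenge)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", "/", headers={"Authorization": "Basic " + token})
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("WWW-Authenticate")
    finally:
        conn.close()

def will_reprompt(status, challenge):
    """A failed login triggers a new prompt only on 401 plus a challenge."""
    return status == 401 and bool(challenge)

def check(fail_status, send_challenge):
    """Run the probe with a wrong password against a local server."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(fail_status, send_challenge))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return will_reprompt(*probe("127.0.0.1", server.server_port, "alice", "wrong"))
    finally:
        server.shutdown()
        server.server_close()
```

Pointing `probe` at your own Apache host and port with a known-bad password shows which of these cases the mod_radius setup falls into.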
