Thanx...I used ethereal to see the flow of data between browser and server...one point though...I was able to see my password in clear text in ethereal. So it is possible that it could be open to the public ?? Anand ----- Original Message ----- From: "Boyle Owen" <Owen.Boyle@xxxxxxx> To: <users@xxxxxxxxxxxxxxxx> Sent: Thursday, May 12, 2005 1:37 PM Subject: RE: [users@httpd] Basic Authentication question > -----Original Message----- > From: K Anand [mailto:kanand@xxxxxxxxxxxxxx] > Sent: Donnerstag, 12. Mai 2005 05:52 > To: users@xxxxxxxxxxxxxxxx > Subject: Re: [users@httpd] Basic Authentication question > > > you didn't understand what I was asking...The config I have > included is > working ..I have used htpasswd and everything is working > fine....All I want > to know is how does apache know that I have already > authenticated or not ? The first time the client requests a resource in a protected realm, it doesn't know it is protected so makes a plain request. The server responds with a 401 Unauthorized. The client then pops up a password window and captures the username/password (aka, the credentials). The client repeats the request but this time adds an Authorization header containing the credentials. The server gets the request and verifies the credentials, if OK, it serves the resource. The client caches the credentials and for all subsequent requests in the same realm, it adds the same Authorization header - that's how you stay "logged in". That's also how it is really hard to get the browser to "forget" your password - even if you surf off to a different site and come back a day later, it'll remember your credentials and send them off again. Rgds, Owen Boyle Disclaimer: Any disclaimer attached to this message may be ignored. > > Anand > > ----- Original Message ----- > From: "Chris Winfield-Blum" <chris@xxxxxxxxxxxxxxx> > To: <users@xxxxxxxxxxxxxxxx> > Sent: Thursday, May 12, 2005 9:14 AM > Subject: Re: [users@httpd] Basic Authentication question > > > > you will have to use the htpasswd tools located in your > apache bin to > > create the password file. then you point that directory to > that file: ie: > > > > /etc/httpd/conf/passwd/passwords > > > > This should do that you need :) > > > > K Anand said the following: > > > > >Hi all, > > > > > >I have a very basic question regarding authentication on > apache...I have > in > > >my httpd.conf a section like below : > > ><Directory "/var/www/cgi-bin"> > > > AuthType Basic > > > AuthName "By Invitaion Only" > > > AuthUserFile /etc/httpd/conf/passwd/passwords > > > Require valid-user > > > > > > AllowOverride None > > > Options ExecCGI > > > Order allow,deny > > > Allow from all > > ></Directory> > > > > > >So whenever a browser first sends a cgi-bin request, > authentication is > done > > >by userid and password...Whenever subsequent requests come > for cgi-bin, > > >authentication is not required provided the browser has > not been closed. > How > > >is this done ? > > > > > >I know that this is not a problem but I would like to know > just for my > > >information. > > > > > >Thanx > > >Anand > > > > > > > > > >--------------------------------------------------------------------- > > >The official User-To-User support forum of the Apache HTTP Server > Project. > > >See <URL:http://httpd.apache.org/userslist.html> for more info. > > >To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx > > > " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx > > >For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx > > > > > > > > > > > > > > > > > > > --------------------------------------------------------------------- > > The official User-To-User support forum of the Apache HTTP > Server Project. > > See <URL:http://httpd.apache.org/userslist.html> for more info. > > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx > > " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx > > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx > > > > > > > --------------------------------------------------------------------- > The official User-To-User support forum of the Apache HTTP > Server Project. > See <URL:http://httpd.apache.org/userslist.html> for more info. > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx > " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx > > This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx