On Tue, 24 May 2005 Drew.Shelton@xxxxxxxxxxxx wrote:

> > -----Original Message-----
> > From: Boyle Owen [mailto:Owen.Boyle@xxxxxxx]
> > Sent: Tuesday, May 24, 2005 4:26 AM
> > To: users@xxxxxxxxxxxxxxxx
> > Subject: RE: [users@httpd] Automatic script execution whenever a directory is referenced
> >
> > > -----Original Message-----
> > > From: Drew.Shelton@xxxxxxxxxxxx [mailto:Drew.Shelton@xxxxxxxxxxxx]
> > > Sent: Montag, 23. Mai 2005 22:35
> > > To: users@xxxxxxxxxxxxxxxx
> > > Subject: [users@httpd] Automatic script execution whenever a directory is referenced
> > >
> > > I want to set up password protection on all files served in a
> > > directory. I want the authentication to expire without
> > > relying on the user to kill the browser session, so I'm
> > > pretty sure I must do that from the server side rather than
> > > Apache basic authentication because of the browser cache. I
> > > don't know what the "best" way is to do that, but my idea is
> > > to configure my directory to have a CGI script run
> > > automatically before any file within that directory is
> > > served. Is this possible?
> >
> > Not using basic authentication.
> >
> > There is no concept of expiration in basic_auth. The browser
> > sends the credentials with every subsequent request in the
> > same realm. The only way to "expire" the browser is to shut it down.
>
> I know that I can't use basic authentication for expiring passwords.
> I attempted to say that in my original message.
>
> > On the server side, you only ever get a request with or
> > without an Authorization header. If it's with a valid auth
> > header, you serve the content.
> >
> > The only way to expire logins is with session management (i.e.,
> > cookies).
>
> But is there a way to trigger a CGI script with every reference to a
> particular directory?
>
> Thanks,
> Drew

Owen's last point is the key one. You should use some form of session management to do this, and there are many options for that.

For your "CGI" idea, you'll need to write your own authentication handler for files in that directory, written as a module, of course. At that point, session management starts to look a whole lot easier.

[Warning! Nitpicky technical details follow!]

To directly answer your question, yes, there are ways to trigger code with every reference to a particular directory.

You could ReWrite all requests for files in that directory to a CGI script with the filename as a parameter, but then you'd have to be sure to handle the authentication correctly yourself, *and* serve the file yourself because the ReWrite would just send a redirect back to the script. Not advisable for a site that sees a significant level of traffic.

You could write your own content handler for that directory, but that means writing an Apache module, and breaking the conceptual model of the Apache request life cycle by including authN/authZ stuff in the content phase. But, since that means writing a module anyway, you should play nicely with others and write it instead as an authentication handler, invoked before the content phase, as I mentioned earlier.

Overall, though, a session manager that allows you to immediately expire existing sessions when they make a request for that directory, thus invoking the normal HTTP authentication and content phases, makes the most sense for what you're trying to do.

HTH!

Craig

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
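The following is an added example, not part of the original thread and not Apache code: a sketch of the decision a gatekeeper script would make per request if sessions expire on the server side and the requested filename arrives as a parameter. The cookie layout (`user|issued|mac`), `SECRET`, `MAX_AGE`, `PROTECTED_ROOT` and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

SECRET = b"constructed-demo-key"  # assumption: a random server-side secret in practice
MAX_AGE = 900                     # assumption: a session expires 15 minutes after login
PROTECTED_ROOT = os.path.realpath("/srv/www/protected")  # hypothetical directory


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(user: str, now: int) -> str:
    """Cookie value set after a successful login: user|issued|mac."""
    payload = f"{user}|{now}"
    return f"{payload}|{_sign(payload)}"


def check_session(cookie: str, now: int):
    """Return the user name if the cookie is authentic and unexpired, else None."""
    try:
        user, issued, mac = cookie.split("|")
        issued_at = int(issued)
    except ValueError:
        return None  # malformed cookie
    expected = _sign(f"{user}|{issued}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None  # forged or modified cookie
    if not 0 <= now - issued_at <= MAX_AGE:
        return None  # expired by the server, whatever the browser still holds
    return user


def resolve_protected(filename: str):
    """Map the filename parameter to a path inside PROTECTED_ROOT, else None."""
    full = os.path.realpath(os.path.join(PROTECTED_ROOT, filename))
    if os.path.commonpath([full, PROTECTED_ROOT]) != PROTECTED_ROOT:
        return None  # "../" or an absolute path escaping the directory
    return full


def authorize(cookie: str, filename: str, now: int):
    """Decide one request: 401 means log in again, 403 means path refused."""
    if check_session(cookie, now) is None:
        return 401, None
    path = resolve_protected(filename)
    return (200, path) if path else (403, None)
```

Because expiry is checked against the signed issue time on every request, the login lapses without the user closing the browser, which is what basic authentication cannot provide.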