Re: Basic Auth Login Retries

Krist van Besien wrote:
On Mon, Aug 11, 2008 at 11:56, mdn teo <mdnteo@xxxxxxxxx> wrote:

But how can I force to skip login retries?
I tried to set a custom 401 error page, redirecting to another page, but it
redirects just after the "n" login attempts.
I'd like to find a way to force the redirect to another page after the first
failed login for all browsers.

You can't do this easily, because of the way http authentication works.

Basically a browser will always first request a password protected
page without authentication details, and your server must always react
to that with a 401 (or the user won't get a chance to authenticate).
When a browser gets a 401 response it will prompt the user for a
username and password, and retry the request, this time with an
authentication header added. This happens a number of times, as set in
the browser.
What you want is for your server to serve a 403 when a request comes
in for a page with an authentication header already set, but with the
wrong authentication data in the header. I don't think you can do this
in an easy way, as Apache itself will reply with a 401 as soon as
authentication fails. The only possible solution I see is to program a
custom authentication module (possibly in Perl).

Krist

First, what Krist wrote above is totally correct.
The following is just my own way of saying essentially the same thing.

To do what you want to achieve:

a) you would need to really understand how http authentication works, and understand that it is not specific to Apache: all httpd servers and browsers work in the same way, so it is not easy to change.

b) you would need to write (or have someone write for you) your own custom authentication mechanism and integrate it into Apache.
And yes, it could certainly be done using mod_perl.
But it is not totally trivial, because it has to be done in a way that does not confuse the browser nor Apache about what is going on.

So, you need to think hard about how much this is worth to you, and whether it justifies the effort. Also, considering your problem in a top-down fashion, you should know that the Basic Authentication mechanism built into Apache and the browser is not the only way in which one can authenticate to an Apache server using a user-id and password. Other methods exist which would look similar to your users, be more secure, and in addition could do essentially what you want (the login page the first time, defaulting to something else in case of wrong userid/password).
For example, have a look at this:
http://cpan.uwinnipeg.ca/htdocs/Apache-AuthCookie/Apache2/AuthCookie.html

André
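The exchange Krist describes (first request without credentials gets a 401 challenge, the browser prompts and retries with an Authorization header, and the server replies 403 instead of another 401 when those credentials are wrong) as a small, runnable Python model. This is an added example, not code from the thread, from Apache or from mod_perl; the user "alice", her password, the realm name and the port are constructed for the demonstration, and the Apache equivalent would be a custom authentication handler returning FORBIDDEN where Apache would normally emit the 401.

```python
import base64
import binascii
import hashlib
import hmac
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "example"  # constructed realm name for the demo


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the store never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user_store(plain: dict) -> dict:
    """Turn constructed plaintext credentials into {user: (salt, hash)}."""
    store = {}
    for user, password in plain.items():
        salt = os.urandom(16)
        store[user] = (salt, _hash_password(password, salt))
    return store


def basic_header(user: str, password: str) -> str:
    """Client side: the Authorization value a browser sends after prompting."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header):
    """Return (user, password) from an Authorization value, or None if it is
    missing, not Basic, not valid base64, or lacks the user:password colon."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # user-id may not contain ':'
    if not sep:
        return None
    return user, password


def credentials_valid(store: dict, user: str, password: str) -> bool:
    entry = store.get(user)
    if entry is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash_password(password, salt), expected)


def decide(store: dict, authorization_header):
    """Map one request to (status, extra response headers).

    - no usable Authorization header -> 401 + WWW-Authenticate (browser prompts)
    - correct credentials            -> 200
    - wrong credentials              -> 403 with no challenge header, so the
                                        browser stops re-prompting after one failure
    """
    creds = parse_basic_auth(authorization_header)
    if creds is None:
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    user, password = creds
    if credentials_valid(store, user, password):
        return 200, {}
    return 403, {}


class DemoHandler(BaseHTTPRequestHandler):
    """Minimal server wrapper around decide(); credentials are constructed."""
    store = make_user_store({"alice": "correct horse"})
    bodies = {200: b"welcome\n", 401: b"authentication required\n",
              403: b"login failed; see the help page\n"}

    def do_GET(self):
        status, extra = decide(self.store, self.headers.get("Authorization"))
        body = self.bodies[status]
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # curl -i http://127.0.0.1:8080/            -> 401 with WWW-Authenticate
    # curl -i -u alice:wrong http://127.0.0.1:8080/ -> 403, no new prompt
    HTTPServer(("127.0.0.1", 8080), DemoHandler).serve_forever()
```

The point that decides the browser's behaviour is the absence of the WWW-Authenticate header on the 403: a 401 without it would still not re-prompt, but 403 states the intent and is what Krist suggests. One caveat for whatever page the 403 sends the user to: the browser may keep the credentials it just sent for that realm, so that page has to give the user a fresh way in (for example a different realm or path), otherwise the same wrong header is replayed on the next visit.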

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

