Edward Harvey wrote:
And how would users who have a different set of credentials they could use for this second URL enter those credentials? The RFC specifies a 401 response in this scenario to allow a UA to resubmit different credentials. You might not care about the RFC, but Apache and browsers mostly do. The behaviour you want goes against the behaviour described in the RFC, so to get it you would need to have a custom authorization system.

Well, so I'm acknowledging there's no way to do what I want to do, but I'll respond to this anyway. Suppose somebody were to launch an FTP client and browse a remote site. If they attempt to access an area where they are denied access, they would get "access denied" and then they would know they got access denied with the current credentials. If they have another set of credentials, they will know they should reconnect with different credentials.

If they're already authenticated and browsing along a website and try to access a restricted item, they don't get "access denied", they get "please enter your username/password", which is identical behavior as unauthenticated users. The users that I support generally think to themselves, "I thought I already did?" And they retry and retry until they finally conclude that isn't going to work. Each browser has a different way of allowing a user to re-authenticate with different credentials. Some have more than one way.

So I acknowledge the world isn't perfect, you don't always get everything you want, but I do want you to acknowledge one thing, if you please: If a user is already authenticated, and they try to access something which is denied, then it is more useful to communicate to the user "Your current credentials were denied" and "You may now authenticate with different credentials if you wish" instead of giving them the "Please enter username/password" prompt which is identical to an unauthenticated user.

Without letting this degenerate into a flame... (or is it a troll?) You are probably right.

But what the previous person was telling you is that it is not a problem of Apache, it is a problem of the browser. The HTTP protocol RFC indicates what the server should do, which is to send a 401 response. There is a reason for that: the HTTP protocol is stateless, which means that each request is independent of previous and following ones. In between each request, the server forgets everything.

So the server does not know that this is the nth time that this same user resubmitted a request with bad credentials, so it has to send the same answer each time. And the answer can only consist of a status code, which is 401. The server does not control the dialog that the browser pops up.

However, the browser knows (that this is the nth time this same request was refused because of wrong credentials), and the browser could pop up a different message in its dialog after it gets, say, 2 consecutive 401 responses. But this is a discussion to have with the people who make the browser, which is not what this list is about.
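
Added example, not part of the original messages and not Apache's code: a small Python model of the stateless decision described above, showing that an anonymous request, a wrong password and a valid login that lacks access all receive the identical 401 challenge, however often they are repeated. The users, passwords, paths and realm are constructed for illustration.

```python
import base64
import hmac

# Constructed sample data; every name and value here is an assumption.
USERS = {"alice": "wonderland", "bob": "builder"}
ACL = {"/public/": None, "/reports/": {"alice"}}  # None: no login required
CHALLENGE = {"WWW-Authenticate": 'Basic realm="example"'}


def basic(user, password):
    """Build the Authorization header value a browser would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header):
    """Return (user, password) from an Authorization header, else None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def handle(path, authorization=None):
    """Decide one request from that request alone: no session, no retry count."""
    prefix = next((p for p in ACL if path.startswith(p)), None)
    if prefix is None:
        return 404, {}
    allowed = ACL[prefix]
    if allowed is None:
        return 200, {}
    creds = parse_basic(authorization)
    if creds is None:
        return 401, dict(CHALLENGE)  # anonymous or malformed header
    user, password = creds
    known = hmac.compare_digest(password.encode(), USERS.get(user, "").encode())
    if not (user in USERS and known):
        return 401, dict(CHALLENGE)  # unknown user or wrong password
    if user not in allowed:
        return 401, dict(CHALLENGE)  # valid login, but not permitted here
    return 200, {}


if __name__ == "__main__":
    for auth in (None, basic("alice", "oops"), basic("bob", "builder")):
        print(handle("/reports/q1.html", auth))
```

Because `handle` receives nothing but the path and the header, the only place a retry count can live is the client, which is the point made in the reply above.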