Date: Sun, 14 Dec 2003 00:57:04 -0700
To: "Matthew D. Fuller"
From: Brett Glass
cc: Kyle Amon
cc: security@freebsd.org
Subject: Re: s/key authentication for Apache on FreeBSD?

At 10:45 PM 12/13/2003, Matthew D. Fuller wrote:

>HTTP AUTH sends the user/pass strings with every request (more precisely,
>the browser caches what you put in, and sends it every time the server
>returns a 401 with the same realm name.)

I apologize; I wasn't being clear. My question was, does the Apache server then send the user name and password on to the library that is doing authentication every time? Or does it recognize that the user and password (and/or IP) are the same as before and allow subsequent hits?

--Brett