From owner-freebsd-questions Thu Dec 7 14:15:39 1995
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id OAA26846 for questions-outgoing; Thu, 7 Dec 1995 14:15:39 -0800 (PST)
Received: from itsdsv1.enc.edu (itsdsv1.enc.edu [199.93.252.241]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id OAA26841 for ; Thu, 7 Dec 1995 14:15:33 -0800 (PST)
Received: from dingo.enc.edu (dingo.enc.edu [199.93.252.229]) by itsdsv1.enc.edu (8.6.11/8.7.2 rev 08/22/95) with SMTP id RAA07600 for ; Thu, 7 Dec 1995 17:13:40 -0500
Message-ID: <30C7674F.2781E494@enc.edu>
Date: Thu, 07 Dec 1995 17:14:39 -0500
From: Charles Owens
Organization: Eastern Nazarene College
X-Mailer: Mozilla 2.0b3 (X11; I; FreeBSD 2.1-STABLE i386)
MIME-Version: 1.0
Newsgroups: comp.infosystems.www.servers.unix
CC: freebsd-questions@freebsd.org
Subject: Re: problem with .htaccess and apache (uh-oh**)
References: <30C74676.41C67EA6@enc.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-questions@freebsd.org
Precedence: bulk

Charles Owens wrote:
>
> Hi,
> I'm running apache v1.0 on an AIX 3.2.5 box and have noticed some bad
> behaviour in terms of my .htaccess files. Basically, I can almost always
> get around the restriction!!!!!!!
>
> An example - here's my .htaccess file, let's say from the
> directory /www/foo
>
> AuthUserFile /otherdir/.htpasswd
> AuthGroupFile /dev/null
> AuthName FooPages
> AuthType Basic
>
>
> require valid-user
>
>
> In /otherdir I have the required .htpasswd file. If, with my
> browser, I try to access /www/foo (http://www.foo.net/www/foo) then
> I'm presented with the expected authentication dialog box. If I enter
> the correct name and password I'm allowed access. But let's assume that
> I instead hit cancel. I'm presented with a page that says I'm not
> authorized. Fine. Now, I hit the browser's BACK button, and then, on a
> whim, I hit the FORWARD button. Guess what? I'm suddenly presented
> with the restricted page!!!!!!! If I click on a link in this page I can
> get to it with the same steps: Cancel, Back, Forward.
>
> This doesn't seem right. What am I doing wrong?
>
> Just in case it matters (which it better not) I'm using Netscape 2.0b3
> on a FreeBSD 2.1-stable system.

WOW!!!! I just tried to reproduce this behaviour using Netscape 1.1N on a
Windows 3.11 box and COULDN'T!!! And... I downloaded the Windows3.1
version of 2.0b3 and it also wouldn't do it.

So, it would seem that the problem lies with the Unix version of 2.0b3 I'm
using (actually the BSDI 1.1 binary).

So, if in fact I've set up my .htaccess file correctly (see above) then
this implies that the .htaccess scheme may be compromised by some fluke
(feature? :-) in the implementation of the browser. This seems, to me,
VERY DISCONCERTING!!!!!

Comments?

---
-------------------------------------------------------------------------
Charles Owens                          Email: owensc@enc.edu
                                       "I read somewhere to learn is to
Information Technology Services         remember... and I've learned that
Eastern Nazarene College                we've all forgot..." - King's X
-------------------------------------------------------------------------
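
One way to tell server-side enforcement apart from browser behaviour, as an added example that is not part of the original post: send requests with no browser history or cache in the way and check that only valid credentials get a 200. The local stand-in server, the credentials and the names `probe` and `run_demo` are constructed for the demo; pointing `probe()` at the real host and path is the actual check.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for the local stand-in server (not from the post).
GOOD = "Basic " + base64.b64encode(b"demo:s3cret").decode()
BAD = "Basic " + base64.b64encode(b"demo:wrong").decode()

class ProtectedHandler(BaseHTTPRequestHandler):
    """Stand-in for a directory protected with AuthType Basic / require valid-user."""
    def do_GET(self):
        ok = self.headers.get("Authorization") == GOOD
        body = b"restricted page\n" if ok else b"Authorization Required\n"
        self.send_response(200 if ok else 401)
        if not ok:  # challenge the client, as Basic auth does
            self.send_header("WWW-Authenticate", 'Basic realm="FooPages"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def probe(host, port, path, authorization=None):
    """Send one GET straight to the server; return (status, WWW-Authenticate)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        headers = {"Authorization": authorization} if authorization else {}
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("WWW-Authenticate")
    finally:
        conn.close()

def run_demo():
    """Start the stand-in server on a free local port and probe it three ways."""
    server = HTTPServer(("127.0.0.1", 0), ProtectedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    cases = [("no_credentials", None), ("wrong_password", BAD), ("valid_user", GOOD)]
    try:
        return {name: probe(host, port, "/www/foo/", auth) for name, auth in cases}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```

If the server answers 401 to the first two probes, it is enforcing the restriction, and a page that appears after Cancel, Back, Forward is being supplied by the browser rather than by a new authorized request.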