Date: Sat, 13 Dec 2003 23:45:19 -0600 From: "Matthew D. Fuller" <fullermd@over-yonder.net> To: Brett Glass <brett@lariat.org> Cc: security@freebsd.org Subject: Re: s/key authentication for Apache on FreeBSD? Message-ID: <20031214054519.GD78055@over-yonder.net> In-Reply-To: <6.0.0.22.2.20031213193447.04e80930@localhost> References: <6.0.0.22.2.20031210115335.04c2fc50@localhost> <20031210093927.70c87960.amonk@gnutec.com> <6.0.0.22.2.20031210124332.04e94ac0@localhost> <16343.33321.632599.190251@oscar.buszard-welcher.com> <6.0.0.22.2.20031210173916.04f57be8@localhost> <20031211101551.GA27435@nikkel.com> <6.0.0.22.2.20031213193447.04e80930@localhost>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Dec 13, 2003 at 07:35:43PM -0700 I heard the voice of Brett Glass, and lo! it spake thus: > At 03:15 AM 12/11/2003, bruce@nikkel.com wrote: > > >If the basic auth string was not included in an http request, the > >webserver would generate a error 401 (Unauthorized). Check out RFC 2617 > >(HTTP Authentication: Basic and Digest Access Authentication). > > True. But does it authenticate again? Or merely recognize that you're > the same person you were before and let you through? HTTP AUTH sends the user/pass strings with every request (more precisely, the browser caches what you put in, and sends it every time the server returns a 401 with the same realm name.) -- Matthew Fuller (MF4839) | fullermd@over-yonder.net Systems/Network Administrator | http://www.over-yonder.net/~fullermd/ "The only reason I'm burning my candle at both ends, is because I haven't figured out how to light the middle yet"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031214054519.GD78055>