Conrad Steenberg
conrad at hep.caltech.edu
Thu Aug 7 08:30:12 EST 2003
On Wed, 2003-08-06 at 22:47, Mike Looijmans wrote: > I think in this case, you may want to consider the alternative, which is to > just provide a 'regular' request handler, and when authentication is > required but not given, just return a "401 Unauthorized" response with a > WWW-Authenticate header specifying the realm. > That will give the user a password popup and the browser will then retry the > same request. Note that for large POST request, this is wasting a lot of > bandwidth, as the first (and therefore unauthorized) POST request will be > completely rejected! It may be better to direct the user to a GET page first > to authenticate, and only after that page start doing the POST things. Yes, eliminating this roundtrip is exactly what I'm trying to do. The problem is that Apache itself sends the 401 reply at some stage without bothering to consult my authenhandler ;-) Thanks for your reply! Conrad --
|