Optional HTTP Authentication | wayland's Computer Stuff

Optional HTTP Authentication

Optional HTTP Authentication is possible. This article describes how.

Problem

Optional HTTP authentication is useful where a website is visible without authentication, but offers more features or content to users who do authenticate.

Some have claimed that optional HTTP authentication is not possible. This is not actually the case, but support for it could be improved.

Solutions

The first two solutions, neither of which requires changes to the RFC, share the same basic process: pages on the site do not insist on HTTP authentication (i.e. they do not send WWW-Authenticate headers by default), but they accept HTTP authentication if the browser sends it. The only exception is the page that is the target of the "Login" link; it should insist on authentication. Once the user has authenticated there, the browser will resend the credentials to any page on the site, and those pages can pick them up and use them as they see fit.

The idea behind these solutions was derived from Mr. John Hanely's comment on the article HTTP Authentication Woes by Mr. Bill Venners.
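
The process described above, sketched as a small WSGI application in Python rather than mod_perl. This is an added example, not code from the original article or the author's module suite; the realm name, the login path and the in-memory user table are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed demo credential store: username -> SHA-256 of password.
# A real deployment would use a slow password hash and serve only over TLS.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
REALM = "example"          # hypothetical realm name
LOGIN_PATH = "/login"      # hypothetical; kept at the site root so the browser's
                           # preemptive resend (RFC 7617 section 2.2) covers all paths


def authenticated_user(environ):
    """Return the username if a valid Basic Authorization header was sent, else None."""
    header = environ.get("HTTP_AUTHORIZATION", "")
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = USERS.get(user, "")
    supplied = hashlib.sha256(password.encode()).hexdigest()
    # Constant-time comparison; unknown users compare against "" and fail.
    return user if hmac.compare_digest(expected, supplied) else None


def app(environ, start_response):
    """WSGI app: only LOGIN_PATH challenges; every other page merely accepts credentials."""
    user = authenticated_user(environ)
    if environ.get("PATH_INFO") == LOGIN_PATH and user is None:
        start_response("401 Unauthorized", [
            ("WWW-Authenticate", f'Basic realm="{REALM}", charset="UTF-8"'),
            ("Content-Type", "text/plain; charset=utf-8"),
        ])
        return [b"Login required\n"]
    # No challenge here: bad or absent credentials just mean an anonymous view.
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    body = f"Hello {user}, member content shown\n" if user else "Public content only\n"
    return [body.encode()]
```

Because ordinary pages never challenge, a request carrying wrong credentials is served the public view rather than a 401, so member-only content must always be gated on the returned username and never on the mere presence of an Authorization header.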

Immediate solution: mod_perl optional HTTP authentication

With the above process in mind, there are a few links that might be relevant here:
  1. mod_perl: Protecting Your Site
  2. Self-registering password protection, by Randal Schwartz

These should enable you to implement something appropriate in mod_perl. I actually have a module suite which I hope someday to post to CPAN which does optional HTTP authentication using any of the Authen::Simple modules as its backend, and can use either HTTP authentication or session-based (i.e. cookies) authentication as its frontend. It also works with HTML Mason.

Medium-term solution: Simple Apache optional HTTP authentication

I've suggested to the Apache project that they could implement optional HTTP authentication. I've suggested this at httpd bug 41685. Unfortunately I'm unaware of any response to this, but the change should be entirely possible.

Long-term solution: Change the RFC

Mr. Charles Miller, in Saving HTTP Authentication, offers a solution, but it involves changing the HTML RFC. While this is the best long-term solution, it's not an immediate solution.