[tbnl-devel] Authorized pages

Edi Weitz edi at agharta.de
Tue Aug 10 14:59:14 UTC 2004


On 10 Aug 2004 16:49:24 +0200, d95-bli at nada.kth.se (Björn Lindberg) wrote:

> Am I correct now to believe that it is in reality Apache which takes
> care of the authorization, so that once a user gave a proper
> username and password, he will be authorized for the rest of his
> session?

No. The HTTP protocol has no concept of a "session" at all - each
request/reply pair is treated in isolation.

Basic authentication works like this:

0. Client sends a request.

1. The server somehow checks whether the client (the browser) has sent
   the proper username and password. (These are encoded in a header
   the client sends.)

   How this is checked can be implemented in different ways. You can
   ask Apache to handle this but in the examples just given (macro,
   dispatcher, and so on) Apache was not involved but rather TBNL did
   the checking.

2. If username and password are OK the server sends the requested
   contents.

3. If they're not OK the server sends back a 401 (Unauthorized) return
   code. It will also usually send back a "WWW-Authenticate" header
   which reveals a "Realm" to the client. This action /might/ result
   in a box popping up in your browser asking you to enter the
   credentials.

This process can be repeated as often as needed. Note that no
knowledge of what happened in the past (no "session") is required for
this.

> So all that needs to be done is for each and every handler of access
> restricted pages to call tbnl:authorization and check for valid
> username and passwords?

Yes.
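As an added illustration (not code from this mail, nor TBNL's own), here is a Python sketch of steps 0-3 above: each request is judged solely on its own Authorization header, a good one gets the contents, anything else gets a 401 carrying the realm. The credential store, realm name and function names are constructed for the example.

```python
import base64
import binascii
import hmac

# Constructed credential store for the demo (a real server would keep
# password hashes, not plain text) and a made-up realm name.
CREDENTIALS = {"alice": "s3cret"}
REALM = "TBNL demo"


def parse_basic_authorization(header_value):
    """Decode 'Authorization: Basic <base64(user:password)>' into (user, password).

    Returns None when the header is absent, uses another scheme, or is malformed.
    """
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:  # RFC form is user:password; no colon means malformed
        return None
    return user, password


def credentials_ok(user, password):
    expected = CREDENTIALS.get(user)
    if expected is None:
        return False
    # Constant-time comparison so timing does not reveal matching prefixes.
    return hmac.compare_digest(expected.encode(), password.encode())


def handle_request(headers):
    """Steps 1-3: check the header; answer 200 with contents or 401 with realm."""
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is not None and credentials_ok(*creds):
        return 200, {}, "secret contents for %s" % creds[0]
    # Step 3: no (valid) credentials -> 401 plus WWW-Authenticate naming the realm.
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}, ""


def serve_sequence(requests):
    """Handle requests one by one; nothing is remembered between them (no session)."""
    return [handle_request(h)[0] for h in requests]
```

Because `serve_sequence` keeps no state, a request without the header still gets 401 even right after a successful one, which is the point the mail makes about HTTP having no sessions.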




More information about the Tbnl-devel mailing list