[tbnl-devel] Authorized pages

Björn Lindberg d95-bli at nada.kth.se
Tue Aug 10 15:29:31 UTC 2004


Edi Weitz <edi at agharta.de> writes:

> On 10 Aug 2004 16:49:24 +0200, d95-bli at nada.kth.se (Björn Lindberg) wrote:
> 
> > Am I correct now to believe that it is in reality Apache which takes
> > care of the authorization, so that once a user gave a proper
> > username and password, he will be authorized for the rest of his
> > session?
> 
> No. The HTTP protocol has no concept of a "session" at all - each
> request/reply pair is treated in isolation.
> 
> Basic authentication works like this:
> 
> 0. Client sends a request.
> 
> 1. The server somehow checks whether the client (the browser) has sent
>    the proper username and password. (These are encoded in a header
>    the client sends.)
> 
>    How this is checked can be implemented in different ways. You can
>    ask Apache to handle this but in the examples just given (macro,
>    dispatcher, and so on) Apache was not involved but rather TBNL did
>    the checking.
> 
> 2. If username and password are OK the server sends the requested
>    contents.
> 
> 3. If they're not OK the server sends back a 401 (Unauthorized) return
>    code. It will also usually send back a "WWW-Authenticate" header
>    which reveals a "Realm" to the client. This action /might/ result
>    in a box popping up in your browser asking you to enter the
>    credentials.
> 
> This process can be repeated as often as needed. Note that no
> knowledge of what happened in the past (no "session") is required for
> this.

I see. The reason I thought it was handled by HTTP was because, as you
imply, the window requesting username and password usually only pops
up once. If there nowhere in the chain was any caching of the two, or
'state', then the access window would pop up for each and every access
restricted page.

Now you've led me to believe that it is actually the client's browser
that is storing the authentication information and resending it upon
request from the server. Is this right? (Sorry for bothering you with
this elementia.)

> > So all that needs to be done is for each and every handler of access
> > restricted pages to call tbnl:authorization and check for valid
> > username and passwords?
> 
> Yes.

Well, that is comforting at least. :-)


Björn
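The stateless Basic authentication exchange described in the thread (steps 0 to 3), as an added example that is not part of the original posts or of TBNL itself. It models the server side as a pure function of one request's headers, with no session kept, and the client side as the browser rebuilding the Authorization header for every request; the credential store, realm name and user are constructed for the example.

```python
import base64
import binascii
import hmac

# Constructed credential store for the example: username -> password.
# (A real deployment would store salted password hashes, not plaintext.)
USERS = {"bjorn": "s3cret:with:colons"}
REALM = "tbnl-devel demo"  # constructed realm name


def client_authorization_header(username, password):
    """Client side: the header a browser resends with each request."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_credentials(header_value):
    """Return (username, password) from an Authorization header, or None."""
    if header_value is None:
        return None
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed token: treat as no credentials at all
    if ":" not in decoded:
        return None
    # Split on the first colon only: passwords may themselves contain colons.
    username, _, password = decoded.partition(":")
    return username, password


def handle_request(headers):
    """Server side: one isolated request/reply pair; no state survives it."""
    creds = parse_basic_credentials(headers.get("Authorization"))
    if creds is not None:
        username, password = creds
        expected = USERS.get(username, "")
        # Constant-time compare; the "" fallback keeps unknown users on the same path.
        if username in USERS and hmac.compare_digest(password.encode(), expected.encode()):
            return 200, {}, f"hello {username}"  # step 2: credentials OK
    # Step 3: reject and advertise the realm so the browser can prompt once.
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, ""


def exchange(username, password):
    """Steps 0-3: a bare request gets 401, the retried request with credentials gets 200."""
    first_status = handle_request({})[0]
    retry = {"Authorization": client_authorization_header(username, password)}
    return first_status, handle_request(retry)[0]
```

Because `handle_request` keeps nothing between calls, a third request without the header is rejected again exactly like the first, which is why the browser must cache and resend the credentials itself.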