s/key authentication for Apache on FreeBSD?

Matthew D. Fuller fullermd at over-yonder.net
Sat Dec 13 21:45:25 PST 2003


On Sat, Dec 13, 2003 at 07:35:43PM -0700 I heard the voice of
Brett Glass, and lo! it spake thus:
> At 03:15 AM 12/11/2003, bruce at nikkel.com wrote:
>   
> >If the basic auth string was not included in an http request, the
> >webserver would generate a error 401 (Unauthorized). Check out RFC 2617
> >(HTTP Authentication: Basic and Digest Access Authentication).
> 
> True. But does it authenticate again? Or merely recognize that you're
> the same person you were before and let you through?

HTTP AUTH sends the user/pass strings with every request (more precisely,
the browser caches what you put in, and sends it every time the server
returns a 401 with the same realm name.)


-- 
Matthew Fuller     (MF4839)   |  fullermd at over-yonder.net
Systems/Network Administrator |  http://www.over-yonder.net/~fullermd/

"The only reason I'm burning my candle at both ends, is because I
      haven't figured out how to light the middle yet"


More information about the freebsd-security mailing list