How to achieve single htpasswd login with Apache when using both
SSL and non-SSL web pages in a site?
Dan Coutu
coutu at snowy-owl.com
Tue Jul 11 15:55:02 EDT 2006
Bob Bell wrote:
> On Tue, Jul 11, 2006 at 12:06:02PM -0400, Dan Coutu wrote:
>> When entering the site Apache properly does it's login thing and
>> authenticates the user. The entry point is normally a non-SSL web
>> page. When the user goes to a page that uses SSL they are prompted a
>> second time, by Apache, to login!
>
> Are you sure it's Apache asking them to log in? HTTP Basic
> Authentication (what I believe you're using) actually happens with
> *every* page request. The username and a (weakly) hashed password is
> sent every time you GET a page. Perhaps it's the web browser that's
> keeping the credentials separate for HTTP and HTTPS?
>
Duh, you're right of course, it is the web browser that would be
controlling things. Typically a web browser will not prompt for basic
authentication credentials of the 'realm' sent by the web server is
identical to a previously authenticated access to the same realm.
Apparently the shift to/from SSL is considered by browsers to be a
different realm.
Guess I'm stuck then. I know of no way to convince a web browser to
change this particular behavior.
Thanks Bob,
Dan
More information about the gnhlug-discuss
mailing list