Download & Extend
Secure Site » Issues

Accept HTTP Authentication without forcing it

Posted by salvis on December 30, 2009 at 4:03pm
Project:Secure Site
Version:6.x-2.4
Component:Code
Category:bug report
Priority:normal
Assigned:Unassigned
Status:active

Issue Summary

I've set Force authentication to Never, because I don't want any of my users to ever see the password dialog.

However, I'd like to be able to log in using the http://userid:password@example.com/path syntax. This works if I force authentication, but it has no effect otherwise.

I understand this used to be the purpose of the HTTP Authentication module, which was merged into Secure Site, so I'm marking this as a bug rather than a feature request.

Am I missing something?

Login or register to post comments

Comments

#1

Posted by salvis on December 31, 2009 at 12:28am

I'm seeing some weird behavior: I'm trying to use WinHTTrack to capture a static copy of my site. The site has a public part and some forums that are protected by node access.

WinHTTrack supports logging in using the http://userid:password@example.com/path syntax and it does capture the public part of the site as user userid! However, it receives 403 errors as soon as it tries to follow a link to a protected forum.

Apparently, WinHTTrack creates a new userid session for every request, because the Who's Online block shows a couple hundred of them after WinHTTrack has run, and the captured pages show the logged in state. (I haven't been able to create a userid session by typing http://userid:password@example.com/ syntax into Firefox myself though.) However, WinHTTrack fails to establish a userid session for protected paths!

I'm really puzzled why it works on the public paths but not on the protected ones.

BTW, I do have my own 403 page and would like to keep it.

Is there a way to programmatically test whether the user is supplying userid:password?

#2

Posted by ekes on November 19, 2010 at 12:10pm

"haven't been able to create a userid session by typing http://userid:password@example.com/ syntax into Firefox myself though." It seems that Firefox doesn't try http auth unless it's required. I can login with userid:password with Opera, but not Firefox (or Thunderbird) if it's not forced for example.

nobody click here