(keitai-l) Re: Apache authentication on handsets

From: Curt Sampson <cjs_at_cynic.net>
Date: 12/12/01
Message-ID: <Pine.LNX.4.33.0112121906220.20697-100000@denkigama.nat.shibuya.blink.co.jp>

On Wed, 12 Dec 2001, Nick May wrote:

> keitai-l@appelsiini.net writes:
> >If you try to access a restricted area on an Apache web server with an
> >iMode phone you conveniently get the standard 401 authentication prompt
> >for a username and password.  Cool.
>
> This is NOT always reliable - on the handset I standardly test on I have
> to retype the password/userid at regular intervals. It may be more
> reliable on other phones - or it may be ip address related (of the proxy,
> on subsequent requests), I am not sure.

It's not IP address related. With HTTP Authentication the client sends the
server an "Authorization:" header line in every HTTP request. It seems
likely to me that it's the phone doing this, not the gateway, since
having the gateway do it would involve keeping state in the gateway,
which makes life more difficult.

You might check the URL when you have to re-enter the name and password.
According to RFC 2617:

    A client SHOULD assume that all paths at or deeper than the depth
    of the last symbolic element in the path field of the Request-URI
    also are within the protection space....

So if you go from /foo/bar/one to /foo/bar/two, you should not have to
re-authenticate. But going from /foo/bar/one to /foo/bam/one you would
have to re-authenticate.

> I have also noticed more DNS timeouts when I am accessing a restricted
> area.

This seems very odd. I can't see how it would be related.

cjs
-- 
Curt Sampson  <cjs_at_cynic.net>   +81 90 7737 2974   http://www.netbsd.org
    Don't you know, in this new Dark Age, we're all light.  --XTC
Received on Wed Dec 12 12:20:36 2001
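
The path-prefix rule quoted from RFC 2617 in the message above, sketched as a client-side credential cache that decides when an "Authorization:" header goes out without a fresh 401. This is an added example, not code from the original message; the host, the credentials and the `BasicAuthCache` class are constructed for illustration, and only the prefix rule is modelled, not realm matching after a challenge.

```python
import base64
import posixpath
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_and_path(url):
    """Split a URL into ((scheme, host, port), normalized path)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    raw = parts.path or "/"
    # Resolve "." and ".." first so /foo/bar/../bam/one is compared as
    # /foo/bam/one and cannot pass a naive prefix check.
    path = "/" + posixpath.normpath(raw).lstrip("/")
    if raw.endswith("/") and not path.endswith("/"):
        path += "/"
    return (scheme, parts.hostname, port), path


class BasicAuthCache:
    """Client-side cache of Basic credentials keyed by path prefix."""

    def __init__(self):
        self._entries = []  # (origin, prefix, header value)

    def remember(self, url, user, password):
        """Record credentials the server accepted for `url`."""
        origin, path = _origin_and_path(url)
        # Protection space starts at the directory of the last path element.
        prefix = path[: path.rfind("/") + 1]
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self._entries.append((origin, prefix, "Basic " + token))

    def header_for(self, url):
        """Return the Authorization value to send preemptively, or None."""
        origin, path = _origin_and_path(url)
        for known_origin, prefix, header in self._entries:
            if origin == known_origin and path.startswith(prefix):
                return header
        return None  # no match: the request goes out bare and draws a 401


def demo():
    cache = BasicAuthCache()
    # Constructed host and credentials, for illustration only.
    cache.remember("http://example.test/foo/bar/one", "alice", "s3cret")
    paths = ["/foo/bar/two", "/foo/bar/deeper/x", "/foo/bam/one",
             "/foo/bar/../bam/one", "/foo/barbaz/one"]
    return {p: cache.header_for("http://example.test" + p) is not None
            for p in paths}
```

Scoping the cache by origin as well as path keeps the header from being sent to a different host or port that happens to share the same path.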