how .htaccess authentication works with my website via LDAP. How the cookies and sessions are set? -

-

i using .htaccess authentication website. once authentication happen ad vi ldap, how authenticated user's session , cookies got created in browser , redirection happening website. please in or please share links explains process.

take @ wiki pages basic authentication , digest authentication, both authentication mechanism on protocol (http). basically, browser sees (heavily paraphrasing here):

  1. attempt request uri, webserver replies 401 response , www-authenticate header
  2. this header contains realm, kind of group of pages belong same authentication realm
  3. browser pops modal dialog box asking username , password.
  4. depending on basic or digest, password sent webserver along original request resulted in 401.
  5. if credentials incorrect, 403 returned , browser shows appropriate error message. otherwise, webserver returns requested page.
  6. the browser knows url belongs realm, every time url requested, authorization automatically sent along request.
  7. if browser requests else requires authentication, , belongs same realm, browser automatically send authorization when webserver returns 401 , realm.

how webserver configured realm info , list of credentials varies. hooked ldap database, active directory, flat file hashed passwords, etc.

this different cookies or other webapp-level authentication because doesn't use http protocol authenticate. webapp has page forms username , password, sent via post/get request parameters, , it's webapp determine if credentials valid. if valid, webapp choose store session id cookie browser can continue browse pages served webapp.

one of end-user differences between , http authentication webapp can delete cookie, or invalidate session, logging user out of webapp. isn't possible http authentication because browser blindly submits authorization header when requesting pages under same realm. 1 way around make webserver forcefully return 403 when protected page requested.

another difference http authentication, can include username/password part of url. how http://user:pass@host.com authentication work?

also see: http://blog.distributedmatter.net/post/2008/06/09/http-authentication-mechanisms-and-how-they-could-work-in-restlet more complete description of authentication in general.


Comments

Post a Comment

Popular posts from this blog

c# - SVN Error : "svnadmin: E205000: Too many arguments" -

-
i trying reposotries using c# code process svncommand = null; var psi = new processstartinfo("svnadmin"); psi.redirectstandardoutput = true; psi.redirectstandarderror = true; psi.useshellexecute = false; psi.arguments= @"dump c:\repositories\myrepo > c:\temp\myrepodumpfile.dump"; using (svncommand = process.start(psi)) { var myoutput = svncommand.standardoutput; var myerror = svncommand.standarderror; debug.write("output :" + environment.newline + environment.newline + myoutput.readtoend() + environment.newline + "error :" + environment.newline + environment.newline + myerror.readtoend()); svncommand.close(); } when use dump command commandline svnadmin dump c:\repositories\myrepo > c:\temp\myrepodumpfile.dump it works fine when try ...
Read more

c++ - Using OpenSSL in a multi-threaded application -

-
i have been writing soap client application in c++ on ubuntu using openssl https transport , pthreads threading. have number of threads - 1 central data acquisition thread periodically gets worker threads make soap requests via shared mutex protected queues. reading documentation openssl found is openssl thread-safe? in openssl faq describes mechanisms required ensure thread safety when using openssl. implemented , works fine. the reason question conceptual difficulty really. thinking implementing same functionality application has already, instead of using threads, create 2 seperate applications : 1 worker thread (of multiple copies running) , main data acquisition thread. use tcp sockets communicate between 2 rather mutex protected queues. may bad idea not important - confusing me would have implement same functions required ensure openssl thread safety in second approach or not? my guess not have , treated independent (indeed surely must many applications use openssl) re...
Read more

All overlapping substrings matching a java regex -

-
is there api method returns (possibly overlapping) substrings match regular expression? for example, have text string: string t = 04/31 412-555-1235; , , have pattern: pattern p = new pattern("\\d\\d+"); matches strings of 2 or more characters. the matches are: 04, 31, 412, 555, 1235. how overlapping matches? i want code return: 04, 31, 41, 412, 12, 55, 555, 55, 12, 123, 1235, 23, 235, 35. theoretically should possible -- there obvious o(n^2) algorithm enumerates , checks substrings against pattern. edit rather enumerating substrings, safer use region(int start, int end) method in matcher . checking pattern against separate, extracted substring might change result of match (e.g. if there non-capturing group or word boundary check @ start/end of pattern). edit 2 actually, it's unclear whether region() expect zero-width matches. specification vague, , experiments yield disappointing results. for example: string line = "xx90xx"; strin...
Read more