Apache asking for password multiple times

Post by e.. » Wed, 09 Jul 2003 05:02:55



When I use Front Page Extensions (FPE) to create a protected folder I am
often prompted for the password many times before access is granted.
My hosting service has the following installed:
        Linux: RedHat 7.3
        Apache: 1.3.27
        Front Page Extensions: 5
        mod-dav (Allows read/write access to files)
           (All security handled by Apache, not mod_dav)

I have uploaded an Excel spreadsheet (.xls) file to a folder in my web site.
The .xls file is not password protected by Excel.  Using FPE, I set the
folder to:
        Use unique permissions
        Only registered users can browse
        One username/password (just called "pw" below) with browse only
        Another pw with browse & author permissions.

When I use Excel to open the file (File/Open http://MyDomain/path/jnk.xls)
I am prompted for the pw.  If I enter the pw with author permission, the
spreadsheet immediately opens with read/write access as it should.
However, if I enter the browse only pw I am asked for the pw many times,
and then finally read-only access is granted as it should be.

The question is why I am prompted for the pw so many times and what can I
do  so I am only prompted once?

I have tried all sorts of changes to .htaccess in the folder where the .xls
file is.  Some changes caused it not to work at all, but all the working
ones I tried failed in the same way.

In case they are helpful, here are 5 different scenarios which may help to
understand just what is happening:

Scenario 1 - Enter pw at every prompt:
1. pw request for Resource http://MyDomain/t/jnk.xls, I enter correct pw
(do above a total of three times.  Note: the AuthName in the folder's
.htaccess is simply  "t")

2. "File transferring" message briefly displayed

3. pw request for Resource http://MyDomain/t/jnk.xls, I enter correct pw
(do above a total of three times)

4. Read only copy of spread sheet opens & is ready to use.

Scenario 2 - Enter pw at 1st prompt only:
1. pw request for Resource http://MyDomain/t/jnk.xls, I enter correct pw
(One time only)

2. pw request for Resource http://MyDomain/t/jnk.xls, I click on "Cancel"
(One time only)

3. "File transferring" message briefly displayed

4. pw request for Resource http://MyDomain/t/jnk.xls, I click on "Cancel"
(One time only)

5. Read only copy of spread sheet opens & is ready to use.
(Note I was only challenged for the pw 3 times instead of 6 as in scenario
1)

Why all the additional prompts when it didn't "care" if I gave it or not?

Scenario 3 - Enter P/W on last prompt only:
1. pw request for Resource http://MyDomain/t/jnk.xls, I click on "Cancel"
(One time only)

2.  "File transferring" message briefly displayed Strange?!!?

3. pw request for Resource http://MyDomain/t/jnk.xls, I click on "Cancel"

4. pw request for Resource t, I enter correct pw
(t is the AuthName in .htaccess)

5. Read only copy of spread sheet opens & is ready to use.
(Note I was only challenged for the pw 3 times instead of 6 as in scenario
1)

Scenario 4 - Never enter pw:
1-3.  Same as scenario 3

4. pw request for Resource t, I click on "Cancel"
(t is the AuthName in .htaccess)

5. Message box: "Microsoft Excel cannot access the file ..."
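
Added example (not part of the original post): one way to see which requests sit behind each prompt is to tally the 401 responses in the Apache access log by request method and logged user name. The log lines are constructed, and the WebDAV methods in them are an assumption about what a client such as Excel sends; `tally_challenges` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample in Apache Common Log Format. Host, user name and the
# request sequence are illustrative assumptions, not data from the post.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Jul/2003:05:00:01 +0000] "OPTIONS /t/ HTTP/1.1" 401 401
192.0.2.10 - browse [09/Jul/2003:05:00:05 +0000] "OPTIONS /t/ HTTP/1.1" 200 0
192.0.2.10 - browse [09/Jul/2003:05:00:05 +0000] "PROPFIND /t/jnk.xls HTTP/1.1" 207 512
192.0.2.10 - browse [09/Jul/2003:05:00:06 +0000] "LOCK /t/jnk.xls HTTP/1.1" 401 401
192.0.2.10 - browse [09/Jul/2003:05:00:09 +0000] "LOCK /t/jnk.xls HTTP/1.1" 401 401
192.0.2.10 - browse [09/Jul/2003:05:00:12 +0000] "GET /t/jnk.xls HTTP/1.1" 200 13824
"""

# host ident user [time] "METHOD path protocol" status bytes
LINE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def tally_challenges(log_text, path_prefix="/t/"):
    """Count 401 responses under path_prefix, keyed by (method, logged user).

    A user of "-" means the request carried no credentials. A named user on
    a 401 means credentials were sent and Apache still refused the request
    (bad password, or the account is not allowed to use that method).
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["status"] != "401":
            continue
        if not m["path"].startswith(path_prefix):
            continue
        counts[(m["method"], m["user"])] += 1
    return counts


if __name__ == "__main__":
    for (method, user), n in tally_challenges(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {method:9s} user={user}")
```

Run against the real access log, a 401 that carries the browse-only user name points at an authorization rule for that method rather than a mistyped password.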

 
 
 

1. Apache - how to ask for username/password a second time?

So a user has asked for an authentication-protected part of the server. It
pops up the box and asks for username and password. They happily type it in
and go about their business.

They finish and walk away, leaving the browser still open.

An hour passes. Another user sits down at the keyboard - the browser is
still there, still inside the protected part of the server. The web server
can tell this particular "user" has done nothing for an hour. How, then, do
you force it to ask the user for another username and password? I assume it
would have to be some kind of server-side trick, rather than "counting on"
some obscure feature of the browser - a password "expire" or something.

I tried sending back 401 by hand, but that, er... didn't quite work. (And a
numbskulled trick like that doesn't deserve to work anyway...)

It might work to change the password file itself to invalidate the user's
current password just long enough for the server to complain, and then
change it back - but short of recompiling Apache, how on earth do you pull a
stunt like _that_? A CGI program wouldn't work too well - you want to block
access BEFORE it hits any CGIs, and then how do you change the password back
under CGI control - by the time the browser receives the 401, the CGI is
already terminated, right?

Of course, part of the idea is for the second user to log in as a
_different_ username/password...

--

| http://www.iupui.edu/~jrshepar (mine)       http://www.cpbx.net (CPBX) |
|   Amiga owner, Babylon 5 watcher, Sarah McLachlan fan: God help me!    |
| "Sleeping on empty dreams" -Sarah M. "You have always been here" -Kosh |
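
Added example (not part of the original post, and not Apache code): a sketch of the server-side idle check the post asks about, written as the decision an authentication hook would make for each request. `IdleGate`, the client key and the injected clock are assumptions for illustration; the caller is assumed to have already verified the password against the password file.

```python
import time

IDLE_LIMIT = 3600  # seconds; the post's "an hour"


class IdleGate:
    """Decide whether valid Basic credentials are accepted or re-challenged."""

    def __init__(self, idle_limit=IDLE_LIMIT, clock=time.monotonic):
        self.idle_limit = idle_limit
        self.clock = clock
        # (client, user) -> time of the last accepted request.
        # Assumption: "client" is whatever the server uses to tell browsers
        # apart; an IP address alone is a weak key behind NAT or a proxy.
        self.last_seen = {}

    def check(self, client, user, password_ok):
        """Return the status to send: 200 to proceed, 401 to re-prompt."""
        if user is None or not password_ok:
            return 401  # ordinary challenge: nothing valid was presented
        key = (client, user)
        now = self.clock()
        seen = self.last_seen.get(key)
        if seen is not None and now - seen > self.idle_limit:
            # Credentials are valid but stale. Answer 401 exactly once and
            # forget the session. A browser that receives 401 for a request
            # that carried credentials discards its cached copy and prompts,
            # so the next accepted request comes from a fresh entry.
            del self.last_seen[key]
            return 401
        self.last_seen[key] = now
        return 200
```

The 401 has to carry the same `WWW-Authenticate` realm as the normal challenge, and the check runs before any CGI is reached, which is why it belongs in the authentication phase rather than in a script.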
