AOL + REMOTE_USER

AOL + REMOTE_USER

Post by John Richardso » Sat, 19 Jul 1997 04:00:00



I have protected pages and cgi's under Apache 1.2 which uses CGI
Environment variables to determine who is accessing each page.
However, REMOTE_USER is left null when people access it from
AOL.  Is this a config problem or a problem w/AOL?  Is there
something I can do to get it working?

I am desperate.  Please help!

Thanks in advance,
John Richardson

 
 
 

AOL + REMOTE_USER

Post by Kriston J. Rehbe » Wed, 30 Jul 1997 04:00:00



>I have protected pages and cgi's under Apache 1.2 which uses CGI
>Environment variables to determine who is accessing each page.
>However, REMOTE_USER is left null when people access it from
>AOL.  Is this a config problem or a problem w/AOL?  Is there
>something I can do to get it working?

No, and no.  You have to work out some other kind of mechanism to identify and
validate a remote user.  Using REMOTE_USER to "protect" pages and CGI's could
be considered an oxymoron.

Enjoy,

Kris

---
Kriston J. Rehberg

http://www.nyx.net/~krehberg/

 
 
 

AOL + REMOTE_USER

Post by Kevin P. Ne » Thu, 31 Jul 1997 04:00:00




>>I have protected pages and cgi's under Apache 1.2 which uses CGI
>>Environment variables to determine who is accessing each page.
>>However, REMOTE_USER is left null when people access it from
>>AOL.  Is this a config problem or a problem w/AOL?  Is there
>>something I can do to get it working?
>No, and no.  You have to work out some other kind of mechanism to identify and
>validate a remote user.  Using REMOTE_USER to "protect" pages and CGI's could
>be considered an oxymoron.

Why should this be considered an oxymoron? It works fine at my site.
--
XCOMM Kevin P. Neal, Junior, Comp. Sci.     -   House of Retrocomputing


XCOMM "Good grief, I've just noticed I've typed in a rant. Sorry chaps!"
 
 
 

AOL + REMOTE_USER

Post by Kriston J. Rehbe » Wed, 06 Aug 1997 04:00:00





>>>I have protected pages and cgi's under Apache 1.2 which uses CGI
>>>Environment variables to determine who is accessing each page.
>>>However, REMOTE_USER is left null when people access it from
>>>AOL.  Is this a config problem or a problem w/AOL?  Is there
>>>something I can do to get it working?

>>No, and no.  You have to work out some other kind of mechanism to identify and
>>validate a remote user.  Using REMOTE_USER to "protect" pages and CGI's could
>>be considered an oxymoron.

>Why should this be considered an oxymoron? It works fine at my site.

You're right.  But how would that environment variable be affected by a proxy?
It seems to work for me.  One thing that AOL seems to do (at least the Windows
3.x version) is to display the "forbidden" page in the browser window while
the password prompt is on the screen.  Once the user/password is enterred
correctly, the web browser still does eventually go to the right page.

Kris

---
Kriston J. Rehberg

http://www.nyx.net/~krehberg/

 
 
 

AOL + REMOTE_USER

Post by Kevin P. Ne » Thu, 07 Aug 1997 04:00:00






>>>>I have protected pages and cgi's under Apache 1.2 which uses CGI
>>>>Environment variables to determine who is accessing each page.
>>>>However, REMOTE_USER is left null when people access it from
>>>>AOL.  Is this a config problem or a problem w/AOL?  Is there
>>>>something I can do to get it working?

>>>No, and no.  You have to work out some other kind of mechanism to identify and
>>>validate a remote user.  Using REMOTE_USER to "protect" pages and CGI's could
>>>be considered an oxymoron.

>>Why should this be considered an oxymoron? It works fine at my site.
>You're right.  But how would that environment variable be affected by a proxy?
>It seems to work for me.  One thing that AOL seems to do (at least the Windows
>3.x version) is to display the "forbidden" page in the browser window while
>the password prompt is on the screen.  Once the user/password is enterred
>correctly, the web browser still does eventually go to the right page.

If REMOTE_USER is affected by a proxy then that proxy is *broken*.

The REMOTE_USER environmental variable is set by the web server
*after* it has validated the credentials.

Also, if you retrieve a page that requires authorization but you don't
send the authorization info (name+password), then Apache at least will
send back a "401" with a page that describes the error to you.

This normally causes the browser to put up a password prompt. It
sounds like AOL is displaying the page sent by the server and *also*
putting up the password prompt. I don't see a problem with this.
--
XCOMM Kevin P. Neal, Junior, Comp. Sci.     -   House of Retrocomputing


XCOMM "Good grief, I've just noticed I've typed in a rant. Sorry chaps!"