>nope... if I understand correctly here is the scenario. He has a page
>secured with ssl. The page also has .htaccess file associated with it.
>Now it looks like netscape pops up the username/password box BEFORE ssl
>starts thus the username/password are passwd on in the clear. I may be
>wrong but I think this is the problem the person is having. I don't have
>an answer except to maybe have one page using ssl meta to another page
>using ssl where the .htaccess would apply.
Do you have any idea how user authentication works in HTTP? If you did,
you would understand why the above is not possible.
The browser starts by connecting to the web server. If the URL is http: it
uses ordinary, unencrypted HTTP. If the URL is https:, it uses HTTP over
SSL, which encrypts everything in the session; the session key is
negotiated automatically when the connection is established.
The browser then sends a "GET <pathname>" command to the server. If it's
an HTTP connection, it's sent in the clear; if it's an SSL connection, it's
If the page requires user authentication, the server responds with an error
code indicating this. The browser pops up a username/password prompt, gets
the info from the user, and then resends the GET command, this time
following it with an Authentication header containing the authentication
information. As above, if the session is over an SSL connection, this will
As you can see, encryption and basic authentication are completely
independent. Encryption occurs whenever you access an https: URL, and
authentication occurs whenever the server demands it due to the attributes
of the page (e.g. the existence of a .htaccess file).
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Don't bother cc'ing followups to me.