[Mailman-Developers] cookies

Thomas Wouters thomas@xs4all.net
Wed, 10 May 2000 10:53:13 +0200


On Wed, May 10, 2000 at 01:08:22AM +0200, Ricardo Kustner wrote:

> > What is Basic-Authorization?  If it doesn't involve a HTTP POST of the
> > admin login page, I believe it will not work (out of the box, anyway).

> Basic-auth is a cgi process sending a 401 auth required http header
> and thus asking the browser to prompt for a username and password...
> I'm not 100% sure if it's possible with a cgi script though (I know it's
> possible in PHP but I've never tried it in cgi...)

Basic auth is possible in CGI; you just have to make sure your webserver
allows you to send HTTP response codes. If I recall correctly, you can do
this in Apache by naming your script 'nph-<script>', but given the fast
development cycle of Apache and other webservers, there might be a better,
more portable way. After the server sends a 401, the browser resends the
request with an additional header, 'Authorization', with the value 'Basic
<secret>', where <secret> is 'username:password' base64-encoded.

I'm not sure if basic auth would suit Mailman's needs. There might be some
issues regarding length of username, and whether it can contain an @, for
instance. (IE, and perhaps Netscape too, nowadays, allow you to specify
username and password in the URL: http://user:password@server/. This would
probably barf when faced with @s in usernames or passwords. I also don't know
if this is in the RFC.) Also, basic auth behaves differently from Cookies:
they are hostname+path-based instead of just hostname-based, and they expire
when the browser closes or another '401 auth required' occurs. You can try
to force an expire by sending back a 401 auth required as 'logout', but this
tends to confuse a lot of people, because they usually get another popup
window asking for a username/password ;P

Basic auth works with all HTTP requests, though, and I believe has more
support than cookies. (httplib has auth support, I use it frequently. Does
it have cookie support ? :)

-- 
Thomas Wouters <thomas@xs4all.net>

Hi! I'm a .signature virus! copy me into your .signature file to help me spread!
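
The 401 challenge and the 'Authorization: Basic <secret>' header described in the message above, as an added example that is not part of the original post and is not Mailman code. The account, the realm name and the HTTP_AUTHORIZATION environment key are assumptions; the sample credentials are constructed to show an @ in the username and colons in the password.

```python
import base64
import hmac

# Constructed sample account: '@' in the username, ':' in the password.
USERS = {"listadmin@example.org": "s3cret:with:colons"}
REALM = "list admin"  # hypothetical realm name


def parse_basic(header):
    """Return (username, password) from an Authorization value, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    # Split on the first colon only: the password may contain ':',
    # and '@' needs no special handling in either field.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def handle(environ):
    """CGI-style handler returning (status, headers, body)."""
    # Assumption: the web server exposes the header as HTTP_AUTHORIZATION.
    creds = parse_basic(environ.get("HTTP_AUTHORIZATION"))
    if creds is not None:
        user, password = creds
        expected = USERS.get(user, "")
        # Constant-time comparison of the submitted and stored password.
        same = hmac.compare_digest(expected.encode(), password.encode())
        if user in USERS and same:
            return "200 OK", [("Content-Type", "text/plain")], "hello " + user
    # No or wrong credentials: challenge so the browser prompts and resends.
    challenge = 'Basic realm="%s"' % REALM
    return "401 Unauthorized", [("WWW-Authenticate", challenge)], "auth required"
```

Base64 is an encoding, not encryption, so the header carries the password in recoverable form on every request.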