Welcome to MobyThreads.com!
FAQFAQ      ProfileProfile    Private MessagesPrivate Messages   Log inLog in
All support for the MobyThreads Threaded phpBB MOD can now be found on welsolutions at this forum

mod_auth_digest and php: HTTP Error 400

  
   Web Hosting and Web Master Forums (Home) -> Apache RSS
Next:  errors on NT  
Author Message
shees

External


Since: May 31, 2004
Posts: 3



(Msg. 1) Posted: Mon May 31, 2004 6:12 pm
Post subject: mod_auth_digest and php: HTTP Error 400
Archived from groups: alt>apache>configuration (more info?)
I found following 2-year-old posting from someone who has the same
problem like me today:

"whenever i run PHP scripts which require the ? tags on the end of a URL
(i.e. index.php?page=x ) i get a 400 error saying it was a bad request.
This error only happens when under my password protected pages (digest
authentication). Is there anyway I can continue to use the digest auth.
and have those links still work (in that same format) i.e. change a few
settings or something?"

The only reply at that time was
"Digest authentification is experimental. I use basic authentification
and I have no problem."

I am running Apache 1.3.29 on a linux 2.4.26 environment and I would
like to use digest authentication. Has digest authentication got over
its experimental stage in the mean time (without having to move to
Apache 2.x)?

What do I have to do to get digest authentication running with PHP pages
in the protected folders?

Thank you for your help.

 >> Stay informed about: mod_auth_digest and php: HTTP Error 400 
Back to top
Login to vote
davideyeahsure

External


Since: Nov 03, 2003
Posts: 2907



(Msg. 2) Posted: Mon May 31, 2004 6:12 pm
Post subject: Re: mod_auth_digest and php: HTTP Error 400 [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
Sebastian Hees <shees.TakeThisOut@gmx.de> wrote:
 > "whenever i run PHP scripts which require the ? tags on the end of a URL
 > (i.e. index.php?page=x ) i get a 400 error saying it was a bad request.

Maybe you should try using POST and not GET method to call URLs?

 > I am running Apache 1.3.29 on a linux 2.4.26 environment and I would
 > like to use digest authentication.

Well... before posting this... DID YOU TRYED IT?

Davide

--
| If you think last Tuesday was a drag, wait till you see what happens
| tomorrow!
|
|<!-- ~MESSAGE_AFTER~ -->

 >> Stay informed about: mod_auth_digest and php: HTTP Error 400 
Back to top
Login to vote
shees

External


Since: May 31, 2004
Posts: 3



(Msg. 3) Posted: Mon May 31, 2004 6:31 pm
Post subject: Re: mod_auth_digest and php: HTTP Error 400 [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
Davide Bianchi schrieb:
 > Sebastian Hees <shees RemoveThis @gmx.de> wrote:
 >
  >>"whenever i run PHP scripts which require the ? tags on the end of a URL
  >>(i.e. index.php?page=x ) i get a 400 error saying it was a bad request.
 >
 >
 > Maybe you should try using POST and not GET method to call URLs?

I am using an established open source webshop called osCommerce
(www.oscommerce.com) and do not want to rewrite all the php code.

  >>I am running Apache 1.3.29 on a linux 2.4.26 environment and I would
  >>like to use digest authentication.
 >
 >
 > Well... before posting this... DID YOU TRYED IT?

Of course i have tried that. And it's not working. That's the reason why
I'm posting.<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: mod_auth_digest and php: HTTP Error 400 
Back to top
Login to vote
davideyeahsure

External


Since: Nov 03, 2003
Posts: 2907



(Msg. 4) Posted: Mon May 31, 2004 6:38 pm
Post subject: Re: mod_auth_digest and php: HTTP Error 400 [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
Sebastian Hees <shees.RemoveThis@gmx.de> wrote:
 > Of course i have tried that. And it's not working. That's the reason why
 > I'm posting.

I see this on the apache's site:

Digest authentication provides a more secure password system than Basic
authentication, but only works with supporting browsers.
As of November 2002, the major browsers that support digest authentication
are Opera, MS Internet Explorer (fails when used with a query string),

Now, that "fails when used with a query string" sounds suspicious...
did you tried with more web browser or just with IE?

But anyway, if the module is still 'experimental', I don't see any
other way than not using it.

Davide

--
| The IQ of the group is the lowest IQ of a member of the group divided
| by the number of people in the group.
|
|<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: mod_auth_digest and php: HTTP Error 400 
Back to top
Login to vote
hans1

External


Since: Mar 29, 2004
Posts: 672



(Msg. 5) Posted: Mon May 31, 2004 11:19 pm
Post subject: Re: mod_auth_digest and php: HTTP Error 400 [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
"Sebastian Hees" <shees DeleteThis @gmx.de> schreef in bericht
news:c9fb2k$q5l$1@online.de...
 > I found following 2-year-old posting from someone who has the same
 > problem like me today:
 > "whenever i run PHP scripts which require the ? tags on the end of a URL
 > (i.e. index.php?page=x ) i get a 400 error saying it was a bad request.
 > This error only happens when under my password protected pages (digest
 > authentication). Is there anyway I can continue to use the digest auth.
 > and have those links still work (in that same format) i.e. change a few
 > settings or something?"
 > The only reply at that time was
 > "Digest authentification is experimental. I use basic authentification
 > and I have no problem."

<a style='text-decoration: underline;' href="http://httpd.apache.org/docs-2.0/mod/mod_auth_digest.html#using" target="_blank">http://httpd.apache.org/docs-2.0/mod/mod_auth_digest.html#using</a>
" Digest authentication provides a more secure password system than Basic
authentication, but only works with supporting browsers. As of November
2002, the major browsers that support digest authentication are Opera, MS
Internet Explorer (fails when used with a query string[1]), Amaya, Mozilla
and Netscape since version 7. Since digest authentication is not as widely
implemented as basic authentication, you should use it only in controlled
environments. "
[1] That's the name for what comes after the question mark ...

Did some googling on that ...
<a style='text-decoration: underline;' href="http://www.rassoc.com/gregr/weblog/archive.aspx?post=448" target="_blank">http://www.rassoc.com/gregr/weblog/archive.aspx?post=448</a>
" - When using Opera, the cnonce value is a base-64 encoded value which may
contain the '=' character. The original parsing code did not correctly
handle this situation.
- Mozilla uses the entire URI (including the query string) for the uri
field in the authorization header, whereas Internet Explorer does not. The
original parsing code would not correctly handle the '=' characters in the
header. "

<a style='text-decoration: underline;' href="http://www.apacheweek.com/issues/02-12-20" target="_blank">http://www.apacheweek.com/issues/02-12-20</a>
" An article published by eWeek earlier this year covered an incompatibility
between the implementations of the digest authentication specification (RFC
2617) in Microsoft Internet Explorer and Apache, although no specific
details were revealed in the article. More light was shed on the issue this
week as it was discovered that when requests sent by Internet Explorer to a
location protected by mod_auth_digest where the URL includes a query string
(such as /cgi-bin/script.pl?id=foobar), authorisation will always fail. This
appears to be because Internet Explorer sends an incorrect WWW-Authorization
header for such URLs; no workaround is known, though several techniques were
suggested to avoid using query strings in protected locations; using POST
for forms, or using PATH_INFO to avoid explicit query strings. "

<a style='text-decoration: underline;' href="http://www.apacheweek.com/issues/03-06-20" target="_blank">http://www.apacheweek.com/issues/03-06-20</a>
" A patch was submitted last week which may be of interest to server
administrators looking to deploy Digest-based authentication. As covered
last year, there is a bug in the Digest authentication code in Microsoft
Internet Explorer, causing requests which use a query string to fail if
under Digest protection. Paul Querna, developer of the mod_authn_dbi module,
has developed a BrowserMatch-based workaround for this issue; relaxing the
check to allow MSIE to authenticate correctly without compromising security
for other browsers. "

<a style='text-decoration: underline;' href="http://www.apache-httpd.com/msg/4858.html" target="_blank">http://www.apache-httpd.com/msg/4858.html</a>
"... There is a workaround that lets you ignore this if the
AuthDigestEnableQueryStringHack environment variable is defined (for example
using BrowserMatch). But I believe it is only in the development branch
(2.1) and not in the released branch. The patch is here:
<a style='text-decoration: underline;' href="http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/aaa/mod_auth_digest.c?r1=1.86&r2=1.87" target="_blank">http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/aaa/mod_auth_diges...?r1=1.8</a> "

For those brave and daring, just c&p this patch to your current
source -either 1.3x or 2.0.4x- and recompile, fingers crossed!

HansH<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: mod_auth_digest and php: HTTP Error 400 
Back to top
Login to vote
shees

External


Since: May 31, 2004
Posts: 3



(Msg. 6) Posted: Mon May 31, 2004 11:34 pm
Post subject: Re: mod_auth_digest and php: HTTP Error 400 [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
Davide Bianchi schrieb:
 > Digest authentication provides a more secure password system than Basic
 > authentication, but only works with supporting browsers.
 > As of November 2002, the major browsers that support digest authentication
 > are Opera, MS Internet Explorer (fails when used with a query string),

Thank you. This was the information I was missing.

With Mozilla browser, it works fine => time to switch browsers (OE has
already been replaced by Thunderbird since quite a while).<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: mod_auth_digest and php: HTTP Error 400 
Back to top
Login to vote
Display posts from previous:   
Related Topics:
How not to log "GET / HTTP/1.1" - I'm getting about 3 of these requests per minute now. It's filling my logfile up quickly. What can I put in my http.conf to prevent these requests from being logged? Also, I don't really like the fact that it's sending my index.htm file to these..

Pb with HTTP/1.0 - Hi, I've a problem with an old apache 1.3.7 : the same request to a CGI comes in 0.006 seconds in HTTP/1.1 and in more than 8 seconds in HTTP/1.0 Is there someone to help me ? Thanks

HTTP Headers in the CGI - I have Apache/1.3.26 server running on my Linux box (Linux from SuSe). I have a CGI program which uses a simple HTML page to send and recieve some data. Is there a way I can configure the Apache so that it will ALSO send me the HTTP Headers alongwith..

HTTP proxy - Hi, I am using an HTTP proxy (forward) based on Apache2 / Solaris. The proxy is doing some simple changes in the HTTP headers, thanks to mod_ext_filter and a sed substitution. I would like to go further (in term of performance). I am thinking about..

HTTP & HTTPS - Hi , I am new to apache and would like know this.. 1.I want to run all except one file of my site in HTTP and the remaining one- authentication- file in HTTPS. 2.This has two solutions as outlined in http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html ....
   Web Hosting and Web Master Forums (Home) -> Apache All times are: Pacific Time (US & Canada) (change)
Page 1 of 1

 
 You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



[ Contact us | Terms of Service/Privacy Policy ]