Date: Tue, 14 May 2002 22:34:07 +0100
From: Mike Wyer

>Why not persuade all people who restrict access to pages on
>www.doc.ic.ac.uk to use the same AuthName?
>The one given on the CSG web pages is "DoC Only", but lots of pages use
>something different. If we all use the same then I believe that we don't
>have to keep on typing in our password for each different page.

That is not correct - the authentication tokens are only kept for all
files under the same directory hierarchy. It just so happens that, as most
protected directories use different AuthNames, any two areas sharing the
same AuthName are usually under the same directory, so the authentication
is preserved.

A few examples:

Say there are top-level directories /web/files, /web/other, and /web/misc :

    /web/files/.htaccess : AuthName Web, AuthType KerberosV5
    /web/other/.htaccess : AuthName Other
    /web/misc/.htaccess  : AuthName Web, AuthType Basic

Accessing the following pages (in this order) will give:

    /web/files/a/myfile.html    -> Authorization Required (AuthName Web) -> A
    /web/files/b/otherfile.html -> [Uses cached connection A]
    /web/other/file.html        -> Authorization Required (AuthName Other) -> B
    /web/other/file2.html       -> [Uses cached connection B]
    /web/misc/file.html         -> Authorization Required (AuthName Web) -> C
    /web/misc/file2.html        -> [Uses cached connection C]
    /web/files/a/file3.html     -> [Uses cached connection A]
    /web/files/a/file4.html     -> [Uses cached connection A]
    /web/misc/a/file3.html      -> [Uses cached connection C]

Cached connections A and B will use Kerberos passwords, but connection C
will use the htpasswd file in /web/misc. It would be incorrect to give a
user access to /web/files if they had only authenticated against the text
file in /web/misc.

The AuthName is just a label for the password box, nothing more.

I believe the new DoC homepage project (see frk) uses some cunning
techniques to enable a single sign-on (mainly by protecting all the pages
under a single secure directory).

The only other alternative is to keep all secure content separate from
public content, and protect the whole lot with an appropriate .htaccess at
the root of the tree, but this is hardly practical.
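
Added example, not part of the original message: a small Python model of the walk-through above, with the credential cache keyed the way the message describes (by protected directory, not by AuthName). The names `PROTECTED`, `governing_dir` and `walk` are hypothetical, and the table is constructed from the three .htaccess files in the message.

```python
from posixpath import dirname

# Constructed from the message: protected directory -> (AuthName, password backend).
# The backend for /web/other is taken from the message's statement that
# connections A and B use Kerberos passwords.
PROTECTED = {
    "/web/files": ("Web", "Kerberos"),
    "/web/other": ("Other", "Kerberos"),
    "/web/misc": ("Web", "htpasswd"),
}


def governing_dir(path):
    """Return the nearest ancestor directory that has an .htaccess, or None."""
    d = dirname(path)
    while d not in PROTECTED:
        if d in ("/", ""):
            return None
        d = dirname(d)
    return d


def walk(requests):
    """Replay requests in order; return (path, event, AuthName, backend) tuples."""
    cache = {}  # protected directory -> connection label (A, B, C, ...)
    results = []
    for path in requests:
        area = governing_dir(path)
        if area is None:
            results.append((path, "public", None, None))
            continue
        name, backend = PROTECTED[area]
        if area in cache:
            event = "cached " + cache[area]
        else:
            # First visit to this directory tree: the user is prompted,
            # even if another tree already used the same AuthName.
            cache[area] = chr(ord("A") + len(cache))
            event = "prompt " + cache[area]
        results.append((path, event, name, backend))
    return results


if __name__ == "__main__":
    for row in walk(["/web/files/a/myfile.html", "/web/misc/file.html",
                     "/web/files/a/file3.html", "/web/misc/a/file3.html"]):
        print(row)
```

/web/files and /web/misc share the AuthName "Web" but produce separate prompts and check passwords against different backends, which is why a login to one must not grant access to the other.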