On Thu, 2005-11-10 at 17:19 +0000, Martin Moss wrote:
> So an Authen Handler can return a REDIRECT?
>
> I use a 403 custom response which is a self submitting
> page (with non javascript handling)... By doing so it
> prevents any of the authentication pages appearing in
> IE's back button on the browser...

I didn't answer your previous mail because I don't usually use the Auth stuff and don't know much about it.

This all sounds really fishy though. 403 is an HTTP response you send someone when you won't let them in. 302 is a redirect. And remember that the constants for handler return values like Apache::OK are NOT the same as HTTP codes. They are internal codes for use by Apache.

Also, if by self-submitting page you mean a META-REFRESH (aka client pull), keep in mind that browsers are free to ignore this, so it's fine as a convenience but not effective as a security measure.

- Perrin