On Thu, 2005-11-10 at 17:19 +0000, Martin Moss wrote:
> So an Authen Handler can return a REDIRECT?
> 
> I use a 403 custom response which is a self submitting
> page (with non javascript handling)... By doing so it
> prevents any of the authentication pages appearing in
> IE's back button on the browser...

I didn't answer your previous mail because I don't usually use the Auth
stuff and don't know much about it.  This all sounds really fishy
though.  403 is an HTTP response you send someone when you won't let
them in.  302 is a redirect.  And remember that the constants for
handler return values like Apache::OK are NOT the same as HTTP codes.
They are internal codes for use by Apache.

Also, if by self-submitting page you mean a META-REFRESH (aka client
pull), keep in mind that browsers are free to ignore this, so it's fine
as a convenience but not effective as a security measure.

- Perrin
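
An added example, not part of the thread: an authentication handler that enforces the session check on the server and answers unauthenticated requests with a real 302, rather than a 403 page that depends on client pull. It assumes mod_perl 2's `Apache2::` namespace (the thread writes `Apache::OK`); the module name, the cookie format, the `SessionSecret` PerlSetVar and the `/login` path are hypothetical.

```perl
package My::AuthenRedirect;    # hypothetical module name
use strict;
use warnings;

use Apache2::RequestRec ();    # $r->headers_in, $r->headers_out, $r->user
use Apache2::RequestUtil ();   # $r->dir_config
use APR::Table ();             # get/set on the header tables
use Apache2::Const -compile => qw(OK REDIRECT);
use Digest::SHA qw(hmac_sha256_hex);

# Assumed cookie format (constructed for this example):
#   session=<user>:<expiry epoch>:<hex HMAC-SHA256 of "user:expiry">
# Returns the user name for a valid, unexpired cookie, otherwise undef.
sub valid_session {
    my ($cookie_header, $secret) = @_;
    return undef unless defined $secret && length $secret;
    my ($user, $exp, $mac) = ($cookie_header // '') =~
        /(?:^|;\s*)session=([\w.-]+):(\d+):([0-9a-f]{64})(?:;|$)/
        or return undef;
    return undef if $exp < time();
    my $want = hmac_sha256_hex("$user:$exp", $secret);
    # Compare all 64 hex digits instead of stopping at the first mismatch.
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($want, $_, 1)) for 0 .. 63;
    return $diff == 0 ? $user : undef;
}

sub handler {
    my $r = shift;
    # Scalar assignments: in list context get() returns every matching value.
    my $cookie = $r->headers_in->get('Cookie');
    my $secret = $r->dir_config('SessionSecret');   # hypothetical PerlSetVar
    my $user   = valid_session($cookie, $secret);

    if (defined $user) {
        $r->user($user);
        return Apache2::Const::OK;      # 0: "this phase passed", not HTTP 200
    }

    # A real redirect: Location header plus the REDIRECT return value (302).
    $r->headers_out->set(Location => '/login');     # hypothetical login path
    return Apache2::Const::REDIRECT;
}

1;
```

Because the check runs in the server on every request, it holds whether or not the browser honours a refresh or keeps earlier pages in its history.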
