Hello Andreas,

> not at all. Everything under /test will get the info. The browser does
> that and makes complete sense.

NAK.

Why should the user/password information I typed in for the auth URL
https://www.myserver.com/server-info be passed to a subsequent call of
https://www.myserver.com/tests/php-info.html, which isn't in any ACL set
and could be accessed the first time without this information?

The server should only request auth info for /server-info and nothing
else - it shouldn't request or pass auth info to a non-auth area like
/tests/ here.

My ACLs for your understanding:

- whole server 
    SSLRequireSSL
    none of the auth stuff
- <Location /server-info> only
    AuthName "LDAP Directory"
    AuthType Basic
    AuthLDAPURL ...

So, why should netscape/server request auth information for /tests/ and
pass it to the php4 script php-info.html on the second of my requests?
That's stupid and a possible security hole (because the plaintext
password is passed to lower layers like php4) IMHO.

Oh - just as I was typing this message a hint from Aidan came in
referencing http://www.php.net/bugs.php?id=8827 and
http://www.php.net/bugs.php?id=7774. Yes, that's one of the problems, thanks
Aidan.

On the other hand (passing PHP_AUTH_USER and PHP_AUTH_PW to php4 when
external authentication has already occurred), the problem of passing this
information on the second request (to a non-auth area!) is mysterious
too.

Okay, let's wait for a bugfixed (?) version of php4. Yesterday I already
patched my php4 so that PHP_AUTH_PW is always set to NULL &-).

Greetz,

        -- Micha

-- 
42rd Law of Computing: Anything that can go wro
pine: Segmentation violation: Core dumped ^J&6§4^+^)NO CARRIER

--
PHP Install Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
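The thread above turns on when a browser resends HTTP Basic credentials and on what a script that receives the raw Authorization header can read from it. The following Python model is an added illustration for readers of this thread; it is not code from the thread, from PHP or from Apache. It assumes the browser follows the RFC 2617 section 2 rule (after a 401 challenge for some URL, the same Authorization header is sent preemptively with later requests to paths at or below the directory of the challenged URL on the same origin). It goes beyond the single /server-info case in the thread by computing the covered prefix for any challenge URL. The host, realm, user name and password are constructed examples.

```python
"""
Model of the HTTP Basic "protection space" rule (RFC 2617, section 2).

Added illustration for this thread; not code from the thread, PHP or Apache.
Assumption: the browser follows RFC 2617 and, after a 401 challenge for some
URL, preemptively sends the same Authorization header with every later
request whose path is at or below the directory of the challenged URL on the
same origin. Host, realm, user name and password are constructed examples.
"""
import base64
import posixpath
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


def basic_header(user: str, password: str) -> str:
    """Header value a browser sends: 'Basic ' + base64('user:password')."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(value: str) -> Optional[Dict[str, str]]:
    """Recover user and password from a Basic header value.

    Basic auth is an encoding, not encryption: any layer that is handed the
    raw header (PHP's PHP_AUTH_USER / PHP_AUTH_PW in the thread) can do this.
    """
    if not value.startswith("Basic "):
        return None
    user, _, password = base64.b64decode(value[6:]).decode("utf-8").partition(":")
    return {"user": user, "password": password}


def protection_space(challenge_url: str) -> str:
    """Directory prefix the browser treats as the protection space.

    RFC 2617 s.2: all paths at or deeper than the depth of the last path
    element of the challenged URI are assumed to be inside the space.  For
    /server-info that last element sits directly under '/', so the whole
    server is covered; for /admin/status it would be '/admin/'.
    """
    path = urlsplit(challenge_url).path or "/"
    directory = posixpath.dirname(path)
    return directory if directory.endswith("/") else directory + "/"


class BrowserModel:
    """Minimal client that caches Basic credentials per origin and prefix."""

    def __init__(self) -> None:
        self._cache: Dict[str, List[Tuple[str, str, str]]] = {}

    @staticmethod
    def _origin(url: str) -> str:
        parts = urlsplit(url)
        return f"{parts.scheme}://{parts.netloc}"

    def handle_challenge(self, url: str, realm: str, user: str, password: str) -> None:
        """Called after a 401 with WWW-Authenticate: Basic realm="..."."""
        entry = (protection_space(url), realm, basic_header(user, password))
        self._cache.setdefault(self._origin(url), []).append(entry)

    def request_headers(self, url: str) -> Dict[str, str]:
        """Headers sent with a later request: credentials only inside a cached space."""
        path = urlsplit(url).path or "/"
        for prefix, _realm, header in self._cache.get(self._origin(url), []):
            if path.startswith(prefix):
                return {"Authorization": header}
        return {}


def urls_receiving_credentials(challenge_url: str, realm: str, user: str,
                               password: str, later_urls: List[str]) -> List[str]:
    """Which of later_urls the modelled browser would send the password to."""
    browser = BrowserModel()
    browser.handle_challenge(challenge_url, realm, user, password)
    return [u for u in later_urls if "Authorization" in browser.request_headers(u)]


if __name__ == "__main__":
    later = [
        "https://www.myserver.com/tests/php-info.html",   # no auth configured here
        "https://www.myserver.com/server-info",
        "http://www.myserver.com/tests/php-info.html",    # different origin (scheme)
    ]
    hit = urls_receiving_credentials("https://www.myserver.com/server-info",
                                     "LDAP Directory", "micha", "s3cret", later)
    for u in hit:
        print("credentials sent to", u)
    # What the receiving script can read from the header it was handed.
    print(decode_basic(basic_header("micha", "s3cret")))
```

With the challenge at /server-info the computed prefix is "/", so the model sends the header to /tests/php-info.html on the same https origin even though no ACL applies there; a challenge at a deeper path such as /admin/status would cover only /admin/. The decode step is why the plain password reaches whatever module sees the header: the protection lies in the TLS layer (SSLRequireSSL in the thread's config), not in the encoding.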