
Re: [users@httpd] prevent cgi-bin script execution prior to authorization dialog success


Thanks Eric-

This was from an incognito window just to try and avoid that...it's interesting, I think what's going on is that the authorization is working in /var/www/html but isn't doing anything in /usr/lib/cgi-bin....when I disabled the authentication for /var/www/html, now I don't get any authorization dialog when accessing /cgi-bin

-J

On Wed, Aug 15, 2018 at 2:34 AM, Eric Covener <covener@xxxxxxxxx> wrote:
> Here's from the access.log:
> 127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /wormbot/img/icon_delete.png HTTP/1.1" 401 736 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /wormbot/img/icon_download.png HTTP/1.1" 401 736 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /favicon.ico HTTP/1.1" 404 500 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /favicon.ico HTTP/1.1" 404 500 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:51 -0700] "GET /cgi-bin/experimentbrowser HTTP/1.1" 200 3867 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:52 -0700] "GET /wormbot/img/icon_delete.png HTTP/1.1" 401 735 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:52 -0700] "GET /wormbot/img/icon_download.png HTTP/1.1" 401 735 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:58 -0700] "GET /favicon.ico HTTP/1.1" 404 501 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
>

Looks like two page loads 30 seconds apart, but I notice there is no
request for the CGI itself for the first one but requests for the page
elements.
Are you sure there's no browser caching in the way here?  And perhaps
the basic auth credentials are cached for the /cgi-bin/ path but the
browser doesn't send them automatically for the static elements that
don't share a context root?

A private/incognito window, or temporarily logging %{Authorization}i
might clear some things up.

--
/*
Jason Pitt PhD                                   206.616.1193
Kaeberlein Lab                                   jnpitt@xxxxxx
University of Washington
Department of Pathology
Health Sciences Building                    Box 357470
1989 NE Pacific Street
Seattle, WA 98195
*/
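
The pattern visible in the access.log excerpt above (the CGI answered 200 while the static images answered 401, all with `-` in the user field) can be checked mechanically. The following is an added example, not part of the original messages: it parses combined-format log lines and reports 2xx responses under paths expected to require a login that were served with no authenticated user. The function name, the list of protected prefixes and the sample lines (constructed, modeled on the excerpt) are assumptions.

```python
import re

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

# Assumption: URL prefixes the administrator expects to require a login.
PROTECTED_PREFIXES = ("/cgi-bin/", "/wormbot/")


def unauthenticated_successes(lines, prefixes=PROTECTED_PREFIXES):
    """Return (time, path, status) for 2xx responses logged with %u == '-'."""
    findings = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # malformed request line or a different LogFormat
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        status = int(m.group("status"))
        # %u is only meaningful on a successful response; on a 401 it is
        # not trustworthy, so 401 lines are never reported here.
        if (path.startswith(prefixes) and 200 <= status < 300
                and m.group("user") == "-"):
            findings.append((m.group("time"), path, status))
    return findings


# Constructed sample lines modeled on the excerpt in the thread.
UA = '"Mozilla/5.0 (constructed)"'
SAMPLE = [
    '127.0.0.1 - - [14/Aug/2018:19:33:51 -0700] '
    '"GET /cgi-bin/experimentbrowser HTTP/1.1" 200 3867 "-" ' + UA,
    '127.0.0.1 - - [14/Aug/2018:19:33:52 -0700] '
    '"GET /wormbot/img/icon_delete.png HTTP/1.1" 401 735 "-" ' + UA,
    '127.0.0.1 - alice [14/Aug/2018:19:34:10 -0700] '
    '"GET /wormbot/img/icon_delete.png HTTP/1.1" 200 512 "-" ' + UA,
    '127.0.0.1 - - [14/Aug/2018:19:33:58 -0700] '
    '"GET /favicon.ico HTTP/1.1" 404 501 "-" ' + UA,
]

if __name__ == "__main__":
    for when, path, status in unauthenticated_successes(SAMPLE):
        print(f"{when}  {status}  {path}  served without an authenticated user")
```

A hit means the server never asked for credentials for that path, which is a configuration question rather than a browser-cache one.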