views:

296

answers:

2

I've set my ErrorDocument 401 to point to my website's account creation page, but not all browsers seem to honor this redirect (Safari).

Also, other browsers (Firefox, Chrome) never quit asking for the password and show the ErrorDocument. This causes a good number of users to give up trying after many password attempts without seeing the account creation page.

Is there any way to make the redirect more reliable, without trashing basic authentication altogether?

A: 

I suspect that your firefox and safari users are not entering the domain before the username i.e. MYDOMAIN\USERNAME. There are some settings in firefox that will allow pass-through authentication; I don't know about safari.

Josh Pearce
This question is about making the redirect after a login *failure* work reliably, so I don't see how what they enter makes a difference.
bukzor
+3  A: 

The simple answer to your question is no, you can't make this more reliable without implementing custom authentication.

The only way that Firefox and Chrome will display page that you specified in the ErrorDocument 401 directive is if you click cancel button. Also, there is no redirect sent with the 401 HTTP code; rather, it is a content of the document specified with ErrorDocument 401 directive. You can do redirect using HTML meta tag:

<Location "/protected">
    AuthUserFile /path/to/users
    AuthName "This is protected area"
    AuthGroupFile /dev/null
    AuthType Basic
    Require valid-user

    #ErrorDocument 401 /register.html
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=/register.html\"></html>"
</Location>

Possible solutions to your problem are to create custom basic HTTP authentication module or to use language like php that supports basic HTTP authentication hooks

http://php.net/manual/en/features.http-auth.php

Boris
Apache basic authentication is so well-established that I hoped someone had already created and released such a custom module.
bukzor
You can check http://modules.apache.org/. Take a look at the mod_auth_timeout. It may have something similar.
Boris