401 error being generated even when authenticated

Informator

Hey guys,

Not sure if this a PHP problem but anyway...

I have an error script which is called by the server whenever an error occurs. For example, a 404 actually shows error.php?error=404 which then shows a nice message and email me all the details. One problem I've found though is that it sends me the details for a 401 error, even when the error page isn't displayed. So whenever anyone goes to my secure area, enters in their username and password and logs in successfully, I get an email telling me a 401 has occurred. I used the error script from HotScripts, which can be found at

http://www.sabrewebdesign.com/support/scripts/errorpages.php

Thanks!

bretticus

just pull out ErrorDocument 401 /errorpage.php
from your .htaccess page and let Apache handle that error.

bretticus

whoops...in other words, your server will return a 401 just by password protecting your page. Take my advice or modify the PHP to not send you an email on a 401.

Informator

That is a solution certainly, one that I'll do. But surely there must be some way to configure it properly to only return a 401 if there is actually an authentication error? Or is my server misconfigured?

mrhappiness

I bet there is some authentication missing somewhere.

Please post the server log

bretticus

there must be some way to configure it properly to only return a 401 if there is actually an authentication error

Probably, but each time that authentication box even pops up it is the result of a 401. In fact, it seems to me that how many chances you get is entirely up to the browser. In other words, you keep getting 401 status until you provide appropriate credentials or you browser decides to show the actual page content. If you guys figure this one out, I'll be very interested.

gfoot

I think you're just stuck with it. The browser doesn't know it should ask for (or provide) credentials until the server responds to its initial query with a 401, specifying the realm that requires authentication. Then the browser asks the user for credentials for that realm, and resends the request to the server with the credentials attached.

So in short, it's quite normal to get a lot of 401 errors if you've password-protected areas of your site. You could modify your error handler to detect whether people actually entered the wrong credentials (rather than no credentials), if you want to log actual failed logins.

HTTP authentication (basic or digest) is a bit of a hack really.

mrhappiness

Originally posted by Informator
to only return a 401 if there is actually an authentication error

if username/password is required but you don't sepcify one it is in fact an authorization error

bretticus

if username/password is required but you don't sepcify one it is in fact an authorization error

Not on my webserver, it's a 401 all the way through. I still get one to tell my browser to throw up a login prompt even when I put in crendentials afterwards. It will still trigger the error scripts email alert because 401 is the error status his script is checking for. On my server there is no other status when a password is entered in bad or a canceled prompt. Please share your experience if you see different results.

mrhappiness

what does the apache log tell you?

look for lines with a 401 error and post them please

bretticus

I'm very capable of "looking for lines with 401". I am a network administrator for a significant company on the Web afterall. The 401's I mentioned came straight from my apache logs, by the way. If you desire proof, I will post my log, but not now, I'm late for work (should not have checked my email ;-) Why don't you setup a little experiment in the meantime and see for yourself.

bretticus

what does the apache log tell you?

look for lines with a 401 error and post them please

Just dawned on me (now that I'm awake) that you were talking to Informator and not me.

I would be interested to know if Informator sees something different in his (or her) apache logs as well.