From nobody@hyperreal.com Thu Jun 26 14:38:25 1997 Received: (from nobody@localhost) by hyperreal.com (8.8.5/8.8.5) id OAA28954; Thu, 26 Jun 1997 14:38:25 -0700 (PDT) Message-Id: <199706262138.OAA28954@hyperreal.com> Date: Thu, 26 Jun 1997 14:38:25 -0700 (PDT) From: Nathan Neulinger Reply-To: nneul@umr.edu To: apbugs@hyperreal.com Subject: Authentication performed multiple times when searching for directory index X-Send-Pr-Version: 3.2 >Number: 794 >Category: mod_dir >Synopsis: Authentication performed multiple times when searching for directory index >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: closed >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Thu Jun 26 14:40:00 1997 >Last-Modified: Thu Sep 25 00:25:00 PDT 1997 >Originator: nneul@umr.edu >Organization: >Release: 1.2 >Environment: HP-UX 10.2, gcc >Description: Assuming a directory without an index file and DirectoryIndex with about 5 different filenames on it - the page is also protected w/ a password. When attempting to retrieve: "...../thedir/", the server authenticates the userid and password once for every file that is listed in DirectoryIndex even if the file doesn't exist. It seems like the authentication should be performed only if the server is deciding whether or not to send the file, not when it is trying to pick which one to display. This isn't a big deal using htpasswd authentication, but if the authentication is expensive (authenticating to Kerberos/AFS over the network), it gets to be a little too intensive. >How-To-Repeat: >Fix: I haven't looked at that portion of the code, but a simple fix would be, instead of for each file check pass, if OK if file exists send first match to for each file if file exists check if pass ok, if ok send first match That would eliminate some of the unnecessary checks. It wouldn't entirely solve it, but it would help some >Audit-Trail: State-Changed-From-To: open-analyzed State-Changed-By: dgaudet State-Changed-When: Sun Jul 13 20:07:41 PDT 1997 State-Changed-Why: Unfortunately the existance of the directive makes it necessary to sometimes check auth for each sub request. Each file in the directory is a sub request when generating the index. But the code tries to be smart and avoid doing auth unless a section truly applied ... do you have any sections? Dean State-Changed-From-To: analyzed-closed State-Changed-By: dgaudet State-Changed-When: Thu Sep 25 00:25:00 PDT 1997 State-Changed-Why: No response from user ... Dean >Unformatted: