<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
+<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" />
+<!--
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
This file is generated from xml source: DO NOT EDIT
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-->
-<title>mod_auth_form - Apache HTTP Server</title>
+<title>mod_auth_form - Apache HTTP Server Version 2.5</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
-<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
+<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
+<script src="../style/scripts/prettify.min.js" type="text/javascript">
+</script>
+
<link href="../images/favicon.ico" rel="shortcut icon" /></head>
<body>
<div id="page-header">
-<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/
directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
-<p class="apache">Apache HTTP Server Version 2.3</p>
-<img alt="" src="../images/feather.gif" /></div>
+<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/
quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
+<p class="apache">Apache HTTP Server Version 2.5</p>
+<img alt="" src="../images/feather.png" /></div>
<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div>
<div id="path">
-<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.
3</a> > <a href="./">Modules</a></div>
+<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.
5</a> > <a href="./">Modules</a></div>
<div id="page-content">
<div id="preamble"><h1>Apache Module mod_auth_form</h1>
<div class="toplang">
-<p><span>Available Languages: </span><a href="../en/mod/mod_auth_form.html" title="English"> en </a></p>
+<p><span>Available Languages: </span><a href="../en/mod/mod_auth_form.html" title="English"> en </a> |
+<a href="../fr/mod/mod_auth_form.html" hreflang="fr" rel="alternate" title="Français"> fr </a></p>
</div>
<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Form authentication</td></tr>
<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>auth_form_module</td></tr>
-<tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_auth_form.c</td></tr></table>
+<tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_auth_form.c</td></tr>
+<tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.3 and later</td></tr></table>
<h3>Summary</h3>
<div class="warning"><h3>Warning</h3>
<p>Once the user has been successfully authenticated, the user's login
details will be stored in a session provided by <code class="module"><a href="../mod/mod_session.html">mod_session</a></code>.
</p>
-
+
</div>
-<div id="quickview"><h3 class="directives">Directives</h3>
+<div id="quickview"><h3>Topics</h3>
+<ul id="topics">
+<li><img alt="" src="../images/down.gif" /> <a href="#basicconfig">Basic Configuration</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#standalone">Standalone Login</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#inline">Inline Login</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#inlinepreservebody">Inline Login with Body Preservation</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#loggingout">Logging Out</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#urlencoding">Usernames and Passwords</a></li>
+</ul><h3 class="directives">Directives</h3>
<ul id="toc">
<li><img alt="" src="../images/down.gif" /> <a href="#authformauthoritative">AuthFormAuthoritative</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authformbody">AuthFormBody</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authformsize">AuthFormSize</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authformusername">AuthFormUsername</a></li>
</ul>
-<h3>Topics</h3>
-<ul id="topics">
-<li><img alt="" src="../images/down.gif" /> <a href="#basicconfig">Basic Configuration</a></li>
-<li><img alt="" src="../images/down.gif" /> <a href="#standalone">Standalone Login</a></li>
-<li><img alt="" src="../images/down.gif" /> <a href="#inline">Inline Login</a></li>
-<li><img alt="" src="../images/down.gif" /> <a href="#inlinepreservebody">Inline Login with Body Preservation</a></li>
-<li><img alt="" src="../images/down.gif" /> <a href="#loggingout">Logging Out</a></li>
-</ul><h3>See also</h3>
+<h3>Bugfix checklist</h3><ul class="seealso"><li><a href="https://www.apache.org/dist/httpd/CHANGES_2.4">httpd changelog</a></li><li><a href="https://bz.apache.org/bugzilla/buglist.cgi?bug_status=__open__&list_id=144532&product=Apache%20httpd-2&query_format=specific&order=changeddate%20DESC%2Cpriority%2Cbug_severity&component=mod_auth_form">Known issues</a></li><li><a href="https://bz.apache.org/bugzilla/enter_bug.cgi?product=Apache%20httpd-2&component=mod_auth_form">Report a bug</a></li></ul><h3>See also</h3>
<ul class="seealso">
<li><code class="module"><a href="../mod/mod_session.html">mod_session</a></code></li>
<li><code class="directive"><a href="../mod/mod_authn_core.html#authname">AuthName</a></code></li>
<li><code class="directive"><a href="../mod/mod_authn_core.html#authtype">AuthType</a></code></li>
<li><code class="directive"><a href="../mod/mod_authz_core.html#require">Require</a></code></li>
-<li><code class="directive"><a href="../mod/mod_authz_core.html#match">Match</a></code></li>
<li><a href="../howto/auth.html">Authentication howto</a></li>
-</ul></div>
+<li><a href="#comments_section">Comments</a></li></ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="basicconfig" id="basicconfig">Basic Configuration</a></h2>
-
+
<p>To protect a particular URL with <code class="module"><a href="../mod/mod_auth_form.html">mod_auth_form</a></code>, you need to
decide where you will store your <var>session</var>, and you will need to
decide what method you will use to authenticate. In this simple example, the
<code class="module"><a href="../mod/mod_session_cookie.html">mod_session_cookie</a></code>, and authentication will be attempted against
a file using <code class="module"><a href="../mod/mod_authn_file.html">mod_authn_file</a></code>. If authentication is unsuccessful,
the user will be redirected to the form login page.</p>
-
- <div class="example"><h3>Basic example</h3><p><code>
- AuthFormProvider file<br />
- AuthUserFile conf/passwd<br />
- AuthType form<br />
- AuthName realm<br />
- AuthFormLoginRequiredLocation http://example.com/login.html<br />
- Session On<br />
- SessionCookieName session path=/<br />
- SessionCryptoPassphrase secret<br />
- </code></p></div>
-
+
+ <div class="example"><h3>Basic example</h3><pre class="prettyprint lang-config">AuthFormProvider file
+AuthUserFile "conf/passwd"
+AuthType form
+AuthName realm
+AuthFormLoginRequiredLocation "http://example.com/login.html"
+Session On
+SessionCookieName session path=/
+SessionCryptoPassphrase secret</pre>
+</div>
+
<p>The directive <code class="directive"><a href="../mod/mod_authn_core.html#authtype">AuthType</a></code> will enable
the <code class="module"><a href="../mod/mod_auth_form.html">mod_auth_form</a></code> authentication when set to the value <var>form</var>.
The directives <code class="directive"><a href="#authformprovider">AuthFormProvider</a></code> and
<code class="directive"><a href="../mod/mod_authn_file.html#authuserfile">AuthUserFile</a></code> specify that usernames
and passwords should be checked against the chosen file.</p>
- <p>The directives <code class="directive"><a href="../mod/mod_session.html#session">Session</a></code>,
+ <p>The directives <code class="directive"><a href="../mod/mod_session.html#session">Session</a></code>,
<code class="directive"><a href="../mod/mod_session_cookie.html#sessioncookiename">SessionCookieName</a></code> and
<code class="directive"><a href="../mod/mod_session_crypto.html#sessioncryptopassphrase">SessionCryptoPassphrase</a></code> create an
encrypted session stored within an HTTP cookie on the browser. For more information
<p>The login form can be hosted as a standalone page, or can be provided inline on
the same page.</p>
-
+
<p>When configuring the login as a standalone page, unsuccessful authentication
attempts should be redirected to a login form created by the website for this purpose,
using the <code class="directive"><a href="#authformloginrequiredlocation">AuthFormLoginRequiredLocation</a></code>
directive. Typically this login page will contain an HTML form, asking the user to
provide their usename and password.</p>
-
- <div class="example"><h3>Example login form</h3><p><code>
- <form method="POST" action="/dologin.html"><br />
- Username: <input type="text" name="httpd_username" value="" /><br />
- Password: <input type="password" name="httpd_password" value="" /><br />
- <input type="submit" name="login" value="Login" /><br />
- </form><br />
- </code></p></div>
+
+ <div class="example"><h3>Example login form</h3><pre class="prettyprint lang-html"><form method="POST" action="/dologin.html">
+ Username: <input type="text" name="httpd_username" value="" />
+ Password: <input type="password" name="httpd_password" value="" />
+ <input type="submit" name="login" value="Login" />
+</form></pre>
+</div>
<p>The part that does the actual login is handled by the <var>form-login-handler</var>.
The action of the form should point at this handler, which is configured within
Apache httpd as follows:</p>
-
- <div class="example"><h3>Form login handler example</h3><p><code>
- <Location /dologin.html>
- <span class="indent">
- SetHandler form-login-handler<br />
- AuthFormLoginRequiredLocation http://example.com/login.html<br />
- AuthFormLoginSuccessLocation http://example.com/success.html<br />
- AuthFormProvider file<br />
- AuthUserFile conf/passwd<br />
- AuthType form<br />
- AuthName realm<br />
- Session On<br />
- SessionCookieName session path=/<br />
- SessionCryptoPassphrase secret<br />
- </span>
- </Location>
- </code></p></div>
+
+ <div class="example"><h3>Form login handler example</h3><pre class="prettyprint lang-config"><Location "/dologin.html">
+ SetHandler form-login-handler
+ AuthFormLoginRequiredLocation "http://example.com/login.html"
+ AuthFormLoginSuccessLocation "http://example.com/success.html"
+ AuthFormProvider file
+ AuthUserFile "conf/passwd"
+ AuthType form
+ AuthName realm
+ Session On
+ SessionCookieName session path=/
+ SessionCryptoPassphrase secret
+</Location></pre>
+</div>
<p>The URLs specified by the
<code class="directive"><a href="#authformloginrequiredlocation">AuthFormLoginRequiredLocation</a></code> directive will typically
point to a page explaining to the user that their login attempt was unsuccessful, and they
should try again. The <code class="directive"><a href="#authformloginsuccesslocation">AuthFormLoginSuccessLocation</a></code>
directive specifies the URL the user should be redirected to upon successful login.</p>
-
+
<p>Alternatively, the URL to redirect the user to on success can be embedded within the login
form, as in the example below. As a result, the same <var>form-login-handler</var> can be
reused for different areas of a website.</p>
- <div class="example"><h3>Example login form with location</h3><p><code>
- <form method="POST" action="/dologin.html"><br />
- <span class="indent">
- Username: <input type="text" name="httpd_username" value="" /><br />
- Password: <input type="password" name="httpd_password" value="" /><br />
- <input type="submit" name="login" value="Login" /><br />
- <input type="hidden" name="httpd_location" value="http://example.com/success.html" /><br />
- </span>
- </form><br />
- </code></p></div>
+ <div class="example"><h3>Example login form with location</h3><pre class="prettyprint lang-html"><form method="POST" action="/dologin.html">
+ Username: <input type="text" name="httpd_username" value="" />
+ Password: <input type="password" name="httpd_password" value="" />
+ <input type="submit" name="login" value="Login" />
+ <input type="hidden" name="httpd_location" value="http://example.com/success.html" />
+</form></pre>
+</div>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="inline" id="inline">Inline Login</a></h2>
-
+
<div class="warning"><h3>Warning</h3>
- <p>A risk exists that under certain circumstances, the login form configured
+ <p>A risk exists that under certain circumstances, the login form configured
using inline login may be submitted more than once, revealing login credentials to
the application running underneath. The administrator must ensure that the underlying
application is properly secured to prevent abuse. If in doubt, use the
<code class="directive"><a href="#authformloginrequiredlocation">AuthFormLoginRequiredLocation</a></code> directive,
a <var>HTTP_UNAUTHORIZED</var> status code is returned to the browser indicating to the user
that they are not authorized to view the page.</p>
-
+
<p>To configure inline authentication, the administrator overrides the error document
returned by the <var>HTTP_UNAUTHORIZED</var> status code with a custom error document
containing the login form, as follows:</p>
- <div class="example"><h3>Basic inline example</h3><p><code>
- AuthFormProvider file<br />
- <strong>ErrorDocument 401 /login.shtml</strong><br />
- AuthUserFile conf/passwd<br />
- AuthType form<br />
- AuthName realm<br />
- AuthFormLoginRequiredLocation http://example.com/login.html<br />
- Session On<br />
- SessionCookieName session path=/<br />
- SessionCryptoPassphrase secret<br />
- </code></p></div>
-
+ <div class="example"><h3>Basic inline example</h3><pre class="prettyprint lang-config">AuthFormProvider file
+ErrorDocument 401 "/login.shtml"
+AuthUserFile "conf/passwd"
+AuthType form
+AuthName realm
+AuthFormLoginRequiredLocation "http://example.com/login.html"
+Session On
+SessionCookieName session path=/
+SessionCryptoPassphrase secret</pre>
+</div>
+
<p>The error document page should contain a login form with an empty action property,
as per the example below. This has the effect of submitting the form to
the original protected URL, without the page having to know what that
URL is.</p>
- <div class="example"><h3>Example inline login form</h3><p><code>
- <form method="POST" <strong>action=""</strong>><br />
- <span class="indent">
- Username: <input type="text" name="httpd_username" value="" /><br />
- Password: <input type="password" name="httpd_password" value="" /><br />
- <input type="submit" name="login" value="Login" /><br />
- </span>
- </form><br />
- </code></p></div>
+ <div class="example"><h3>Example inline login form</h3><pre class="prettyprint lang-html"><form method="POST" <strong>action=""</strong>>
+ Username: <input type="text" name="httpd_username" value="" />
+ Password: <input type="password" name="httpd_password" value="" />
+ <input type="submit" name="login" value="Login" />
+</form></pre>
+</div>
<p>When the end user has filled in their login details, the form will make
an HTTP POST request to the original password protected URL.
<p>To enable body preservation, add three additional fields to the login form as
per the example below.</p>
- <div class="example"><h3>Example with body preservation</h3><p><code>
- <form method="POST" action=""><br />
- <span class="indent">
- Username: <input type="text" name="httpd_username" value="" /><br />
- Password: <input type="password" name="httpd_password" value="" /><br />
- <input type="submit" name="login" value="Login" /><br />
- <strong><input type="hidden" name="httpd_method" value="POST" /><br />
- <input type="hidden" name="httpd_mimetype" value="application/x-www-form-urlencoded" /><br />
- <input type="hidden" name="httpd_body" value="name1=value1&name2=value2" /></strong><br />
- </span>
- </form>
- </code></p></div>
+ <div class="example"><h3>Example with body preservation</h3><pre class="prettyprint lang-html"><form method="POST" action="">
+ Username: <input type="text" name="httpd_username" value="" />
+ Password: <input type="password" name="httpd_password" value="" />
+ <input type="submit" name="login" value="Login" />
+ <br /> <strong><input type="hidden" name="httpd_method" value="POST" />
+ <input type="hidden" name="httpd_mimetype" value="application/x-www-form-urlencoded" />
+ <input type="hidden" name="httpd_body" value="name1=value1&name2=value2" /></strong><br />
+</form></pre>
+</div>
<p>How the method, mimetype and body of the original request are embedded within the
login form will depend on the platform and technology being used within the website.
</p>
<p>One option is to use the <code class="module"><a href="../mod/mod_include.html">mod_include</a></code> module along with the
- <code class="directive"><a href="../mod/core.html#keptbodysize">KeptBodySize</a></code> directive, along with a suitable
+ <code class="directive"><a href="../mod/mod_request.html#keptbodysize">KeptBodySize</a></code> directive, along with a suitable
CGI script to embed the variables in the form.</p>
-
+
<p>Another option is to render the login form using a CGI script or other dynamic
technology.</p>
- <div class="example"><h3>CGI example</h3><p><code>
- AuthFormProvider file<br />
- <strong>ErrorDocument 401 /cgi-bin/login.cgi</strong><br />
- ...<br />
- </code></p></div>
+ <div class="example"><h3>CGI example</h3><pre class="prettyprint lang-config"> AuthFormProvider file
+ ErrorDocument 401 "/cgi-bin/login.cgi"
+ ...</pre>
+</div>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
logout. This URL might explain to the user that they have been logged out, and
give the user the option to log in again.</p>
- <div class="example"><h3>Basic logout example</h3><p><code>
- SetHandler form-logout-handler<br />
- AuthName realm<br />
- AuthFormLogoutLocation http://example.com/loggedout.html<br />
- Session On<br />
- SessionCookieName session path=/<br />
- SessionCryptoPassphrase secret<br />
- </code></p></div>
+ <div class="example"><h3>Basic logout example</h3><pre class="prettyprint lang-config">SetHandler form-logout-handler
+AuthName realm
+AuthFormLogoutLocation "http://example.com/loggedout.html"
+Session On
+SessionCookieName session path=/
+SessionCryptoPassphrase secret</pre>
+</div>
<p>Note that logging a user out does not delete the session; it merely removes
the username and password from the session. If this results in an empty session,
value, like 1 (setting the directive to zero would mean no session age limit).
</p>
- <div class="example"><h3>Basic session expiry example</h3><p><code>
- SetHandler form-logout-handler<br />
- AuthFormLogoutLocation http://example.com/loggedout.html<br />
- Session On<br />
- SessionMaxAge 1<br />
- SessionCookieName session path=/<br />
- SessionCryptoPassphrase secret<br />
- </code></p></div>
+ <div class="example"><h3>Basic session expiry example</h3><pre class="prettyprint lang-config">SetHandler form-logout-handler
+AuthFormLogoutLocation "http://example.com/loggedout.html"
+Session On
+SessionMaxAge 1
+SessionCookieName session path=/
+SessionCryptoPassphrase secret</pre>
+</div>
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="urlencoding" id="urlencoding">Usernames and Passwords</a></h2>
+ <p>Note that form submission involves URLEncoding the form data:
+ in this case the username and password. You should therefore
+ pick usernames and passwords that avoid characters that are
+ URLencoded in form submission, or you may get unexpected results.</p>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="AuthFormAuthoritative" id="AuthFormAuthoritative">AuthFormAuthoritative</a> <a name="authformauthoritative" id="authformauthoritative">Directive</a></h2>
to submit should login be successful.</p>
<p>By populating the form with fields described by
- <code class="directive"><a href="#authformmethod">AuthFormMethod</a></code>,
+ <code class="directive"><a href="#authformmethod">AuthFormMethod</a></code>,
<code class="directive"><a href="#authformmimetype">AuthFormMimetype</a></code> and
<code class="directive"><a href="#authformbody">AuthFormBody</a></code>, a website can retry
a request that may have been interrupted by the login screen, or by a session
<p>The <code class="directive"><a href="#authformdisablenostore">AuthFormDisableNoStore</a></code> flag
disables the sending of a <code>Cache-Control no-store</code> header with the
error 401 page returned when the user is not yet logged in. The purpose of the header
- is to make it difficult for an ecmascript application to attempt to resubmit the
+ is to make it difficult for an <code>ecmascript</code> application to attempt to resubmit the
login form, and reveal the username and password to the backend application. Disable
at your own risk.</p>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_auth_form</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache HTTP Server 2.3.0 and later</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache HTTP Server 2.3.0 and later. The use of the expression
+parser has been added in 2.4.4.</td></tr>
</table>
<p>The <code class="directive"><a href="#authformloginrequiredlocation">AuthFormLoginRequiredLocation</a></code> directive
- specifies the URL to redirect to should the user not be authorised to view a page. By default,
- if a user is not authorised to view a page, the HTTP response code <code>HTTP_UNAUTHORIZED</code>
- will be returned with the page specified by the
+ specifies the URL to redirect to should the user not be authorised to view a page. The value
+ is parsed using the <a href="../expr.html">ap_expr</a> parser before being sent to the client.
+ By default, if a user is not authorised to view a page, the HTTP response code
+ <code>HTTP_UNAUTHORIZED</code> will be returned with the page specified by the
<code class="directive"><a href="../mod/core.html#errordocument">ErrorDocument</a></code> directive. This directive overrides this
default.</p>
-
+
<p>Use this directive if you have a dedicated login page to redirect users to.</p>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_auth_form</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache HTTP Server 2.3.0 and later</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache HTTP Server 2.3.0 and later. The use of the expression
+parser has been added in 2.4.4.</td></tr>
</table>
<p>The <code class="directive"><a href="#authformloginsuccesslocation">AuthFormLoginSuccessLocation</a></code> directive
- specifies the URL to redirect to should the user have logged in successfully. This directive
- can be overridden if a form field has been defined containing another URL using the
- <code class="directive"><a href="#authformlocation">AuthFormLocation</a></code> directive.</p>
-
+ specifies the URL to redirect to should the user have logged in successfully. The value is
+ parsed using the <a href="../expr.html">ap_expr</a> parser before being sent to the client.
+ This directive can be overridden if a form field has been defined containing another URL
+ using the <code class="directive"><a href="#authformlocation">AuthFormLocation</a></code> directive.</p>
+
<p>Use this directive if you have a dedicated login URL, and you have not embedded the
destination page in the login form.</p>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_auth_form</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache HTTP Server 2.3.0 and later</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache HTTP Server 2.3.0 and later. The use of the expression
+parser has been added in 2.4.4.</td></tr>
</table>
<p>The <code class="directive"><a href="#authformlogoutlocation">AuthFormLogoutLocation</a></code> directive
- specifies the URL of a page on the server to redirect to should the user attempt to log out.</p>
+ specifies the URL of a page on the server to redirect to should the user attempt to log
+ out. The value is parsed using the <a href="../expr.html">ap_expr</a> parser before
+ being sent to the client.</p>
<p>When a URI is accessed that is served by the handler <code>form-logout-handler</code>,
the page specified by this directive will be shown to the end user. For example:</p>
-
- <div class="example"><h3>Example</h3><p><code>
- <Location /logout><br />
- <span class="indent">
- SetHandler form-logout-handler<br />
- AuthFormLogoutLocation http://example.com/loggedout.html<br />
- Session on<br />
- ...
- </span>
- </Location>
- </code></p></div>
-
+
+ <div class="example"><h3>Example</h3><pre class="prettyprint lang-config"><Location "/logout">
+ SetHandler form-logout-handler
+ AuthFormLogoutLocation "http://example.com/loggedout.html"
+ Session on
+ #...
+</Location></pre>
+</div>
+
<p>An attempt to access the URI <var>/logout/</var> will result in the user being logged
out, and the page <var>/loggedout.html</var> will be displayed. Make sure that the page
<var>loggedout.html</var> is not password protected, otherwise the page will not be
<p>The <code class="directive"><a href="#authformmethod">AuthFormMethod</a></code> directive specifies
the name of an HTML field which, if present, will contain the method of the request to
to submit should login be successful.</p>
-
+
<p>By populating the form with fields described by
- <code class="directive"><a href="#authformmethod">AuthFormMethod</a></code>,
+ <code class="directive"><a href="#authformmethod">AuthFormMethod</a></code>,
<code class="directive"><a href="#authformmimetype">AuthFormMimetype</a></code> and
<code class="directive"><a href="#authformbody">AuthFormBody</a></code>, a website can retry
a request that may have been interrupted by the login screen, or by a session
</table>
<p>The <code class="directive"><a href="#authformmethod">AuthFormMethod</a></code> directive specifies
the name of an HTML field which, if present, will contain the
- mimetype of the request to to submit should login be successful.</p>
+ mimetype of the request to submit should login be successful.</p>
<p>By populating the form with fields described by
- <code class="directive"><a href="#authformmethod">AuthFormMethod</a></code>,
+ <code class="directive"><a href="#authformmethod">AuthFormMethod</a></code>,
<code class="directive"><a href="#authformmimetype">AuthFormMimetype</a></code> and
<code class="directive"><a href="#authformbody">AuthFormBody</a></code>, a website can retry
a request that may have been interrupted by the login screen, or by a session
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_auth_form</td></tr>
</table>
- <p>The <code class="directive">AuthFormProvider</code> directive sets
+ <p>The <code class="directive">AuthFormProvider</code> directive sets
which provider is used to authenticate the users for this location.
The default <code>file</code> provider is implemented
by the <code class="module"><a href="../mod/mod_authn_file.html">mod_authn_file</a></code> module. Make sure
that the chosen provider module is present in the server.</p>
- <div class="example"><h3>Example</h3><p><code>
- <Location /secure><br />
- <span class="indent">
- AuthType form<br />
- AuthName "private area"<br />
- AuthFormProvider dbm<br />
- AuthDBMType SDBM<br />
- AuthDBMUserFile /www/etc/dbmpasswd<br />
- Require valid-user<br />
- ...<br />
- </span>
- </Location>
- </code></p></div>
+ <div class="example"><h3>Example</h3><pre class="prettyprint lang-config"><Location "/secure">
+ AuthType form
+ AuthName "private area"
+ AuthFormProvider dbm
+ AuthDBMType SDBM
+ AuthDBMUserFile "/www/etc/dbmpasswd"
+ Require valid-user
+ #...
+</Location></pre>
+</div>
<p>Providers are implemented by <code class="module"><a href="../mod/mod_authn_dbm.html">mod_authn_dbm</a></code>,
<code class="module"><a href="../mod/mod_authn_file.html">mod_authn_file</a></code>, <code class="module"><a href="../mod/mod_authn_dbd.html">mod_authn_dbd</a></code>,
- and <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code>.</p>
+ <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> and <code class="module"><a href="../mod/mod_authn_socache.html">mod_authn_socache</a></code>.</p>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
specifies a passphrase which, if present in the user session, causes Apache httpd to
bypass authentication checks for the given URL. It can be used on high traffic websites
to reduce the load induced on authentication infrastructure.</p>
-
+
<p>The passphrase can be inserted into a user session by adding this directive to the
configuration for the <var>form-login-handler</var>. The <var>form-login-handler</var>
itself will always run the authentication checks, regardless of whether a passphrase
<div class="directive-section"><h2><a name="AuthFormSize" id="AuthFormSize">AuthFormSize</a> <a name="authformsize" id="authformsize">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>The largest size of the form in bytes that will be parsed for the login details</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthFormBody <var>size</var></code></td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthFormSize <var>size</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>8192</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
</table>
<p>The <code class="directive"><a href="#authformsize">AuthFormSize</a></code> directive specifies
the maximum size of the body of the request that will be parsed to find the login form.</p>
-
+
<p>If a login request arrives that exceeds this size, the whole request will be aborted
with the HTTP response code <code>HTTP_REQUEST_TOO_LARGE</code>.</p>
<p>If you have populated the form with fields described by
- <code class="directive"><a href="#authformmethod">AuthFormMethod</a></code>,
+ <code class="directive"><a href="#authformmethod">AuthFormMethod</a></code>,
<code class="directive"><a href="#authformmimetype">AuthFormMimetype</a></code> and
<code class="directive"><a href="#authformbody">AuthFormBody</a></code>, you probably want to set this
- field to a similar size as the <code class="directive"><a href="../mod/core.html#keptbodysize">KeptBodySize</a></code>
+ field to a similar size as the <code class="directive"><a href="../mod/mod_request.html#keptbodysize">KeptBodySize</a></code>
directive.</p>
</div>
</div>
<div class="bottomlang">
-<p><span>Available Languages: </span><a href="../en/mod/mod_auth_form.html" title="English"> en </a></p>
-</div><div id="footer">
-<p class="apache">Copyright 2010 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
-<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div>
+<p><span>Available Languages: </span><a href="../en/mod/mod_auth_form.html" title="English"> en </a> |
+<a href="../fr/mod/mod_auth_form.html" hreflang="fr" rel="alternate" title="Français"> fr </a></p>
+</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div>
+<script type="text/javascript"><!--//--><![CDATA[//><!--
+var comments_shortname = 'httpd';
+var comments_identifier = 'http://httpd.apache.org/docs/trunk/mod/mod_auth_form.html';
+(function(w, d) {
+ if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
+ d.write('<div id="comments_thread"><\/div>');
+ var s = d.createElement('script');
+ s.type = 'text/javascript';
+ s.async = true;
+ s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
+ (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
+ }
+ else {
+ d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
+ }
+})(window, document);
+//--><!]]></script></div><div id="footer">
+<p class="apache">Copyright 2016 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
+<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
+if (typeof(prettyPrint) !== 'undefined') {
+ prettyPrint();
+}
+//--><!]]></script>
</body></html>
\ No newline at end of file
projects / apache / blobdiff