Home page logo

basics logo Security Basics mailing list archives

False (?) 401 errors messages
From: "Jon Mark Allen" <jonmark () allensonthe net>
Date: Wed, 17 Dec 2003 10:34:28 -0600

I've written a custom 401 error page (using php) to notify me (via email) when someone fails to authenticate to a 
secure website I'm managing.  The only problem is that I get an email for _every_ access — not just the ones that fail.

The secure/protected portion of the site is forced over https.  The only script that sends me this email is the 401 
error page, yet when I log in, I see the correct page but still get an email!  I've run a sniffer on my client when I 
accessed the page, but of course since it's over https, that doesn't help much.  I do see a few packets to the effect of
 Protocol: TLS, Packet Body: Encrypted Alert (21)

I've searched google (briefly) for this and haven't found anything.

Also, my .htaccess file looks something like this:

AuthType Basic
AuthName "authName"
AuthUserFile /<path outside of user-accessible space>/passwd

require valid-user
RequireSSL on

ErrorDocument 401 /<local path outside of protected space>/401.php

If you really want to see what the 401.php file looks like, I can send it, but I really don't think that's the problem. 
 The question is _why_ it's being called in the first place??

Thanks again for all your help!

Jon Mark


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]