author simon <simon@cda61777-01e9-0310-a592-d414129be87e>
Wed, 5 Nov 2008 08:02:44 +0000 (08:02 +0000)
committer simon <simon@cda61777-01e9-0310-a592-d414129be87e>
Wed, 5 Nov 2008 08:02:44 +0000 (08:02 +0000)

If we're in HTTP Basic authentication mode, it's vital to return 401
for _any_ failed authentication, because that's what causes the
browser to give you a repeat password prompt. If we ever return 403,
the browser will _remember_ your wrong password, and give you 403
again the next time without letting you have a chance to
reauthenticate.

git-svn-id: svn://svn.tartarus.org/sgt/agedu@8280 cda61777-01e9-0310-a592-d414129be87e

httpd.c

diff --git a/httpd.c b/httpd.c
index 8087a28..dfb17b7 100644 (file)
--- a/httpd.c
+++ b/httpd.c
@@ -278,10 +278,10 @@ char *got_data(struct connctx *ctx, char *data, int length,
        }
 
        if (!magic_access && !auth_correct) {
-           if (auth_string && !auth_provided) {
+           if (auth_string) {
                ret = http_error("401", "Unauthorized",
                                 "WWW-Authenticate: Basic realm=\""PNAME"\"\r",
-                                "\nPlease authenticate to view these pages.");
+                                "\nYou must authenticate to view these pages.");
            } else {
                ret = http_error("403", "Forbidden", NULL,
                                 "This is a restricted-access set of pages.");
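
Review bot: The new `if (auth_string)` condition has no comment saying why a request with wrong credentials must still get 401 rather than 403, so the dropped `!auth_provided` test looks like an oversight and could be put back by a later cleanup. A one-line comment above the condition, recording that browsers only re-prompt for a password on 401, would keep the reasoning next to the code instead of only in the commit message. Two smaller points from the same lines: if `auth_provided` is not read anywhere else in `got_data`, it is now dead and can be removed; and the CRLF that ends the `WWW-Authenticate` header is split between the trailing `\r` of the header argument and the leading `\n` of the body text edited here, which is easy to break when rewording the message, so it would be more robust for `http_error` to append the line ending itself.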