Authentication error or maybe it isn't? - no user/password was provided
Maxim Dounin
mdounin at mdounin.ru
Mon Oct 21 11:53:46 UTC 2013
Hello!
On Sun, Oct 20, 2013 at 05:17:37PM -0400, B.R. wrote:
> It's something a lot of people are bumping on.
>
> 401 HTTP covers both failed and missing authentication, but isn't it possible
> for Nginx to differentiate those states and thus only generate an error
> message on a failed (i.e. not empty credentials, either user or password
> containing something) attempt?
> That would make the error log more efficient as parsing it would provide
> more directly failed attempt to access a particular resource.
>
> Is it the standard way of doing things or is it your own?
> Are there some use cases or reasons against differentiating 401 answers?

The difference is already here.

The message "no user/password was provided for basic
authentication", as in original message, means exactly that: there
are no credentials provided.

On failed authentication, the "user ...: password mismatch"
message is logged. On unknown user, the "user ... was not
found in ..." message is logged.

It might make sense to downgrade the "no user/password ..."
message severity. Not sure though.

--
Maxim Dounin
http://nginx.org/en/donation.html