DevHeads.net

SSI conditionals AFTER apache auth?

Evening everyone,

I'm trying to make it so that only certain elements on a web page are
visible to users logged in, and are otherwise not displayed using
mod_include flow control
<https://httpd.apache.org/docs/current/mod/mod_include.html#flowctrl>.
The only way I've been able to do that so far is to detect the cookie
that the apache auth sets, which works sort of. Of course if I just
manually set the cookie in my browser then the stuff shows and just
confuses the whole setup I put. I know from reading the docs that
%{REMOTE_USER} isn't exposed to these conditionals due to the order of
operations. However, it'd be super-cool if it WERE. I know that filter
processing can be tweaked to a degree with mod_filter, so I'm wondering
if I can instruct apache to process authentication ahead of mod_include?
I couldn't find anything directly saying yes or no, so figured I'd see
if anyone on here knew one way or the other, or see if anyone had any
other suggestions for accomplishing what I'm looking for.

Appreciate your help!

Comments

Re: SSI conditionals AFTER apache auth?

By Eric Covener at 11/14/2017 - 06:42

On Mon, Nov 13, 2017 at 8:28 PM, Adam Vest
<adam. ... at vestfarms dot com.invalid> wrote:
That is surprising, an output filter like mod_include should not have
those limitations about variables being accessed "too early" like in
<if> because it is fundamentally evaluated so late.

Are you sure your user checking syntax was right? You can test outside
of SSI with Header set Foo SUCCESS expr="..." as a sanity check.

I was going to suggest using mod_session but I don't think it is any
safer if you access its cookie directly and I don't think there is
mod_session / expression integration.h