Feature #320
closedmod_fastcgi authorizer support behaves incorrectly with Status: 200
Description
When a fastcgi Authorizer emits the header "Status: 200\r\n\r\n" lighttpd returns a 403 to the client instead of authorizing the request.
The temporary workaround is to emit any other header, such as "Content-Type: text/html\r\n\r\n", this however does not help those of us trying to use fastcgis on multiple server implementations.
-- cpisto
Updated by maherb almost 18 years ago
I experienced the same problem. I think lighttpd ignores the "Status: " header and only looks at the Status-Line per rfc 1945 whose production looks like this:
Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF
So, if you change your FCGI application to emit something like this:
{{{HTTP/1.x 200 OK\r\n\r\n}}}I bet it will work.
Updated by Anonymous over 16 years ago
The default status is 200 according to the docs, so you should not send anything on success - only on auth failure.
See:
http://trac.lighttpd.net/trac/wiki/Docs%3AModFastCGI#skeleton-for-remote-authorizer
According to the fcgi specs the authorizer application should send a Status: 200 on success. In agreement with the specs, I must say I would feel much more comfortable if the authorizer app had to send an explicit OK rather than accepting anything that's explicitly not an error. It's just the wrong way around to me.
I'm not sure if its the Perl lib i use or lighty who is the problem.
-- Mikael Lirbank
Updated by stbuehler about 13 years ago
- Status changed from New to Invalid
- Assignee deleted (
jan) - Missing in 1.5.x set to No
I just tested with a modified source:branches/lighttpd-1.4.x/tests/fcgi-auth.c - and it works (CGI expects a Status: header, not a http status line).
Also available in: Atom