
Once authenticated the HTTP 1.1 Authorization header is sent with every request to every resource within domain

I am encountering a situation whereby an HTTP 1.1 Authorization header is sent to every resource under a given domain, even though the initial 401 Authentication response by which the authorization information is requested contains a realm associated with a specific resource on the server.

I understand from the HTTP 1.1 spec that a browser can pre-emptively send the Authorization header to a resource for which it has already authenticated:

"A client MAY preemptively send the corresponding Authorization header with requests for resources in that space without receipt of another challenge from the server." (http://www.ietf.org/rfc/rfc2617.txt)

However, it would appear the browser is pre-empting every resource under the domain with the Authorization header.

I have experienced this behaviour for the domain and resources in question whilst using Opera 11.1, IE[7,8], Firefox 3.x which leaves me feeling confident (although not 100%) this is not a browser bug.

It is worth mentioning that the server presents the resource associated with the realm in question as virtual, managed by the 'Alias' directive under Apache 2.0; thus for protected resource '/x' the Apache configuration is:

Alias /x "/absolute/linux/filesystem/path"

<Directory "/absolute/linux/filesystem/path">
...
AuthName     "y"
AuthType Basic
...
</Directory>

I have one completely unsupported theory where the issue is related to the fact that '/x' is presented by Apache as a virtual resource. I wonder if somehow this ends up mapping the realm to '/' instead of '/x'. I draw this conclusion from the fact that the browser is pre-empting the Authorization header to every resource.

I would be grateful if someone could point me in the right direction as it's likely I have misconfigured something in my setup.

In the interests of brevity I have omitted certain information (e.g. module versions et al.); if required, please ask and I will be more than happy to provide it.

Thanks for reading.

Chris
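As an added illustration (not from the question or the linked mailing-list thread), the following Python models the client-side rule in RFC 2617 section 2 for Basic auth: after a 401, a client treats every path at or deeper than the directory of the challenged request path as part of the same protection space, so a challenge on "/x" (no trailing slash) covers the whole origin while a challenge on "/x/" covers only that subtree. The host example.com is a constructed placeholder; the realm "y" and path "/x" come from the question.

```python
"""Model of the RFC 2617 (Basic) protection-space heuristic a client applies."""
import posixpath
from urllib.parse import urlsplit


def protection_space_root(path: str) -> str:
    """Return the root of the protection space implied by a challenged path.

    RFC 2617 section 2: paths at or deeper than the depth of the last symbolic
    element of the request path are assumed to share the realm. In practice
    this is the "directory" of the challenged path, so "/x/" keeps "/x/" but
    "/x" collapses to "/" and covers every resource on the origin.
    """
    if not path.startswith("/"):
        path = "/" + path
    root = posixpath.dirname(path)  # dirname("/x") == "/", dirname("/x/") == "/x"
    return root if root.endswith("/") else root + "/"


class BasicAuthCache:
    """Remembers which (origin, realm) pairs cover which path roots."""

    def __init__(self) -> None:
        self.spaces: dict[tuple, set[str]] = {}

    @staticmethod
    def _origin(url: str) -> tuple:
        u = urlsplit(url)
        return (u.scheme, u.hostname, u.port)

    def on_challenge(self, url: str, realm: str) -> str:
        """Record a 401 challenge for url/realm; return the derived root."""
        root = protection_space_root(urlsplit(url).path or "/")
        self.spaces.setdefault((self._origin(url), realm), set()).add(root)
        return root

    def sends_preemptively(self, url: str) -> bool:
        """Would a conforming client attach Authorization to this request?"""
        origin, path = self._origin(url), (urlsplit(url).path or "/")
        return any(path.startswith(root)
                   for (o, _realm), roots in self.spaces.items() if o == origin
                   for root in roots)


if __name__ == "__main__":
    for challenged in ("http://example.com/x", "http://example.com/x/"):
        cache = BasicAuthCache()
        root = cache.on_challenge(challenged, "y")
        probe = "http://example.com/other"
        print(f"401 on {challenged}: root={root!r}, "
              f"credentials sent to {probe}: {cache.sends_preemptively(probe)}")
```

Run it to compare both cases: a challenge answered on the slashless alias path yields root "/", which matches the "every resource under the domain" behaviour described above, whereas a challenge on "/x/" restricts preemptive sending to that subtree.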


Answered on Apache user mailing list here: http://httpd.markmail.org/search/?q=HTTP%201.1%20Authentication#query:HTTP%201.1%20Authentication+page:1+mid:vrkhnxuhynchdmp5+state:results

