Return 401 on expired/missing session?

Takeshi NISHIMURA takeshi at
Thu Aug 2 23:46:07 EDT 2018

Thanks Scott. I remember.

On 2018/08/03 1:26, Cantor, Scott wrote:
>> No, it is 2.2 on CentOS 6.
> That would account for the difference.
>> Furthermore, on 2.4, customizing that page using access="accessError.html"
>> in <Errors> seems to be broken.
> It again has to do with the fact that it's not the SP itself actually responding with that status code, so it's not broken, it's just impossible to do it there, at least if you're talking about the require rules. If the status page or things like that aren't working the same way, then it's probably not intentional, or at least not understood why it changed. But I definitely know why the main authz logic is different in 2.4, the APIs are very different because of the module stacking support.
> It's always better to do this in Apache anyway, most of those features were an IIS thing, and even IIS can do this better itself now.
> -- Scott

More information about the users mailing list