I'm running into a problem that, by all indications, should not be happening [isn't that always the case with a problem? ;) ] I'm trying to create a CGI program that will do it's own authorization. Working from an example, if the current request does not contain "credentials", then I should set the status to 401 and the "www-authenticate" header to "basic realm=somwhere". This should cause the browser to re-try the request with the addition of an "Authorization: <encoded value>" header. Sure enough, if I see that the AUTH_TYPE environment variable is blank or non-existant, (which causes my program to generate a 401 response), watching this with a sniffer shows that the browser does indeed retriy with the authorization header -- so far, so good... However, since the httpd.conf or .htaccess file does NOT indicate "authtype", "authname", and "require <userlist>", then the server seems to be IGNORING the information passed along in the authorization tag and calls my cgi program without having set the AUTH_TYPE and REMOTE_USER variables. Without those "credentials", my program regenerates the 401 request... What do I need to do to cause the server to pass along the auth type/user/password values to the underlying CGI program? I see a similar example using PHP in which certain PHP variables are set, however I'm not using PHP for this application. -- Yet another Blog: http://osnut.homelinux.net