mod_authn_core: note that modern browsers no longer display AuthName realm (Bug 69326)

author Rich Bowen <rbowen@apache.org>

Sat, 2 May 2026 22:37:26 +0000 (22:37 +0000)

committer Rich Bowen <rbowen@apache.org>

Sat, 2 May 2026 22:37:26 +0000 (22:37 +0000)
author Rich Bowen <rbowen@apache.org>
Sat, 2 May 2026 22:37:26 +0000 (22:37 +0000)
committer Rich Bowen <rbowen@apache.org>
Sat, 2 May 2026 22:37:26 +0000 (22:37 +0000)
diff --git a/docs/manual/mod/mod_authn_core.xml b/docs/manual/mod/mod_authn_core.xml

index 3891a00b94eb4767d97a5c667886532bfc34f051..47d9d5b66d4d8b30943af823b3a59bf36029297b 100644 (file)
--- a/docs/manual/mod/mod_authn_core.xml
+++ b/docs/manual/mod/mod_authn_core.xml
@@ -139,8 +139,12 @@ authentication</description>
       AuthName "Top Secret"
     </highlight>
  
-    <p>The string provided for the <code>AuthName</code> is what will
-    appear in the password dialog provided by most browsers.</p>
+    <p>The string provided for the <code>AuthName</code> was
+    historically displayed in the password dialog provided by
+    browsers. Most modern browsers no longer show the realm
+    string, as it could be abused for phishing. The directive
+    is still required for HTTP authentication to function, and
+    the realm value is still used to scope credentials.</p>
  
      <p>From 2.5.0, <a href="../expr.html">expression syntax</a> can be
      used inside the directive to produce the name dynamically.</p>
author	Rich Bowen <rbowen@apache.org>
	Sat, 2 May 2026 22:37:26 +0000 (22:37 +0000)
committer	Rich Bowen <rbowen@apache.org>
	Sat, 2 May 2026 22:37:26 +0000 (22:37 +0000)