From: Rich Bowen <rbowen@apache.org>
Date: Sat, 2 May 2026 22:37:26 +0000 (+0000)
Subject: mod_authn_core: note that modern browsers no longer display AuthName realm (Bug 69326)
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ad4eb56d1d977c020be5a9a35d564be0d0af7b1c;p=thirdparty%2Fapache%2Fhttpd.git

mod_authn_core: note that modern browsers no longer display AuthName realm (Bug 69326)

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1933751 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/manual/mod/mod_authn_core.xml b/docs/manual/mod/mod_authn_core.xml
index 3891a00b94..47d9d5b66d 100644
--- a/docs/manual/mod/mod_authn_core.xml
+++ b/docs/manual/mod/mod_authn_core.xml
@@ -139,8 +139,12 @@ authentication</description>
      AuthName "Top Secret"
    </highlight>
 
-    <p>The string provided for the <code>AuthName</code> is what will
-    appear in the password dialog provided by most browsers.</p>
+    <p>The string provided for the <code>AuthName</code> was
+    historically displayed in the password dialog provided by
+    browsers. Most modern browsers no longer show the realm
+    string, as it could be abused for phishing. The directive
+    is still required for HTTP authentication to function, and
+    the realm value is still used to scope credentials.</p>
 
     <p>From 2.5.0, <a href="../expr.html">expression syntax</a> can be
     used inside the directive to produce the name dynamically.</p>