I have two web browsers running on the same host, but on different ports.
One is [based upon] Apache, and I have several locally developed scripts and documents presented there, all authenticated against modules that either came with the Apache implementation for this OS (not Windows, Mac or Unix), or have been written in-house. These authentication methods check against OS-specific user authentication stores. All involved authentications are configured in Apache as AUTH BASIC.
The other is a third-party web server created by our Email software vendor. Its purpose is for supporting that 3rd-party vendor's ADMINISTRATIVE TOOLS (NOT a webmail implementation). Unlike Apache, it is NOT extendable. But it also uses the same kind of basic authentication AS FAR AS THE WEB BROWSERS KNOW.
Several of my local scripts and documents hosted by my Apache server are authenticated against the same authentication stores as the 3rd-party vendor's administrative tools. Essentially they are local extensions to these tools. For example, the 3rd-party software vendor provides a web interface for users to change passwords. We supply a web interface so the user who's forgotten their password can obtain a new one using a recorded challenge string/response pair and the user's realtime response to that challenge.
While the 3rd-party vendor's web server is NOT extensible, many of its Administrative Tools ARE, and as a result it's easy to insert links to our local scripts & pages into the administrative tools. But when users who have already authenticated to the 3rd-party vendor's pages/scripts click on our links there, they are confronted with authentication prompts in their browser, often for the SAME user id and password they just supplied a few clicks earlier.
I know WHY this is happening, of course. The browser is moving from one web server to another (same hosts, different ports: 80 for APACHE and :7633 for the other server) and from one authentication realm to another. Doesn't seem to matter to the browser that the different authentication realms are LOGICALLY the same, checking against the same community of users/passwords.
Is there something I can tweak ON THE APACHE SIDE so that the browser will be fooled into thinking it's already authenticated to my local scripts once the 3rd-party vendor's authentications have been done? Since I never want to see the password, but want the same userid, I could be very happy if I could eliminate the excessive authentication prompts.
Of course, should the user go for MY pages/scripts first, I'd want to force them to authenticate. And if they then followed links to the 3rd-party vendor's scripts/pages, I'd want to extend the same courtesy to them.
The aim, of course, is to not frustrate/confuse the user who "Already Authenticated." Kind of like avoiding the same frustration we all feel when in Voice-Mail Hell on the phone -- please enter your 16-digit account number, then do it again 5 selections later in the call.