--- securesite.module.old	2008-02-24 01:03:06.000000000 +0100
+++ securesite.module	2008-02-28 21:36:09.484375000 +0100
@@ -33,7 +33,8 @@ function securesite_menu($may_cache) {
       'description'        => t('Enables HTTP Auth security or an HTML form to restrict site access.'),
       'access'             => user_access('administer site configuration'),
     );
-  }
+  }
+  
   return $items;
 }
 
@@ -89,6 +90,13 @@ function securesite_admin_settings() {
     '#maxlength' => 40,
     '#description' => t('Name to identify login area in HTTP Auth dialog'),
   );
+
+  $form['authentication']['securesite_httpauth_session_lifetime'] = array(
+    '#type' => 'textfield',
+    '#title' => t('HTTP Auth Session Lifetime'),
+    '#default_value' => variable_get('securesite_httpauth_session_lifetime', 7200),
+    '#description' => t("Set the lifetime (in seconds) for HTTP Auth sessions.  HTTP Auth sessions older than this value will be automatically cleaned out when cron is run. Explanation: HTTP Auth sessions are typically used to enable access to protected URLs by feed readers and other software.  This access is typically not session-based, so each access results in a new entry in the sessions table, which may cause it to get excessively large."),
+  );
 
   // HTML login form settings
   $form['login_form'] = array(
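Review bot: The new `securesite_httpauth_session_lifetime` textfield accepts any string, yet securesite_cron later feeds the stored value straight into a `%d` placeholder, where a non-numeric or empty value becomes 0 and the DELETE would then purge every HTTP Auth session on the next cron run. A validation step on this settings form, written the way the module already validates its other settings, should reject anything that is not a positive integer (a check such as `if (!ctype_digit((string) $value) || $value < 1)` with a form error on the field). A `'#size' => 10` would also make it clearer that a number, not free text, is expected. securesite_admin_settings continues outside the hunk.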
@@ -111,8 +119,15 @@ function securesite_admin_settings() {
     '#length' => 60,
     '#height' => 3,
     '#description' => t('Leave empty to disable Secure Site\'s password reset form.'),
-  );
-
+  );
+
+  $form['login_form']['securesite_show_access_denied'] = array(
+    '#type' => 'checkbox',
+    '#title' => t('Show access denied page instead of login or password request forms'),
+    '#description' => t('Show access denied page instead of login or password reset forms. You can use this in combintation with the HTTP Auth security method. In case the user presses \'Cancel\' in the HTTP Authentication dialog box, the \'Access denied\' page is shown instead of the password reset form.'),
+    '#default_value' => variable_get('securesite_show_access_denied', FALSE),
+  );
+
   // Bypass login filter pages settings
   $form['filter_pages'] = array(
     '#type' => 'fieldset',
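Review bot: The `#description` of `securesite_show_access_denied` contains the typo "combintation" inside a `t()` string, which would become the translation msgid; it should read `'... You can use this in combination with the HTTP Auth security method. ...'`. The description also restates the `#title` in its first sentence, so the field text could start directly at "You can use this…". securesite_admin_settings continues outside the hunk.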
@@ -199,7 +214,8 @@ function securesite_init() {
   // Step #5: Check if user is a guest and log them in if they are
   if (!empty($guest_name) && !empty($guest_pass) && $guest_name == $edit['name'] && $guest_pass == $edit['pass']) {
     // Mark this session to prevent re-login (note: guests can't logout)
-    $_SESSION['securesite_guest'] = TRUE;
+    watchdog('securesite', 'guest login');
+    $_SESSION['securesite_guest'] = TRUE;
 
     if (arg(0) != 'logout') { // only redirect if on logout page
       return;
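Review bot: The added `watchdog('securesite', 'guest login');` passes a raw string while the module's other watchdog call in this function (`watchdog('user', t('Session opened for %name.', ...))`) passes a translated message, so the two log entries are written inconsistently. I would align it with the existing style, `watchdog('securesite', t('Guest login.'));`, and, if the version of watchdog() in use accepts it, consider a severity argument so audit filtering is possible. securesite_init begins and ends outside the hunk.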
@@ -213,19 +229,20 @@ function securesite_init() {
   /**
    * The LDAP auth module can't use the regular external user login system, so we have to call its
    * login function separately
-   */
+   */
   if (function_exists('_ldapauth_user_authenticate')) {
     $account = _ldapauth_user_authenticate($edit['name'], $edit['pass']);
   }
   else {
     $account = user_authenticate($edit['name'], $edit['pass']);
   }
-
+
   // Step #7: Process login attempt
   if ($account->uid && user_access('access site', $account)) {
     // Login successful
     $user = $account;
-
+    $_SESSION['HTTPAUTH'] = TRUE;
+        
     watchdog('user', t('Session opened for %name.', array('%name' => $user->name)));
     db_query("UPDATE {users} SET login = '%d' WHERE uid = '%s'", time(), $user->uid);
     user_module_invoke('login', $edit, $user);
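Review bot: `$_SESSION['HTTPAUTH'] = TRUE;` is set for every login that reaches Step #7, but nothing on the new side distinguishes credentials that came from an HTTP Authorization header from those posted via the HTML login form (the part of securesite_init that builds `$edit` is above the hunk, so I am inferring both paths converge here); since securesite_cron in this same patch deletes every session matching `HTTPAUTH` once it is older than the configured lifetime, form-based sessions would be expired as well. The flag should be set only on the HTTP Auth path, e.g. `$_SESSION['HTTPAUTH'] = !empty($_SERVER['PHP_AUTH_USER']);` or whichever check the module already uses to detect header-supplied credentials. The added line after it is trailing whitespace only and should be dropped. securesite_init begins and ends outside the hunk.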
@@ -244,14 +261,19 @@ function securesite_init() {
 /**
  * Implementation of hook_user()
  */
-function securesite_user($op, &$edit, &$user) {
+function securesite_user($op, &$edit, &$user) {
   if ($op == 'logout') {
     module_invoke_all('exit', request_uri());
     unset($GLOBALS['user']);
 
     $securesite_enabled = variable_get('securesite_enabled', SECURESITE_DISABLED);
     if ($securesite_enabled == SECURESITE_AUTH || $securesite_enabled == SECURESITE_AUTH_ALT) {
-      securesite_user_auth();
+      if ($_SESSION['HTTPAUTH']) {
+        securesite_user_auth();
+      }
+      else {
+        securesite_goto();
+      }
     }
     else {
       // redirect first to browser prevent caching problems
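Review bot: `if ($_SESSION['HTTPAUTH'])` reads an index that is only set on logins passing through securesite_init, so a logout from a session created any other way (the regular user login page, or a session predating this change) raises an undefined-index notice and, with notices displayed, can leak the path into the logout page. Use `if (!empty($_SESSION['HTTPAUTH'])) {` so the missing key falls through to `securesite_goto()` silently. securesite_user continues outside the hunk.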
@@ -275,12 +297,23 @@ function securesite_goto() {
   module_invoke_all('exit', request_uri());
   exit;
 }
-
+
+/**
+ * Implementation of hook_cron.  
+ * Deletes HTTPAUTH sessions which are older than 2 hours.
+*/
+function securesite_cron() {
+  $now = date('U');
+  $delta = variable_get('securesite_httpauth_session_lifetime', 7200);
+  $threshold = $now - $delta;
+  db_query("DELETE FROM {sessions} WHERE timestamp < %d AND session LIKE 'HTTPAUTH%' ", $threshold);
+}
+
 /**
  * Display authentication dialog and send password requests
  */
 function securesite_user_auth() {
-  global $base_url;
+  global $base_url;
 
   // Clear the cache if it's enabled.  Work-around for http://drupal.org/node/217466
   if (variable_get('cache', CACHE_DISABLED) != CACHE_DISABLED) {
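Review bot: The securesite_cron docblock says sessions "older than 2 hours" are deleted, but the threshold comes from `securesite_httpauth_session_lifetime`, so the comment should read "Deletes HTTP Auth sessions older than the configured securesite_httpauth_session_lifetime (default 7200 seconds)." The `session LIKE 'HTTPAUTH%'` condition only matches when HTTPAUTH is the first key serialised into the session data; if anything else (messages, for instance) was written to `$_SESSION` before the flag, that row is never cleaned and the table keeps growing, which is the problem this hook is meant to solve — a match on `'%HTTPAUTH|b:1;%'` or a dedicated column would be more robust, though I cannot see the sessions schema here to confirm. Two smaller points: `date('U')` is a string where `time()` is the idiomatic integer, and the variable should be cast, so `$threshold = time() - (int) variable_get('securesite_httpauth_session_lifetime', 7200);` replaces the three assignment lines; the docblock's first line also ends in trailing whitespace and its closing `*/` is not aligned with the rest of the file's docblocks.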
@@ -365,12 +398,12 @@ function securesite_user_auth() {
     $content .= _securesite_login_form();
   }
   $content .= _securesite_request_form();
-
+
   // Step #3: If using HTTP Auth, send the appropriate headers, but only if the user isn't logged in and they haven't
   // just submitted the password reset or login forms
   if (($securesite_enabled == SECURESITE_AUTH || $securesite_enabled == SECURESITE_AUTH_ALT) && empty($_POST['securesite_request_form']) && empty($_POST['securesite_login_form'])) {
     $realm = variable_get('securesite_realm', variable_get('site_name', 'Drupal'));
-
+
     if ($securesite_enabled == SECURESITE_AUTH_ALT) {
       /*********
        * If not on the home page of the site, Opera will not show the auth dialog the first time after logout.  It will show
@@ -388,17 +421,37 @@ function securesite_user_auth() {
 
       $realm .= $suffix;
     }
-
-    header('WWW-Authenticate: Basic realm="'. $realm .'"');
-    header('HTTP/1.0 401 Unauthorized');
+
+    header('WWW-Authenticate: Basic realm="'. $realm .'"');
+    header('HTTP/1.0 401 Unauthorized');
   }
 
-  // Step #4: Show the login form or password request form
-  _securesite_dialog_page($content);
-  module_invoke_all('exit', request_uri());
-  exit;
+  // Step #4: Show the login form, password request form, or access denied page
+  if (variable_get('securesite_show_access_denied', FALSE)) {
+    _securesite_access_denied();
+  }
+  else {
+    _securesite_dialog_page($content);
+  }
+
+  module_invoke_all('exit', request_uri());
+  exit;
 }
-
+
+/**
+ * Prints access denied page
+ * This function is copied from drupal_access_denied, but doesn't set the http header, because it was already set to 401
+ * We need some fiddling of the user here, becuase it is already unset, while some blocks might still need it
+  */
+function _securesite_access_denied() {
+  global $user;
+  $user = drupal_anonymous_user();
+  menu_set_active_item('');
+  drupal_set_title(t('Access denied'));
+  $content = t('You are not authorized to access this page.');
+  print(theme('page', $content));
+}
+
 /**
  * Check if pages should bypass securesite
  */
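Review bot: The `_securesite_access_denied` docblock states the HTTP header "was already set to 401", but in securesite_user_auth the 401 is only sent inside the `SECURESITE_AUTH`/`SECURESITE_AUTH_ALT` branch, so with the HTML-form-only mode and `securesite_show_access_denied` enabled the denial page goes out with a 200 status and clients, crawlers and caches will treat it as a successful page. In the Step #4 branch I would send an explicit status when no 401 was emitted, `if ($securesite_enabled != SECURESITE_AUTH && $securesite_enabled != SECURESITE_AUTH_ALT) { header('HTTP/1.0 403 Forbidden'); }` before calling `_securesite_access_denied()`, and reword the docblock to say the function deliberately sets no status header and relies on the caller. The docblock also has the typo "becuase" and a mis-indented closing `*/`. securesite_user_auth begins outside the hunk.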
