473,835 Members | 1,823 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

How to send username/password to htaccess?

I want to use htaccess for authentication on my php site since I only have a
few users who need access to secure areas. So, I created a new directory
off public_html (secretDocs) and in that directory there is a .htaccess file
that looks like this:

AuthType Basic
AuthName "someuser"
AuthUserFile "/home/mydirectory/.htpasswds/secretDocs/passwd"
require valid-user
If a user tries to go directly to the url -
http://www.mysite.com/secretDocs/ - he will get a prompt for
username/password. But I want to use an SSL encrypted page with a form to
accept username/password and then redirect the user to the secure area if
the credentials are valid (otherwise send to a "login failed" page). So the
user goes to the login page first, enters credentials, then is redirected to
the secure page/directory.

Is there a way to forward the credentials entered on the form to htaccess?

Any suggestions welcome! Thanks in advance.
Jul 17 '05 #1
9 37740
> Is there a way to forward the credentials entered on the form to htaccess?

I read somewhere that you should be able to send like this:

http://username:pa******@www.website...curedirectory/

I could not get it to work on my site...

If it did work, I'm wondering if I do this from the SSL page if it would be
more secure?
Jul 17 '05 #2
perhaps I just need to use a basic authentication script. I found this:

http://www.krizleebear.de/phpaccess/...x.php?pageID=1

but would welcome other recommendations .
Jul 17 '05 #3
> I read somewhere that you should be able to send like this:
http://username:pa******@www.website...curedirectory/
I could not get it to work on my site...


It has been desactivated (since IE6 i think remembering) as it
was a security risk as the password could be read in server logs.

Jul 17 '05 #4
.oO(deko)
Is there a way to forward the credentials entered on the form to htaccess?


I read somewhere that you should be able to send like this:

http://username:pa******@www.website...curedirectory/


Username and password are not allowed in HTTP URLs.

Micha
Jul 17 '05 #5
Michael Fesser wrote:
.oO(deko)

Is there a way to forward the credentials entered on the form to htaccess?


I read somewhere that you should be able to send like this:

http://username:pa******@www.website...curedirectory/

Username and password are not allowed in HTTP URLs.

Micha


IIS (latest versions) will simply strip out the username and password
data, making this solution impossible, but other servers, including
apache 1.3.x, will still cooperate fully.

but: although it's possible, it's still pretty insecure!!

sadara
Jul 17 '05 #6
.oO(Sadara)
IIS (latest versions) will simply strip out the username and password
data, making this solution impossible, but other servers, including
apache 1.3.x, will still cooperate fully.
Yep, but I wouldn't rely on it. Even if widely used and probably working
on many servers it's explicitly not allowed by RFC.
but: although it's possible, it's still pretty insecure!!


Insecure and unreliable.

Micha
Jul 17 '05 #7
> Insecure and unreliable.

yep, that's for sure. If you can recommend a basic php authentication
script, please let me know.
Jul 17 '05 #8
Carved in mystic runes upon the very living rock, the last words of deko
of comp.lang.php make plain:
If a user tries to go directly to the url -
http://www.mysite.com/secretDocs/ - he will get a prompt for
username/password. But I want to use an SSL encrypted page with a
form to accept username/password and then redirect the user to the
secure area if the credentials are valid (otherwise send to a "login
failed" page). So the user goes to the login page first, enters
credentials, then is redirected to the secure page/directory.

Is there a way to forward the credentials entered on the form to
htaccess?


When your browser requests a page that's behind http authentication, the
server returns a 401. The browser then looks to see if it has a user name
and password for that realm. If it does, it re-sends the request with the
u/p attached; if it doesn't, you get the little popup asking for them.
So, basically what you're asking is if there's a way to have a PHP script
capture the u/p and have the browser know them thereafter. Unfortunately,
there is no way. If the PHP script captures the auth info, it thereafter
has to be responsible for controlling access.

--
Alan Little
Phorm PHP Form Processor
http://www.phorm.com/
Jul 17 '05 #9
> When your browser requests a page that's behind http authentication, the
server returns a 401. The browser then looks to see if it has a user name
and password for that realm. If it does, it re-sends the request with the
u/p attached; if it doesn't, you get the little popup asking for them.
So, basically what you're asking is if there's a way to have a PHP script
capture the u/p and have the browser know them thereafter. Unfortunately,
there is no way. If the PHP script captures the auth info, it thereafter
has to be responsible for controlling access.


Thanks for the clear explanation. I've begun my search for a PHP
authentication script.
Jul 17 '05 #10

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

5
2163
by: j-marvin | last post by:
hi- i am going through the process of password protecting a directory using ..htaccess and .htpasswd i am experiencing difficulty. so my question is without making life anymore difficult is if the webhost already has a password protected directory option is this secure enough? i dont need password protection at the directory level and at the file level do i? i want to protect the
4
6087
by: Lobang Trader | last post by:
Hi all, I am trying to create a username and a password class. I would like to know what are the RECOMMENDED minimum and maximum length for both fields? These fields will be something like this: private static final int DEFAULT_MINIMUM_LENGTH = ??????
2
18585
by: john brown | last post by:
There is a web page that I access frequently and would like to automate the authentication of the username and password. I would like to user a perl script but I'm not really sure about the steps. If someone could point me in the right direction. I don't know if it's this simple but wouldn't it just be a matter of using the LWP module. Calling the webpage and passing in the parameters? Any help would be appreciated. <html>...
0
2438
by: Joey Edelstein | last post by:
Hi, We are trying to add a Client Certificate support for our web app that emulates a hardware device web app. The hardware uses a 2 factors authentication, which requires a Web Service client to send: Client Certificate and Username / password. We are using a Web Service provider which uses IIS 5.1 as HTTP server. IIS is set to require client certificate and Basic Authentication.
8
3642
by: Noel Volin | last post by:
Anyone who can help here is much appreciated. I am trying to programmatically log onto a website. I am using the code provided in VS for the AuthenticationManager Class example ( ms-help://MS.VSCC.2003/MS.MSDNQTR.2003FEB.1033/cpref/html/frlrfSystemNetAuthenticationManagerClassTopic.htm ). I have also download and tried to use the following CsharpHttp executable in an attempt to find my problem:...
1
4023
by: thoducng | last post by:
I am writing some code to access share folder on a remote network. DirectoryInfo dicInfo = new DirectoryInfo("remoteNetwork\shareFolder"); if (dicInfo.Exists) { //application code followed
12
4178
by: Cecil | last post by:
Does this make sense for a logon table: CREATE TABLE Logon ( ID INT NOT NULL IDENTITY PRIMARY KEY, name VARCHAR(15) NOT NULL, password VARCHAR(15) NOT NULL ) GO CREATE UNIQUE INDEX IX_Logon_Name ON Logon(name)
0
1300
by: nemo | last post by:
I've included a list of username/password combinations in the Web.Config file and I've a simple aspx page with a username and password field for the users to log in. While the password field seems to be case sensitive, the username field is not. How can I force the username field to be case sensitive, i.e. match exactly what I have on the Web.config file? Do I have to use regular expressions? thanks Nemo
2
2991
by: minhtran | last post by:
Hi All Anyone knows how to code(ASP.NET, C#,VB.NET) as to send username and password to Proxy Server required to reach web page (That means you code as programming automatically get web page without enter username password again, cause of your coding has username and password "Our server asks username and password for external communication"). Thank you in advance for anyone read this question. Please, anyone has this idea to share, Thanks a...
0
9652
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
10517
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
1
10559
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
0
10230
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
0
9343
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
1
7765
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
0
6961
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
0
5632
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
0
5802
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.