How to send username/password to htaccess?

deko

I want to use htaccess for authentication on my php site since I only have a
few users who need access to secure areas. So, I created a new directory
off public_html (secretDocs) and in that directory there is a .htaccess file
that looks like this:

AuthType Basic
AuthName "someuser"
AuthUserFile "/home/mydirectory/.htpasswds/secretDocs/passwd"
require valid-user
If a user tries to go directly to the url -
http://www.mysite.com/secretDocs/ - he will get a prompt for
username/password. But I want to use an SSL encrypted page with a form to
accept username/password and then redirect the user to the secure area if
the credentials are valid (otherwise send to a "login failed" page). So the
user goes to the login page first, enters credentials, then is redirected to
the secure page/directory.

Is there a way to forward the credentials entered on the form to htaccess?

Any suggestions welcome! Thanks in advance.

Jul 17 '05 #1

Follow Post Reply

37528

deko

> Is there a way to forward the credentials entered on the form to htaccess?

I read somewhere that you should be able to send like this:

http://username:pa******@www.website...curedirectory/

I could not get it to work on my site...

If it did work, I'm wondering if I do this from the SSL page if it would be
more secure?

Jul 17 '05 #2

deko

perhaps I just need to use a basic authentication script. I found this:

http://www.krizleebear.de/phpaccess/...x.php?pageID=1

but would welcome other recommendations.

Jul 17 '05 #3

Wildpeaks

> I read somewhere that you should be able to send like this:

http://username:pa******@www.website...curedirectory/
I could not get it to work on my site...

It has been desactivated (since IE6 i think remembering) as it
was a security risk as the password could be read in server logs.

Jul 17 '05 #4

Michael Fesser

.oO(deko)

Is there a way to forward the credentials entered on the form to htaccess?

I read somewhere that you should be able to send like this:

http://username:pa******@www.website...curedirectory/

Username and password are not allowed in HTTP URLs.

Micha

Jul 17 '05 #5

Sadara

Michael Fesser wrote:

.oO(deko)

Is there a way to forward the credentials entered on the form to htaccess?

I read somewhere that you should be able to send like this:

http://username:pa******@www.website...curedirectory/

Username and password are not allowed in HTTP URLs.

Micha

IIS (latest versions) will simply strip out the username and password
data, making this solution impossible, but other servers, including
apache 1.3.x, will still cooperate fully.

but: although it's possible, it's still pretty insecure!!

sadara

Jul 17 '05 #6

Michael Fesser

.oO(Sadara)

IIS (latest versions) will simply strip out the username and password
data, making this solution impossible, but other servers, including
apache 1.3.x, will still cooperate fully.
Yep, but I wouldn't rely on it. Even if widely used and probably working
on many servers it's explicitly not allowed by RFC.
but: although it's possible, it's still pretty insecure!!

Insecure and unreliable.

Micha

Jul 17 '05 #7

deko

> Insecure and unreliable.

yep, that's for sure. If you can recommend a basic php authentication
script, please let me know.

Jul 17 '05 #8

Alan Little

Carved in mystic runes upon the very living rock, the last words of deko
of comp.lang.php make plain:

If a user tries to go directly to the url -
http://www.mysite.com/secretDocs/ - he will get a prompt for
username/password. But I want to use an SSL encrypted page with a
form to accept username/password and then redirect the user to the
secure area if the credentials are valid (otherwise send to a "login
failed" page). So the user goes to the login page first, enters
credentials, then is redirected to the secure page/directory.

Is there a way to forward the credentials entered on the form to
htaccess?

When your browser requests a page that's behind http authentication, the
server returns a 401. The browser then looks to see if it has a user name
and password for that realm. If it does, it re-sends the request with the
u/p attached; if it doesn't, you get the little popup asking for them.
So, basically what you're asking is if there's a way to have a PHP script
capture the u/p and have the browser know them thereafter. Unfortunately,
there is no way. If the PHP script captures the auth info, it thereafter
has to be responsible for controlling access.

--
Alan Little
Phorm PHP Form Processor
http://www.phorm.com/

Jul 17 '05 #9

deko

> When your browser requests a page that's behind http authentication, the

server returns a 401. The browser then looks to see if it has a user name
and password for that realm. If it does, it re-sends the request with the
u/p attached; if it doesn't, you get the little popup asking for them.
So, basically what you're asking is if there's a way to have a PHP script
capture the u/p and have the browser know them thereafter. Unfortunately,
there is no way. If the PHP script captures the auth info, it thereafter
has to be responsible for controlling access.

Thanks for the clear explanation. I've begun my search for a PHP
authentication script.

Jul 17 '05 #10

How to send username/password to htaccess?

This discussion thread is closed

Similar topics