
Re: .htaccess and $ENV{

by sierrathedog04 (Hermit)
on Aug 09, 2001 at 00:36 UTC


in reply to .htaccess and $ENV{

Here is an example of a valid .htaccess file which we place in the directory that we wish to protect:

    AuthName "Security Solutions Center HelpDesk"
    AuthType Basic
    AuthUserFile /dkdkdkdke/.htpasswd
    AuthGroupFile /ej34l4l4tkgk/.htgroup
    <Limit GET POST>
    require group Xdwp
    </LIMIT>

  1. It sounds as if your Apache webserver may not have its basic authentication turned on. The book Apache Webserver for Dummies has a good chapter on how to configure your access.conf and other files to require basic authentication, which is what would cause the password window to pop up. You want to make sure that AuthType is set to Basic and that other parameters are also correct.
  2. Since basic authentication is not turned on there is no one logging in, so REMOTE_USER is empty.
  3. To do anything nonstandard use the CPAN modules htpasswd and htgroup. We use them to allow administrators to generate new users online.
  4. I cannot think of a time when you would need to manipulate REMOTE_USER directly. Basic authentication checks it for you.
  5. If you do need to access REMOTE_USER then access it using CGI.pm's param function, e.g., $q->param('REMOTE_USER').

Replies are listed 'Best First'.
Re: Re: .htaccess and $ENV{
by echo (Pilgrim) on Aug 09, 2001 at 18:52 UTC
    Don't use <Limit GET POST>!! It's a leftover from NCSA days. It will actually limit authentication to only those methods, GET and POST. A malicious user can craft a request using another method, e.g. PUT, and that request will bypass your authentication. Folks, don't use LIMIT containers unless you know what you're doing.

      As echo says, you shouldn't use the Limit directives in this case - it really means "only limit the HTTP request methods...".

      Just to clarify, all you have to do is turn this:

          <Limit GET POST>
          require group Xdwp
          </LIMIT>

      into this:

          require valid-user

      The first example means that to log in successfully, the username submitted has to match the password of that user (obviously), and also be in the group "Xdwp". In the second example, all that has to happen is that the username has to be in the password file.

      This has absolutely nothing to do with Perl though, so I'd suggest having a look at the docs on httpd.apache.org (http://httpd.apache.org/docs/mod/core.html#require).

        Thank you echo and mischief for pointing out that I ought not to be using Limit directives. I will fix my .htaccess file.
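
An added example, not part of any post in this thread: a small Python check that finds `require` lines sitting inside a `<Limit>` container in .htaccess text and reports which methods the container leaves without an access requirement, which is the problem echo describes. The sample files, their placeholder paths and the function name find_limited_requires are constructed for illustration.

```python
import re

# Method names Apache documents as valid in <Limit>; names are case-sensitive.
# Listing GET also restricts HEAD, so HEAD is not tracked separately.
KNOWN_METHODS = ["GET", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "PATCH",
                 "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"]

LIMIT_OPEN = re.compile(r"^\s*<Limit\s+([^>]*)>", re.I)   # does not match <LimitExcept>
LIMIT_CLOSE = re.compile(r"^\s*</Limit\s*>", re.I)
REQUIRE = re.compile(r"^\s*require\s+(.+?)\s*$", re.I)

def find_limited_requires(text):
    """Return one finding per 'require' directive enclosed in a <Limit> container."""
    findings, methods = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue                      # skip comment lines
        opened = LIMIT_OPEN.match(line)
        if opened:
            methods = opened.group(1).split()
        elif LIMIT_CLOSE.match(line):
            methods = None
        elif methods is not None:
            req = REQUIRE.match(line)
            if req:
                findings.append({
                    "line": lineno,
                    "require": req.group(1),
                    "limited_to": methods,
                    "unprotected": [m for m in KNOWN_METHODS if m not in methods],
                })
    return findings

# Constructed sample: the layout from the first post, with placeholder paths.
COMMON = ('AuthName "Security Solutions Center HelpDesk"\n'
          'AuthType Basic\n'
          'AuthUserFile /path/to/.htpasswd\n'
          'AuthGroupFile /path/to/.htgroup\n')
SAMPLE_BEFORE = COMMON + "<Limit GET POST>\nrequire group Xdwp\n</LIMIT>\n"
# Constructed sample: same requirement with the container removed, so it
# applies to every method (this keeps the group check, unlike valid-user).
SAMPLE_AFTER = COMMON + "require group Xdwp\n"

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        for f in find_limited_requires(text):
            print(f"{name}: line {f['line']}: 'require {f['require']}' applies only to "
                  f"{' '.join(f['limited_to'])}; not enforced for {', '.join(f['unprotected'])}")
```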
