Perl interface to .htaccess

by awohld (Hermit)
on Oct 06, 2004 at 05:10 UTC ( [id://396878]=perlquestion )

awohld has asked for the wisdom of the Perl Monks concerning the following question:

I have a Linux server that has password-protected directories using .htaccess.

Is there a Perl interface where I can accept the user name and password via a form and validate the user instead of using the popup password window?

Thanks
Adam

Replies are listed 'Best First'.
Re: Perl interface to .htaccess
by tachyon (Chancellor) on Oct 06, 2004 at 06:10 UTC

    You can do it but it is a bit of a hack. First you need to know you can login to a password protected dir using the syntax:

    http://username:password@domain.com/protected/

    If you have a form with params 'username' and 'password' submit to this script:

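    #!/usr/bin/perl
    use strict;
    use warnings;
    use CGI;
    use URI::Escape qw(uri_escape);

    my $url = 'domain.com/protected/redir.htm';
    my $q   = CGI->new();

    # Percent-encode the submitted values so that characters such as ':', '@',
    # quotes or angle brackets cannot break the URL or the HTML printed below.
    my $login_url = sprintf 'http://%s:%s@%s',
        uri_escape( scalar( $q->param('username') ) // '' ),
        uri_escape( scalar( $q->param('password') ) // '' ),
        $url;

    print $q->header;
    # The browser itself must follow the credential-bearing URL, so the
    # redirect is done with a meta refresh and script, not a Location header.
    print <<HTML;
    <head>
    <title>Logging in.....</title>
    <meta http-equiv="refresh" content="0; url=$login_url">
    <script>window.location='$login_url'</script>
    </head>
    HTML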

    then the submitted username and password will be crafted into the necessary URL and automatically submitted by the browser (we can't just use a standard redirect as the browser has to be in on it). The net result is that the user will be logged in (if the supplied credentials are valid). The only problem with this is that now username:pass will be visible in the URL in the Address bar. You can cure that by pointing the login url redirect to a secondary redirect page (redir.htm in the example). Here you can redirect anywhere in the protected area, but as the user is now logged in we don't need the username:password@ part anymore.

    <head>
    <title>Redirecting.....</title>
    <meta http-equiv="refresh" content="0; url=http://domain.com/protected/wherever.htm">
    <script>window.location='http://domain.com/protected/wherever.htm'</script>
    </head>

    cheers

    tachyon

      First you need to know you can login to a password protected dir using the syntax:
      http://username:password@domain.com/protected/

      I'm not sure that this will work on fully-patched versions of IE. Didn't Microsoft disable this to protect against certain "phishing" scams?

      Update: Found this link on the MS website that gives more details: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q834489


      s^^unp(;75N=&9I<V@`ack(u,^;s|\(.+\`|"$`$'\"$&\"\)"|ee;/m.+h/&&print$&
      but as the user is now logged in we don't need the username:password@ part anymore.

      Why does this work? For access to the protected area to succeed, the browser should post an Authorization header, shouldn't it? If we no longer post the username and password in the URL, does this mean that the browser silently begins to use the Authorization header?
      Can you please explain or give a URL to read more on it?

        Yes, exactly. Most browsers cache the login information and send the appropriate Authorization header on each request.

        BTW, IIRC Mozilla Firefox will display a messagebox "Do you really want to login using the following user/pass-combination" if redirected to http://user:pass@.../.
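
The exchange above turns on the Authorization header that the browser replays once it has cached the credentials. The following is an added example, not code from any poster in this thread, showing how the user:pass@ part of a URL maps to that header and back; the helper names and the sample URL, user name and password are constructed for illustration.

```perl
#!/usr/bin/perl
# Added illustration (not from the thread): how user:pass@ URL credentials
# map to the Basic Authorization header a browser replays on each request.
use strict;
use warnings;
use URI;
use URI::Escape qw(uri_unescape);
use MIME::Base64 qw(encode_base64 decode_base64);

# Split the userinfo part of a URL into (user, password).
sub credentials_from_url {
    my ($url) = @_;
    my $uri = URI->new($url);
    return unless $uri->can('userinfo');    # scheme without an authority part
    my $userinfo = $uri->userinfo;
    return unless defined $userinfo;
    # Split on the first ':' only, then percent-decode each half, so an
    # encoded ':' or '@' inside the password survives intact.
    my ($user, $pass) = split /:/, $userinfo, 2;
    return map { uri_unescape($_ // '') } ($user, $pass);
}

# Header value for Basic auth: base64 of "user:password", no line breaks.
sub basic_auth_header {
    my ($user, $pass) = @_;
    return 'Basic ' . encode_base64("$user:$pass", '');
}

# The reverse step, as performed by the server (or by anyone who can read
# the request): no key is involved, only base64 decoding.
sub parse_basic_auth {
    my ($header) = @_;
    my ($b64) = $header =~ /\A Basic \s+ ([A-Za-z0-9+\/=]+) \z/xi or return;
    my ($user, $pass) = split /:/, decode_base64($b64), 2;
    return ($user, $pass);
}

# Constructed sample: the password "s3cr@t:x" percent-encoded for a URL.
my $url = 'http://alice:s3cr%40t%3Ax@domain.com/protected/';
my ($user, $pass) = credentials_from_url($url);
my $header = basic_auth_header($user, $pass);
print "Authorization: $header\n";

my ($u, $p) = parse_basic_auth($header);
print "recovered: user=$u password=$p\n";
```

Because the header is only base64-encoded and accompanies every request to the protected area, the password is readable by anyone who can see the traffic unless the site is served over HTTPS.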

Re: Perl interface to .htaccess
by sgifford (Prior) on Oct 06, 2004 at 05:30 UTC
    I've used Apache::AuthCookie and Apache::AuthCookieDBI to accomplish this. It simulates HTTP AUTH with cookies, which gives more flexibility at the cost of some security. So far I've found it to be an acceptable trade-off, and a very useful module.
Re: Perl interface to .htaccess
by astroboy (Chaplain) on Oct 06, 2004 at 10:46 UTC
    Is mod_perl an option, or are you using straight CGI? If the former is a viable alternative, then you may be able to intercept the request in the authorization and/or authentication phases and then decide what to do with the request - direct the user to a standard HTML login page, or let them through.
