hotyopa has asked for the wisdom of the Perl Monks concerning the following question:

Hi Robe Wearers,

I have just moved to a new web server which for whatever reason doesn't support .htaccess user authentication. But, after reading an article on Zend about User Authentication using PHP, I wondered whether you couldn't do the same thing in Perl - authentication by sending the requisite HTTP headers, checking user environment variables and manually parsing the .htpasswd file

Does anyone think that this is a viable proposition? The Zend article gives me the HTTP headers to send to get the login box, but I'm not sure about where to look to see if someone is logged in or not, and if so where to find their username and password...

(A note: its not my webserver, so I can't install any modules, and its 5.00503, but CGI.pm is installed)

*~-}hotyopa{-~*

Replies are listed 'Best First'.
Re: Mimicking htaccess user authentication
by Cubes (Pilgrim) on Aug 02, 2001 at 14:47 UTC
    You can find out all about HTTP authentication in RFC 2617. You can find the user's authentication info in the HTTP header fields of their request after your "Unauthorized" response status.

    CGI.pm has an http() function which should allow you to grab arbitrary headers from the request.

[reply]
Re: Mimicking htaccess user authentication
by c (Hermit) on Aug 02, 2001 at 03:08 UTC
    This is a topic that has interested me as well. Although I havent had the time to fully explore it, I think you may want to start by looking into apache::htpasswd. It looks like it provides a good deal of the abilities that you're looking for. Plus, I believe its written by one of our own.
    You may also want to read through this which seems to provide some external info on the topic you're interested in.

    humbly -c

[reply]

      Thanks c, but...

      I don't have apache::htpasswd module installed, and as I said above, can't install it. Its not really the crux of the problem anyway, as I can handle parsing the htpasswd file.

      What really concerns me is how to capture the username and password entered in the authentication dialog box. I'll explain in a bit more depth:

      I activate an authentication dialog box by sending the following HTTP headers, using CGI.pm:

      print $query->header('WWW-Authenticate: Basic realm="Private"'),
      $query->header('HTTP/1.0 401 Unauthorised');

      [download]

      Now, if I were using PHP (!), the user name and password would be stored in $PHP_AUTH_USER and $PHP_AUTH_PW, which I would then try to match against the htpasswd file.

      Also, I use these aforementioned variables in PHP with the isset() function to determine whether the user has logged in yet.

      Anything php can do, Perl can do better?.

      Of course a proper implementation of htaccess security would not use isset(), but would send some sort of success message back to the client browser, causing the $REMOTE_USER environment variable to be set. But now I am out of my depth.

      Any suggestions, O wise ones?

      *~-}hotyopa{-~*

[reply]
[d/l]

        Something I've never been able to figure out, and is either because I'm missing something quite obvious, or because there really is no answer is: Why does PHP bother to have set $PHP_AUTH_USER anyway? As far as I can tell, it's always the same as $REMOTE_USER.

        As for getting the password, I don't think that's necessary (although I'm sure there's some way you could do it). $REMOTE_USER is only ever going to be set it the user has logged in successfully, so all you need to do is check whether $REMOTE_USER has been set or not - the existence of $REMOTE_USER itself is the "success message".

[reply]

Back to Seekers of Perl Wisdom