yudel has asked for the wisdom of the Perl Monks concerning the following question:

For a web-based database program I'm writing, I'm using basic authentication to give different users different permissions. I had assumed that $ENV{"REMOTE_USER"} would consistently reflect who the user was. However, it seems that my program is erasing that information so that $ENV{"REMOTE_USER"} returns empty sometimes. I don't have a $ENV{"REMOTE_USER"}="" line in my program. What else could be having that effect?

Edit: chipmunk 2001-09-03

Re: Where did my $ENV{"REMOTE_USER"} go?
by yudel (Novice) on Sep 04, 2001 at 03:34 UTC
    OK, here's clue #1:

    The problem only strikes when the program is called with the POST method.

    When it calls itself with GET, everything is fine.

      Your .htaccess (or httpd.conf) is probably set to only authenticate GETs not POSTs. Fix this and your REMOTE_USER will be fixed.

      Something like the following should fix you up:

      <Directory /your/dir/here>
          AuthUserFile /some/path/htpasswd
          AuthType Basic
          AuthName PasswordRequired
          <Limit GET POST>
              require valid-user
          </Limit>
      </Directory>

      This is not really a Perl problem but an Apache problem (feature really) that GET and POST (and PUT, etc.) can all be authenticated independently.

      -monkfish (The Fishy Monk :)

        Oops!

        Thank you!
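
Added example, not part of the original thread and not anyone's production code: a small Python check that reads an Apache auth fragment and lists the HTTP methods that no authenticating "require" line applies to, which are the methods for which a CGI script would see an empty REMOTE_USER. The method list, the function name and the three sample fragments are assumptions constructed for this example; the fragment is treated as a single scope.

```python
import re

# Methods to check for; this list is an assumption of the example.
METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH")

OPEN = re.compile(r"<(LimitExcept|Limit)\s+([^>]*)>", re.I)
CLOSE = re.compile(r"</(LimitExcept|Limit)\s*>", re.I)
# Only Require forms that demand an authenticated user count as coverage.
REQUIRE = re.compile(r"require\s+(valid-user|user\s|group\s)", re.I)


def unauthenticated_methods(conf, methods=METHODS):
    """Return the methods in `methods` that no auth `require` applies to.

    `conf` is treated as one scope (a single .htaccess file or one
    <Directory> block); merging across scopes is not modelled.
    """
    covered = set()
    section = None  # (kind, listed methods) inside <Limit>/<LimitExcept>
    for raw in conf.splitlines():
        line = raw.strip()
        opened = OPEN.match(line)
        if opened:
            listed = set(opened.group(2).split())
            if "GET" in listed:
                listed.add("HEAD")  # Apache treats HEAD as GET here
            section = (opened.group(1).lower(), listed)
        elif CLOSE.match(line):
            section = None
        elif REQUIRE.match(line):
            if section is None:
                covered |= set(methods)  # applies to every method
            elif section[0] == "limit":
                covered |= section[1]  # only the listed methods
            else:
                covered |= set(methods) - section[1]  # all but the listed
    return [name for name in methods if name not in covered]


# Constructed samples: GET-only (the failure described above), the
# <Limit GET POST> form from the reply, and the same block without <Limit>.
AUTH_LINES = "AuthUserFile /some/path/htpasswd\nAuthType Basic\nAuthName PasswordRequired\n"
GET_ONLY = AUTH_LINES + "<Limit GET>\nrequire valid-user\n</Limit>\n"
GET_POST = AUTH_LINES + "<Limit GET POST>\nrequire valid-user\n</Limit>\n"
NO_LIMIT = AUTH_LINES + "require valid-user\n"

if __name__ == "__main__":
    for label, conf in (("GET only", GET_ONLY), ("GET POST", GET_POST), ("no Limit", NO_LIMIT)):
        print(f"{label}: unauthenticated -> {unauthenticated_methods(conf) or 'none'}")
```

With the "require" line placed outside any <Limit> section it applies to every method, so the check reports nothing for the third sample.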

Re: Where did my $ENV{"REMOTE_USER"} go?
by Sifmole (Chaplain) on Sep 04, 2001 at 16:12 UTC
    I had assumed that $ENV{"REMOTE_USER"} would consistently reflect who the user was.

    You cannot assume that this is true. If your application is not extremely sensitive then the risk factor may be acceptable. However, users can change what is reported by the "REMOTE_USER" environment variable.
    Just wanted to make sure you knew that.