Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

I am having a problem with the %ENV hash, particularily with the REMOTE_USER. Whenever I enter a cgi script via a regular link, REMOTE_USER is an element of the hash. But if I enter that same page through a form submittal (i.e. a form on that page that submits to itself), REMOTE_USER is no longer an element in the %ENV hash. The rest of the hash is intact though.

Although REMOTE_USER is not an element, I don't get an unauthorized error. So the system still knows that I am in .htpasswd

I need to get the REMOTE_USER for some manipulations in MySQL.

Any ideas why REMOTE_USER disappears when entering a perl script via a form, but authentication is still valid?.

Replies are listed 'Best First'.
Re: $ENV{'REMOTE_USER'}
by Kanji (Parson) on Apr 30, 2002 at 15:53 UTC
    I don't get an unauthorized error. So the system still knows that I am in .htpasswd

    That isn't necessarily true: Apache (and presumably other web servers) allow you to limit authentication to a particular group of HTTP methods, and accessing the same URL with a method not in that group will bypass authentication entirely (so no unauthorized errors) and leave $ENV{'REMOTE_USER'} unset.

    However, you don't say how you're submitting your form, but if it is via POST (so that the form input doesn't appear in the URL after you submit) then I'd suggest taking a look at your configuration first to ensure you're also protecting GET requests (which a normal link would be).

        --k.


[reply]
Re: $ENV{'REMOTE_USER'}
by december (Pilgrim) on Apr 30, 2002 at 15:46 UTC
    Hi, If it really disappears (have you tried just dumping all environment variables?), my best guess is it has something to do with protection against cross-site scripting attacks in your httpd daemon...
[reply]
Re: $ENV{'REMOTE_USER'}
by tadman (Prior) on May 01, 2002 at 08:27 UTC
    It would be helpful to know if you're using mod_perl, since that could, conceivably, do some crazy stuff with %ENV. Or, of course, it could just be missing because the page isn't protected using that particular method, like Kanji suggested. Check your .htaccess or httpd.conf, or whatever you use to do this thing, presumably using a variation on Limit: 
    <Limit GET POST>
     Require valid-user
</Limit>

    [download]
    Anyway, what about using CGI.pm? 
    my $cgi = CGI->new();

my $remote_user = $cgi->remote_user();

    [download]
    If you are in a mod_perl environment, then it's a bit different: 
    my $r = Apache->request();

my $remote_user = $r->connection->user();

    [download]
    I think CGI.pm really digs around to get any required dirt on what REMOTE_USER might be. It's worth a shot.
[reply]
[d/l]
[select]
Re: $ENV{'REMOTE_USER'}
by hatter (Pilgrim) on May 01, 2002 at 12:16 UTC
    Another gotcha that's worth investigating - if /home/foo/public_html/mumble has .htaccess in it, but your script runs under a ScriptAlias (from /home/foo/cgi-bin for example) then it won't need or send the REMOTE_USER details. Try (from a freshly opened browser) going straight to the scripts URL and see if it asks for authentication - if it doesn't, then it's not protected by the scheme that protects the form that leads to it.

    the hatter
[reply]
[d/l]
      I am facing the same problem, actually it is described here. It turned out that variables are prefixed with REDIRECT_ prefix (check here for the answer) after applying RewriteRule.
[reply]

Back to Seekers of Perl Wisdom