thunders has asked for the wisdom of the Perl Monks concerning the following question:

I'm trying to find a way to give a user access to an Apache htaccess protected directory without giving them an idea of what the password to that directory is. I found some code to get a page from such a directory in the lwpcook documentation.

    use LWP::UserAgent;
    use HTTP::Request;

    sub pass_isValid {
        my $ua  = LWP::UserAgent->new;
        my $req = HTTP::Request->new(POST => 'http://mysite.com/secure/test.html');
        $req->authorization_basic('htusername', 'htpassword');
        # Print the whole response: status line, headers and body
        print $ua->request($req)->as_string;
    }

But that's not really what I want. I'd like to do the authentication from a script, redirect the user, or provide a link to a file in that folder, and allow them to freely navigate to other files in that protected folder, without them ever seeing the Apache login screen.

Re: loggin into an Apache htprotected folder via CGI script.
by Aristotle (Chancellor) on Jun 27, 2002 at 17:54 UTC
    I think you are confusing the responsibilities here. The "login screen" is not Apache's doing. The process goes like this:
    1. Browser requests page
    2. Server says "this is part of area XYZ and is password protected"
    3. Browser asks user: What's the password for area XYZ please?
    4. User types password
    5. Browser remembers password and area and uses it whenever server says "this is area XYZ"

    In other words, even though you don't get asked the password anymore once you've typed it, this is not because the server has "authenticated" you. It is because your browser is sending the password along with every single request.

    So if you want users not to see the password dialog, you have to tell their browser the password, and thus the user can still find out what it is.

    Makeshifts last the longest.
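
The exchange described in the reply above, as an added example that is not part of the original thread: it builds the server's challenge and two follow-up requests offline, then shows that the `Authorization` header on each request decodes straight back to the password. The host `example.test`, the second file name and the helper `recover_credentials` are assumptions made for illustration; the realm name and the credentials are the placeholders used in the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Request;
use HTTP::Response;
use MIME::Base64 qw(decode_base64);

# Constructed sample values (assumptions, not the poster's real server).
my $url = 'http://example.test/secure/test.html';
my ($user, $pass) = ('htusername', 'htpassword');

# Step 2: the server's challenge names the protected area (the realm).
my $challenge = HTTP::Response->new(
    401, 'Unauthorized',
    [ 'WWW-Authenticate' => 'Basic realm="XYZ"' ],
);
my ($realm) = $challenge->header('WWW-Authenticate') =~ /realm="([^"]*)"/;

# Step 5: the client attaches the same credential to every request for
# that realm. Build two such requests with the same call the question uses.
my @requests = map {
    my $req = HTTP::Request->new(GET => $_);
    $req->authorization_basic($user, $pass);
    $req;
} $url, 'http://example.test/secure/other.html';

# Hypothetical helper: whoever can read a request (the user, a proxy, a
# capture of plain HTTP) recovers the password, because the header value
# is only base64 of "user:password", not encryption.
sub recover_credentials {
    my ($req) = @_;
    my $header = $req->header('Authorization') or return;
    my ($b64) = $header =~ /^Basic\s+(\S+)$/ or return;
    my ($u, $p) = split /:/, decode_base64($b64), 2;
    return ($u, $p);
}

print "Challenge for realm: $realm\n";
for my $req (@requests) {
    my ($u, $p) = recover_credentials($req);
    printf "%s\n  Authorization: %s\n  decodes to user=%s password=%s\n",
        $req->uri, $req->header('Authorization'), $u, $p;
}
```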

Re: loggin into an Apache htprotected folder via CGI script.
by Zaxo (Archbishop) on Jun 28, 2002 at 04:54 UTC

    I don't understand something here. What makes the password more valuable than what it's protecting?

    After Compline,
    Zaxo

Re: loggin into an Apache htprotected folder via CGI script.
by flocto (Pilgrim) on Jun 27, 2002 at 21:14 UTC

    Hm, having played with this before I can tell you that it's not all that easy :( For a successful login you need three things: a username, a password and a realm. The problem is that neither password nor realm is ever seen by the CGI script. So if you really want to do it yourself you have to use mod_perl. I recommend to have a look at Apache::DBIauth which realises authorisation with (mod_)perl.

    Sorry that I can't tell you much more than it's hard and possibly impossible to be done with pure CGI. You can experiment with only one file in your directory having the 'require' option but the entire directory being the realm. If you're lucky apache keeps on authorizing.. But to be honest I can't imagine a scenario with this kind of setup being positively necessary.. Think about saving authorized IPs together with a timeout to a file/database or something like that. (This will hardly work for high-traffic sites..)

    Hope I was of any help..
    Regards,
    -octo

Re: loggin into an Apache htprotected folder via CGI script.
by atcroft (Abbot) on Jun 27, 2002 at 18:36 UTC

    If I am understanding what you are trying to do, you may wish to look at the credentials() function in LWP::UserAgent. You can find some information regarding the function in Chapter 5 of Web Client Programming in Perl, which is available online thru O'Reilly and Associates's Open Books Project.

    If I am wrong on what you are trying to do above, the only other way I see it is to have the script they go thru return the contents of the page it logs into (with the authentication information) with all links rewritten so as to pass thru the script, so that the script acts as a proxy for retrieving the directory.

    Update: You may want to look for either an Apache module or mod_perl solution to managing access to that content. Just a thought.

      Ok, I'd best clarify. How I do this is not set in stone, I'm totally open to other options. My goal is to have a directory full of stuff that isn't easy for just anyone to access. I am already well on my way towards implementing a system where people apply to look at some information, their application is stored in a database and potentially approved. In this same database I have an encrypted password for this user.

      Ok, so an administrative type sets a flag in the database, now we have some approved users, they have usernames and a password.

      These users can now log in via a CGI login screen. Is there a way to allow only these logged on users access to certain documents? (ideally a bunch of static HTML pages and a few dynamic cgi pages)