Re: Logoff/ReLogin to htaccess in one browser
by dda (Friar) on Jul 10, 2002 at 06:32 UTC
Where in Google have you looked? I've found some interesting discussions here
--dda | [reply] |
Re: Logoff/ReLogin to htaccess in one browser
by hatter (Pilgrim) on Jul 10, 2002 at 11:17 UTC
I gave up looking for solutions to this problem, once I moved over to using more complicated authentication (my current back end intrinsically allows a prived user to pretend to be a lesser one). So as you'd expect, a solution prevented itself late one night shortly after.
What you need to do is force your webserver to report a 401 error (authentication required). This is the same as it normally reports when you try to access a protected directory, and your browser should then assume the credentials it previously supplied are no longer correct, and prompt you for username and password.
I suggested this to a friend having similar difficulties finding how to do it, and he reckons it works just peachy, except for a bug in one version of IE5.
the hatter
| [reply] [d/l] |
Good idea, hatter. But how would you do that? How would you force a 401? Can you do it by writing to the HTTP header directly? I'd love to see some code.
LAI
:eof
| [reply] |
use CGI;
my $q = CGI->new;
# Send a 401 status so the browser treats its cached credentials as rejected
print $q->header(-status=>'401 Authorization required');
# add code here to print the rest of the error document
__________
He seemed like such a nice guy to his neighbors /
Kept to himself and never bothered them with favors
- Jefferson Airplane, "Assassin" | [reply] [d/l] |
Re: Logoff/ReLogin to htaccess in one browser
by Zaxo (Archbishop) on Jul 10, 2002 at 05:43 UTC
Not a Perl solution, but you could sidestep the problem by use of auth groups with different levels of privilege. You'll probably want to segregate your higher privilege forms in a subdirectory with a higher privilege group required. See mod_auth and friends in the Apache docs.
After Compline, Zaxo
| [reply] |
Re: Logoff/ReLogin to htaccess in one browser
by rattusillegitimus (Friar) on Jul 10, 2002 at 05:08 UTC
If I remember correctly, there isn't actually any way to log off someone who is logged in via the .htaccess password protection except by closing the browser.
-rattus
He seemed like such a nice guy to his neighbors /
Kept to himself and never bothered them with favors
- Jefferson Airplane, "Assassin"
| [reply] |
•Re: Logoff/ReLogin to htaccess in one browser
by merlyn (Sage) on Jul 10, 2002 at 15:12 UTC
"BasicAuth" access protection is really simple, and in its simplicity, it fails for serious apps because:
- There's no clean way to "log out", as you noticed.
- The passwords are transmitted in the clear on each hit.
- There's no "timeout": if you forget to log out when you walk away, the next user can use your credentials.
One better solution is to use a cookie (or some other session tracking solution, like hidden fields, mangled URLs, or mangled hostnames), with a server-side database to handle the login authentication and timeout. I have an example of this in one of my columns. It's really only a few dozen lines of code. I think someone even wrapped it into a module, if I recall.
-- Randal L. Schwartz, Perl hacker | [reply] |
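A sketch of the cookie-plus-server-side-session approach described in the post above, as an added example; it is not the code from the column mentioned there. The in-memory `%SESSIONS` hash stands in for the server-side database, all function names and the 15-minute timeout are assumptions, and `login()` is assumed to be called only after the password has been verified.

```perl
# Added example: %SESSIONS stands in for the server-side database; names are hypothetical.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

my $IDLE_TIMEOUT = 15 * 60;   # seconds of inactivity before expiry (assumed value)
my %SESSIONS;                 # sha256(token) => { user => ..., last_seen => epoch }

# Return a 256-bit random token as hex, read from the kernel CSPRNG.
sub new_token {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $bytes, 32) == 32 or die "short read from urandom";
    return unpack 'H*', $bytes;
}

# Call after the password check succeeds; the returned token is the cookie value.
sub login {
    my ($user, $now) = @_;
    my $token = new_token();
    # Store only a hash of the token so a leaked session table cannot be replayed.
    $SESSIONS{ sha256_hex($token) } = { user => $user, last_seen => $now };
    return $token;
}

# Return the user name for a live session, or undef if unknown or timed out.
sub check {
    my ($token, $now) = @_;
    my $key = sha256_hex($token // '');
    my $s = $SESSIONS{$key} or return;
    if ($now - $s->{last_seen} > $IDLE_TIMEOUT) {
        delete $SESSIONS{$key};      # idle timeout: covers the walked-away user
        return;
    }
    $s->{last_seen} = $now;          # sliding window: activity extends the session
    return $s->{user};
}

# Logout is a server-side delete, so the old cookie value is dead immediately.
sub logout { delete $SESSIONS{ sha256_hex($_[0] // '') }; return }

# Constructed walk-through with fixed clock values instead of time().
my $t0  = 1_000_000;
my $tok = login('alice', $t0);
print "Set-Cookie: session=$tok; Secure; HttpOnly\n";
printf "t+60s:        %s\n", check($tok, $t0 + 60)   // 'rejected';
printf "t+2000s:      %s\n", check($tok, $t0 + 2000) // 'rejected';
$tok = login('alice', $t0 + 2000);
logout($tok);
printf "after logout: %s\n", check($tok, $t0 + 2001) // 'rejected';
```

The `Secure` cookie attribute only helps if the site is served over HTTPS; without TLS the session token crosses the wire in the clear just as the Basic credentials do.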
Re: Logoff/ReLogin to htaccess in one browser
by z28 (Sexton) on Jul 10, 2002 at 09:56 UTC
Thanks for the link dda. It confirms bad news: to do this is to basically render htaccess pointless. :(
The different realm thing could work if I only had one user/pass per realm, however, this is not the case.
Perhaps I'll make a CGI-based system? Is there a JavaScript snippet that will close all windows and launch another?
| [reply] |
Unfortunately a JavaScript solution wouldn't work. JS runs in the context of your browser, as a child of your browser. So yes, it can close the browser instance, but then the process is dead so it can't do anything. And JS doesn't have the capability to make system calls, so it can't open a new instance before closing the current one.
Come to think of it, it might be possible to write a small Java applet to open a separate browser instance, but the user would have to explicitly allow the applet to do this... and it's way more trouble than I would go to in your place.
LAI
:eof
| [reply] |
Re: Logoff/ReLogin to htaccess in one browser
by z28 (Sexton) on Jul 11, 2002 at 15:22 UTC
A link sending an invalid user/pass back to the login page worked like a charm. Thank you for that good idea!
On a related topic, I'm concerned about sending clear text passwords. The website holds patient medical records which should be as secure as possible. I was unaware the passwords were sent in clear text and wonder if there is a way (or option to toggle) to make them more secure?
| [reply] |