in reply to Perl interface to .htaccess

You can do it but it is a bit of a hack. First you need to know you can login to a password protected dir using the syntax:

http://username:password@domain.com/protected/

If you have a form with params 'username' and 'password' submit to this script:

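#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use URI::Escape qw(uri_escape);

my $url = 'domain.com/protected/redir.htm';
my $q   = CGI->new();

# Percent-encode both values so characters such as : @ / ' " < > cannot
# break the URL or the HTML and JavaScript it is written into.
my $unsafe = '^A-Za-z0-9\-._~';
my $user   = uri_escape( scalar( $q->param('username') ) // '', $unsafe );
my $pass   = uri_escape( scalar( $q->param('password') ) // '', $unsafe );
my $login_url = sprintf "http://%s:%s\@%s", $user, $pass, $url;

print $q->header;
# Meta refresh with a script fallback: the browser itself must request the URL.
print <<HTML;
<head>
<title>Logging in.....</title>
<meta http-equiv="refresh" content="0; url=$login_url">
<script>window.location='$login_url'</script>
</head>
HTML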

then the submitted username and password will be crafted into the necessary URL and automatically submitted by the browser (we can't just use a standard redirect as the browser has to be in on it). The net result is that the user will be logged in (if the supplied credentials are valid). The only problem with this is that now username:pass will be visible in the URL in the Address bar. You can cure that by pointing the login url redirect to a secondary redirect page (redir.htm in the example). Here you can redirect anywhere in the protected area, but as the user is now logged in we don't need the username:password@ part anymore.

<head>
<title>Redirecting.....</title>
<meta http-equiv="refresh" content="0; url=http://domain.com/protected/wherever.htm">
<script>window.location='http://domain.com/protected/wherever.htm'</script>
</head>

cheers

tachyon

Re^2: Perl interface to .htaccess
by muntfish (Chaplain) on Oct 06, 2004 at 08:42 UTC
    First you need to know you can login to a password protected dir using the syntax:
    http://username:password@domain.com/protected/

    I'm not sure that this will work on fully-patched versions of IE. Didn't Microsoft disable this to protect against certain "phishing" scams?

    Update: Found this link on the MS website that gives more details: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q834489


    s^^unp(;75N=&9I<V@`ack(u,^;s|\(.+\`|"$`$'\"$&\"\)"|ee;/m.+h/&&print$&
Re^2: Perl interface to .htaccess
by maard (Pilgrim) on Oct 06, 2004 at 11:00 UTC
    but as the user is now logged in we don't need the username:password@ part anymore.

    Why does this work? For access to the protected area to succeed, the browser should post an Authorization header, shouldn't it? If we no longer post the username and password in the URL, does this mean that the browser silently begins to use the Authorization header?
    Can you please explain or give a URL to read more on it?

      Yes, exactly. Most browsers cache the login information and send the appropriate Authorization header on each request.

      BTW, IIRC Mozilla Firefox will display a messagebox "Do you really want to login using the following user/pass-combination" if redirected to http://user:pass@.../.
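
What the last exchange describes, as an added example that is not part of the thread: Perl code showing how a client maps the `user:pass@` part of a URL to the `Authorization: Basic` header, which it can then send with requests for the clean URL. The helper name `split_credentials` and the second and third sample URLs are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): how a client turns the userinfo part
# of a URL into the HTTP Basic Authorization header.
use strict;
use warnings;
use URI;
use URI::Escape qw(uri_unescape);
use MIME::Base64 qw(encode_base64);

# Hypothetical helper. Returns (clean_url, header_value); header_value is
# undef when the URL carries no credentials.
sub split_credentials {
    my ($url) = @_;
    my $uri      = URI->new($url);
    my $userinfo = $uri->userinfo;    # still percent-encoded at this point
    return ( $uri->as_string, undef ) unless defined $userinfo;

    # Only the first ':' separates the user name from the password.
    my ( $user, $pass ) = split /:/, $userinfo, 2;
    for ( $user, $pass ) {
        $_ = '' unless defined $_;
        $_ = uri_unescape($_);        # %40 -> @, %3A -> : and so on
    }

    $uri->userinfo(undef);            # drop user:pass@ from the URL
    my $header = 'Basic ' . encode_base64( "$user:$pass", '' );
    return ( $uri->as_string, $header );
}

# Constructed sample URLs; the second has an encoded '@' in the password.
for my $url (
    'http://username:password@domain.com/protected/',
    'http://alice:p%40ss:word@domain.com/protected/redir.htm',
    'http://domain.com/protected/wherever.htm',
  )
{
    my ( $clean, $auth ) = split_credentials($url);
    print "GET $clean\n";
    print "  Authorization: ", ( defined $auth ? $auth : '(none)' ), "\n";
}
```

The header value is only base64-encoded, not encrypted, so anyone who can read the request can recover the user name and password.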