Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hello, I am using Apache Basic Authentication under win32 to restrict access to portions of a site. When my users have entered their username/password they can move freely in and out of the password protected area until they exit their browser. Restarting the browser then starts another session with a new login required. Apache seems to keep track of user sessions but doesn't use cookies. I want to respond to user requests based on who is making the request. Can I get this information from Apache for use in my CGI scripts and if so how? Thanks

Replies are listed 'Best First'.
Re: apache authentication
by amw1 (Friar) on Jan 10, 2005 at 18:22 UTC
    Apache (based on CGI standards) publishes the name of the remote user in the environment the CGI is executed in. Looking at
    $ENV{'REMOTE_USER'}
    will give you the username as long as they are logged in.
    Update: Changed % to $ ... stupid typos
Re: apache authentication
by CountZero (Bishop) on Jan 10, 2005 at 20:48 UTC
    The webserver has of course no innate notion of sessions. It will have a user-name in the environment, based upon the log-in and password the users provided.

    For all Apache cares, you could have multiple users using the same user-name and password (unless you specifically check that in your scripts).

    What you seem to see as "tracking" user sessions is your clients' browsers remembering the "realm" they enter and automatically sending the username + password when Apache asks for authentication (which it will do each time you request a restricted web-page).

    If you use Firefox and you have installed the WebDeveloper extension, you can clear the HTTP authentication and your browser will ask you to input the username and password again.

    CountZero

    "If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law

Re: apache authentication
by ikegami (Patriarch) on Jan 10, 2005 at 19:33 UTC
    Apache seems to keep track of user sessions but doesn't use cookies.

    Nope, no session, at least not in the server. The web browser simply sends the username and password with each request.

    and oh! $ENV{'REMOTE_USER'} works better than amw1's %ENV{'REMOTE_USER'} :)
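
The replies above point to $ENV{'REMOTE_USER'}; as an added example (not code from any poster in this thread), here is a CGI script that answers per user and fails closed when Apache did not authenticate the request. The %greeting_for data, the username pattern and the 403 response are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example: per-user response from a CGI script behind Apache Basic auth.
use strict;
use warnings;

# Hypothetical per-user data; the names are constructed for this example.
my %greeting_for = (
    alice => 'Your reports are ready.',
    bob   => 'You have two pending approvals.',
);

# Return the authenticated username, or nothing if the request cannot be trusted.
sub authenticated_user {
    my ($env) = @_;
    my $user = $env->{REMOTE_USER};
    my $type = $env->{AUTH_TYPE} // '';

    # Fail closed: REMOTE_USER is only set when Apache authenticated the request,
    # so it is missing if the script is also reachable outside the protected area.
    return unless defined $user && length $user;
    return unless lc($type) eq 'basic';

    # Assumed username policy for this example; reject anything else
    # before the value is used as a key, in a path or in output.
    return unless $user =~ /\A[A-Za-z0-9_.-]{1,32}\z/;
    return $user;
}

# Escape the characters that matter in HTML text and attribute values.
sub html_escape {
    my ($text) = @_;
    my %entity = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                  '"' => '&quot;', "'" => '&#39;');
    $text =~ s/([&<>"'])/$entity{$1}/g;
    return $text;
}

my $user = authenticated_user(\%ENV);
unless (defined $user) {
    print "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n";
    print "No authenticated user for this request.\n";
    exit 0;
}

my $message = $greeting_for{$user} // 'No personal data on file.';
print "Content-Type: text/html; charset=utf-8\r\n\r\n";
printf "<p>Hello, %s. %s</p>\n", html_escape($user), html_escape($message);
```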