Re: Perl and htaccess
by Joost (Canon) on Jul 01, 2007 at 23:12 UTC
I'm not sure that's possible, since basic authentication at least requires an authentication challenge to be sent to the browser, which AFAIK always results in the login pop-up. The relevant RFC is here. A short explanation is here.
If you implement your own authentication scheme you can do whatever you want, usually by binding a login (from a standard HTML form) to a session. See for example CGI::Session.
Update/note: some browsers allow you to use URLs like http://username:password@www.example.com to automatically log the user in. You may be able to do something with that.
Update2: if you use digest authentication you may be able to invalidate a current login (thus logging a user out again). You can't do that at all using Basic Authentication, since the credential sent to the server is just a base64 encoded user:password string and never changes unless the username and/or password changes, and the browser will remember those until you restart it.
Joost, how would you go about avoiding another standard login pop-up when you invalidate the digest login?
Re: Perl and htaccess
by hangon (Deacon) on Jul 02, 2007 at 08:51 UTC
There is no way to do this provided in the http specification. But being ever so stubborn, I've agonized more than once on how to get around this, and even tried some rather bizarre ideas that did not work out. Looking at the site you referenced in your update, I think this bullet point is the key:
- Effectively eliminates the login popup box; works with recent Internet Explorer updates.
This implies that something is different about newer versions of MSIE that provides a way to bypass the standard browser login method. They do not specifically mention any other browsers that this will work with. Anyway, I'm still curious, so if you figure out what they're doing please post an update.
Re: Perl and htaccess
by clinton (Priest) on Jul 02, 2007 at 13:15 UTC
Re: Perl and htaccess
by scorpio17 (Canon) on Jul 02, 2007 at 13:11 UTC
You should take a look at mod_perl, a very powerful plugin for the Apache web server. The little popup dialog you get when accessing protected areas of a website is the default "Basic Authentication" handler. But with mod_perl you can write your own handler, and request that it be used for authentication of certain areas rather than the default.
Here are some links to get you started:
http://perl.apache.org/
http://www.modperl.com/
http://www.modperlbook.org/html/index.html
Re: Perl and htaccess
by naikonta (Curate) on Jul 02, 2007 at 14:53 UTC
User authentication with Apache .htaccess and form-based login are two different, unrelated techniques, though you can use the .htpasswd content as a database for your form-based authentication. Of course, you can still use .htaccess to restrict access based on IP addresses or host/domain names, before even reaching the login form. I guess that's what the site you are referring to means by "Works with - and dramatically enhances - your server's basic htaccess protection."
If you use the .htaccess to authenticate users by enabling the require valid-user directive as well as providing a login form, then the users need to authenticate twice.
Open source softwares? Share and enjoy. Make profit from them if you can. Yet, share and enjoy!
Re: Perl and htaccess
by pajout (Curate) on Jul 02, 2007 at 17:55 UTC
Cosmicperl,
two points:
1. Apache features
Basic and/or digest authentication - afaik, there is no way to change browser behavior when auth credentials are requested by Apache. Additionally, there is no way to command the browser to forget used credentials (log out).
2. Proprietary features
It is possible and relatively easy to do, but it depends on your application framework (I mean modperl || php || cgi || ...). I can imagine a mod_perl PerlHandler, which is the first in the handler chain, and which checks some cookie containing a session ID.
If unsatisfied, prints the html login page and AVOIDS next handler in the chain to process.
If unsatisfied but login and password sent, checks it against rdbms or file, creates unique session id and sets related cookie.
If satisfied, does nothing special, just leaves processing to the next handler of the chain.
Update: I have such a handler somewhere, so let me know if you (or somebody else) are interested in...
Re: Perl and htaccess
by sgifford (Prior) on Jul 03, 2007 at 15:19 UTC
Hi cosmicperl,
I often use modules based on Apache::AuthCookie to get this effect. Instead of your browser remembering HTTP Auth information, it remembers a cookie. Cookies are much more flexible than HTTP Auth: they can be deleted for logout and obtained through a variety of means, including an HTML form.
Good luck!
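The session-cookie gate pajout outlines, with the cookie-based logout sgifford mentions, as an added example that is not code from any poster in this thread. It is plain Perl using core modules only and models the request as a hash instead of using the mod_perl API; the names `gate`, `new_session_id`, the `sid` cookie and the sample account are assumptions.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Constructed sample account (assumption). Salted SHA-256 keeps the example
# core-only; a real credential store should use bcrypt or Argon2.
my %USERS = (alice => { salt => 'c0ffee', hash => sha256_hex('c0ffee' . 'correct horse') });
my %SESSIONS;    # session id => { user => ..., expires => epoch }
my $TTL = 1800;  # session lifetime in seconds

sub new_session_id {    # 128 bits from the kernel CSPRNG, hex encoded
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read($fh, my $bytes, 16) == 16 or die "short read from /dev/urandom";
    return unpack 'H*', $bytes;
}

# $req: { cookie => sid, user => ..., pass => ..., logout => 1 } (all optional).
# Returns [ action, Set-Cookie value or undef ].
sub gate {
    my ($req, $now) = @_;
    my $sid = $req->{cookie};
    my $s   = defined $sid ? $SESSIONS{$sid} : undef;
    if ($s && $s->{expires} > $now) {
        return ['NEXT_HANDLER', undef] unless $req->{logout};
        delete $SESSIONS{$sid};    # logout: drop server-side state, expire cookie
        return ['LOGIN_PAGE', 'sid=; Max-Age=0; Path=/; HttpOnly; Secure'];
    }
    delete $SESSIONS{$sid} if $s;  # expired session: forget it
    my $u = defined $req->{user} ? $USERS{ $req->{user} } : undef;
    if ($u && defined $req->{pass} && sha256_hex($u->{salt} . $req->{pass}) eq $u->{hash}) {
        my $new = new_session_id();
        $SESSIONS{$new} = { user => $req->{user}, expires => $now + $TTL };
        return ['NEXT_HANDLER', "sid=$new; Path=/; HttpOnly; Secure; SameSite=Lax"];
    }
    return ['LOGIN_PAGE', undef];  # unsatisfied: show the form, stop the chain
}

sub show { my ($label, $r) = @_; printf "%-26s %s\n", $label, $r->[0]; return $r }

# Constructed walk-through of one browser session.
my $now = time;
show('no cookie',           gate({}, $now));
show('wrong password',      gate({ user => 'alice', pass => 'wrong' }, $now));
my $r = show('correct password', gate({ user => 'alice', pass => 'correct horse' }, $now));
my ($sid) = $r->[1] =~ /^sid=([0-9a-f]+)/;
show('cookie presented',    gate({ cookie => $sid }, $now));
show('logout',              gate({ cookie => $sid, logout => 1 }, $now));
show('old cookie replayed', gate({ cookie => $sid }, $now));
```

Logout deletes the server-side session entry as well as expiring the cookie, so a copy of the old cookie value is refused even if the browser never discards it.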