in reply to Mimicking htaccess user authentication

This is a topic that has interested me as well. Although I haven't had the time to fully explore it, I think you may want to start by looking into Apache::Htpasswd. It looks like it provides a good deal of the abilities that you're looking for. Plus, I believe it's written by one of our own.
You may also want to read through this which seems to provide some external info on the topic you're interested in.

humbly -c

Re: Re: Mimicking htaccess user authentication
by hotyopa (Scribe) on Aug 02, 2001 at 14:05 UTC

    Thanks c, but...

    I don't have the Apache::Htpasswd module installed, and as I said above, can't install it. It's not really the crux of the problem anyway, as I can handle parsing the htpasswd file.

    What really concerns me is how to capture the username and password entered in the authentication dialog box. I'll explain in a bit more depth:

    I activate an authentication dialog box by sending the following HTTP headers, using CGI.pm:

    # CGI.pm takes the status and any extra header fields as named parameters of one header() call
    print $query->header(-status => '401 Unauthorised', -WWW_Authenticate => 'Basic realm="Private"');

    Now, if I were using PHP (!), the user name and password would be stored in $PHP_AUTH_USER and $PHP_AUTH_PW, which I would then try to match against the htpasswd file.

    Also, I use these aforementioned variables in PHP with the isset() function to determine whether the user has logged in yet.

    Anything PHP can do, Perl can do better?

    Of course a proper implementation of htaccess security would not use isset(), but would send some sort of success message back to the client browser, causing the $REMOTE_USER environment variable to be set. But now I am out of my depth.

    Any suggestions, O wise ones?

    *~-}hotyopa{-~*

      Something I've never been able to figure out, and is either because I'm missing something quite obvious, or because there really is no answer is: Why does PHP bother to have set $PHP_AUTH_USER anyway? As far as I can tell, it's always the same as $REMOTE_USER.

      As for getting the password, I don't think that's necessary (although I'm sure there's some way you could do it). $REMOTE_USER is only ever going to be set if the user has logged in successfully, so all you need to do is check whether $REMOTE_USER has been set or not - the existence of $REMOTE_USER itself is the "success message".
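
Added example, not part of the original thread: a Perl sketch of the two places a CGI script can learn who authenticated, REMOTE_USER when the server enforces the .htaccess rules, and the raw Authorization header when the script does the check itself. It assumes the server is configured to expose that header as HTTP_AUTHORIZATION (Apache does not pass it to CGI scripts by default) and that password entries use the crypt() format; the helper names and sample data are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);

# Constructed stand-in for a parsed htpasswd file (user => crypt() hash).
my %htpasswd = (alice => crypt('s3cret', 'ab'));

# Split "Basic base64(user:password)" into (user, password); empty list if malformed.
sub parse_basic_auth {
    my ($header) = @_;
    return unless defined $header && $header =~ m{^Basic\s+([A-Za-z0-9+/=]+)\s*$}i;
    my ($user, $pass) = split /:/, decode_base64($1), 2;
    return unless defined $user && length $user && defined $pass;
    return ($user, $pass);
}

# crypt() reuses the salt embedded in the stored hash, so equal output means a match.
sub check_password {
    my ($user, $pass) = @_;
    my $stored = $htpasswd{$user};
    return 0 unless defined $stored;
    my $got = crypt($pass, $stored);
    return (defined $got && $got eq $stored) ? 1 : 0;
}

# Return the authenticated user name for a CGI environment, or nothing.
sub authenticated_user {
    my ($env) = @_;
    # Server enforced the .htaccess rules: REMOTE_USER is set by the server itself.
    return $env->{REMOTE_USER} if length($env->{REMOTE_USER} // '');
    # Script-side check: only possible if the server passes the header through.
    my ($user, $pass) = parse_basic_auth($env->{HTTP_AUTHORIZATION});
    return $user if defined $user && check_password($user, $pass);
    return;   # caller answers 401 with a WWW-Authenticate header
}

# Constructed sample environments, as a CGI script would see them in %ENV.
my @samples = (
    [ 'server-side auth' => { REMOTE_USER => 'alice' } ],
    [ 'good credentials' => { HTTP_AUTHORIZATION => 'Basic ' . encode_base64('alice:s3cret', '') } ],
    [ 'wrong password'   => { HTTP_AUTHORIZATION => 'Basic ' . encode_base64('alice:guess', '') } ],
    [ 'no header'        => {} ],
);
for my $s (@samples) {
    my $user = authenticated_user($s->[1]);
    printf "%-17s => %s\n", $s->[0], defined $user ? "user $user" : '401 required';
}
```

REMOTE_USER comes from the server, while anything a client sends arrives as an HTTP_* variable, which is why the script-side branch verifies the password instead of trusting the decoded name.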