in reply to Re: Mimicking htaccess user authentication
in thread Mimicking htaccess user authentication

Thanks c, but...

I don't have apache::htpasswd module installed, and as I said above, can't install it. It's not really the crux of the problem anyway, as I can handle parsing the htpasswd file.

What really concerns me is how to capture the username and password entered in the authentication dialog box. I'll explain in a bit more depth:

I activate an authentication dialog box by sending the following HTTP headers, using CGI.pm:

# One header() call: the 401 status plus the Basic challenge for the "Private" realm
print $query->header(-status => '401 Unauthorized', -WWW_Authenticate => 'Basic realm="Private"');

Now, if I were using PHP (!), the user name and password would be stored in $PHP_AUTH_USER and $PHP_AUTH_PW, which I would then try to match against the htpasswd file.

Also, I use these aforementioned variables in PHP with the isset() function to determine whether the user has logged in yet.

Anything PHP can do, Perl can do better?

Of course a proper implementation of htaccess security would not use isset(), but would send some sort of success message back to the client browser, causing the $REMOTE_USER environment variable to be set. But now I am out of my depth.

Any suggestions, O wise ones?

*~-}hotyopa{-~*

Re: Re: Re: Mimicking htaccess user authentication
by mischief (Hermit) on Aug 02, 2001 at 17:28 UTC

    Something I've never been able to figure out, either because I'm missing something quite obvious or because there really is no answer, is: Why does PHP bother to set $PHP_AUTH_USER anyway? As far as I can tell, it's always the same as $REMOTE_USER.

    As for getting the password, I don't think that's necessary (although I'm sure there's some way you could do it). $REMOTE_USER is only ever going to be set if the user has logged in successfully, so all you need to do is check whether $REMOTE_USER has been set or not - the existence of $REMOTE_USER itself is the "success message".
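Added example (not code from either poster): a Perl CGI script that treats REMOTE_USER as the success signal when the server did the authentication, and otherwise decodes the Basic credentials itself and checks them against a crypt()-format htpasswd file. It assumes the web server has been configured to pass the Authorization header to the script as HTTP_AUTHORIZATION, which Apache does not do by default; the htpasswd path is a placeholder.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use MIME::Base64 qw(decode_base64);

my $HTPASSWD = '/path/to/.htpasswd';    # placeholder path (assumption)
my $query    = CGI->new;

# Send the 401 challenge that makes the browser show its login dialog.
sub challenge {
    print $query->header(-status           => '401 Unauthorized',
                         -WWW_Authenticate => 'Basic realm="Private"'),
          "Authentication required.\n";
    exit;
}

# Return (user, password) from an "Authorization: Basic ..." value, or ().
sub basic_credentials {
    my ($value) = @_;
    return unless defined $value && $value =~ m{^Basic\s+([A-Za-z0-9+/=]+)\s*$}i;
    my ($user, $pass) = split /:/, decode_base64($1), 2;   # password may contain ':'
    return unless defined $pass && length $user;
    return ($user, $pass);
}

# Check a password against a "user:hash" line; only hash formats that the
# system crypt() understands will match.
sub htpasswd_ok {
    my ($file, $user, $pass) = @_;
    open my $fh, '<', $file or return 0;
    while (my $line = <$fh>) {
        chomp $line;
        my ($name, $hash) = split /:/, $line, 2;
        next unless defined $hash && $name eq $user;
        my $try = crypt($pass, $hash);          # stored hash doubles as the salt
        return defined $try && $try eq $hash;
    }
    return 0;                                   # unknown user
}

# REMOTE_USER is set only when the server itself authenticated the request.
my $user = $ENV{REMOTE_USER};
unless (defined $user && length $user) {
    my ($u, $p) = basic_credentials($ENV{HTTP_AUTHORIZATION});
    challenge() unless defined $u && htpasswd_ok($HTPASSWD, $u, $p);
    $user = $u;
}
print $query->header(-type => 'text/plain'), "Hello, $user\n";
```

Basic credentials are only base64-encoded, so they cross the network in recoverable form on every request unless the connection is protected by TLS.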