faqts : Computers : Programming : Languages : PHP : Common Problems : Security

+ Search
 Add Entry AlertManage Folder Edit Entry Add page to http://del.icio.us/
Did You Find This Entry Useful?

31 of 41 people (76%) answered Yes
Recently 6 of 10 people (60%) answered Yes

Entry

How can I tell Apache the valid user/password entered by a HTML form so that the authentication window does not pop up?

Jul 1st, 2002 18:42
Chris Earle, Marco Steinacher, Falk Lucius, 


You could write a script that redirects the browser to 
http://user:password@foo.bar/secure_dir/.
Where user and password are the values that the user typed in your 
form.
Then the browser will use the specified user/password without popping 
up the auth. window.

Please note that this is not a very elegant solution and that, in some 
cases, the plain-text password is visible in the browser's URL text-
field after login.

Example (with PHP):
*******

1) The Form-Document:
...
<form action=authredirect.php3 method=post>
<input name=user><br>
<input type=password name=pwd><br>
<input type=submit>
<!-- Redirect to this url: -->
<input type=hidden name=url value="foo.bar/secure_dir/file.html">
</form>
...


2) The Redirect-Script (authredirect.php3)

...
<!-- Redirect automatically -->
<script language=javascript>
document.location.href='<? echo "http://".$user.":".$pwd."@".$url; ?>';
</script>
...
...
<!-- Redirect by link -->
<a href=<? echo "http://".$user.":".$pwd."@".$url; ?>>
Please click here to log in.
</a>
...

COMMENT: This seems to work as long as one is aware that a browser 
like 
MS Internet Explorer converts the "user:password" prefix to the URL 
into lower case characters, so the .htpasswd file should also contain 
only lower case user names and encoded lower case passwords.
But, as far as tests have proved, this method DOES NOT WORK with the 
Netscape Navigator because here an "invalid URL" error 400 is the 
result.
So, the question remains: is there a method to achieve the desired 
result that would work with ALL browsers?

COMMENT ON COMMENT: The URL-format "http://user:pass@host/..." works 
fine with my Netscape Navigator 4.08, maybe older versions can't cope 
with it.

COMMENT ON COMMENT (2): Netscape (known as "Nutscrape" by many, with 
good reason) is a very poorly kept browser and a lot of things don't 
work with it (for instance, the a, a:hover, a:visited in CSS do not 
work in Netscape, at least not older ones.  If you want to work around 
that (however annoying it is) you can make a class such 
as .txtlink, .txtlink:hover, .txtlink:visited and add that to all 
links (<A HREF="..." CLASS="txtlink">)).

I cannot understand why people love this browser (Netscape), Mozilla 
is great and as a web designer, it (Mozilla) makes you design/program 
better sites, because it shows things properly.  IE is also very good, 
even though it does not promote the best programming, at least it 
supports all the stuff properly.

Back to the real reason I'm commenting: even though the Authorization 
window is an annoyance, it is much better than risking the link being 
shown off with their username and password.  Also, as it was pointed 
out, IE puts it to lowercase, which also kills case sensitive log 
ins.  I'm not really sure what to tell you about getting around the 
Authorization Window, but it beats hurting security in my opinion.