How can I tell Apache the valid user/password entered by a HTML form so that the authentication window does not pop up?
Jul 1st, 2002 18:42
Chris Earle, Marco Steinacher, Falk Lucius,
You could write a script that redirects the browser to
Where user and password are the values that the user typed in your
Then the browser will use the specified user/password without popping
up the auth. window.
Please note that this is not a very elegant solution and that, in some
cases, the plain-text password is visible in the browser's URL text-
field after login.
Example (with PHP):
1) The Form-Document:
<form action=authredirect.php3 method=post>
<input type=password name=pwd><br>
<!-- Redirect to this url: -->
<input type=hidden name=url value="foo.bar/secure_dir/file.html">
2) The Redirect-Script (authredirect.php3)
<!-- Redirect automatically -->
document.location.href='<? echo "http://".$user.":".$pwd."@".$url; ?>';
<!-- Redirect by link -->
<a href=<? echo "http://".$user.":".$pwd."@".$url; ?>>
Please click here to log in.
COMMENT: This seems to work as long as one is aware that a browser
MS Internet Explorer converts the "user:password" prefix to the URL
into lower case characters, so the .htpasswd file should also contain
only lower case user names and encoded lower case passwords.
But, as far as tests have proved, this method DOES NOT WORK with the
Netscape Navigator because here an "invalid URL" error 400 is the
So, the question remains: is there a method to achieve the desired
result that would work with ALL browsers?
COMMENT ON COMMENT: The URL-format "http://user:pass@host/..." works
fine with my Netscape Navigator 4.08, maybe older versions can't cope
COMMENT ON COMMENT (2): Netscape (known as "Nutscrape" by many, with
good reason) is a very poorly kept browser and a lot of things don't
work with it (for instance, the a, a:hover, a:visited in CSS do not
work in Netscape, at least not older ones. If you want to work around
that (however annoying it is) you can make a class such
as .txtlink, .txtlink:hover, .txtlink:visited and add that to all
links (<A HREF="..." CLASS="txtlink">)).
I cannot understand why people love this browser (Netscape), Mozilla
is great and as a web designer, it (Mozilla) makes you design/program
better sites, because it shows things properly. IE is also very good,
even though it does not promote the best programming, at least it
supports all the stuff properly.
Back to the real reason I'm commenting: even though the Authorization
window is an annoyance, it is much better than risking the link being
shown off with their username and password. Also, as it was pointed
out, IE puts it to lowercase, which also kills case sensitive log
ins. I'm not really sure what to tell you about getting around the
Authorization Window, but it beats hurting security in my opinion.