
Apache authentication

Posted: Thu Apr 15, 2004 11:25 pm
by acerola2000
Here is what I am used to doing:

1 - Show the user a form, asking login and password.

2 - Validate login and pass in the database.

3 - Redirect the user to the protected dir (.htaccess+.htpasswd) with the login and pass in the URL (http://user:pass@www.mysite.com/protecteddir/), so that he doesn't get prompted for password again.

The problem is that IE doesn't support sending user:pass on the URL anymore. How can I redirect the user to a protected dir without displaying the login box?

I could do the other way around:

1 - Redirect the user to a protected dir
or
1 - Send headers to the user to force the login box to appear

2 - Use $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] to validate the user on the database.

But this solution is not acceptable. I must not use the browser's login box. I must use my form to authenticate him. And this solution would only work if the user:pass in the database were the same as the one in htpasswd, which is not the case.

Basically I need a workaround for this IE patch. I must somehow tell IE the user:pass it must use to access the protected dir.

Posted: Thu Apr 15, 2004 11:44 pm
by Pyrite
If you use Apache's .htaccess methods, the user only has to log in once, and Apache keeps track of their session.

Posted: Thu Apr 15, 2004 11:45 pm
by Illusionist
Pyrite, I think what he wants is to create his own login script, and not have the Apache login box come up.

Posted: Thu Apr 15, 2004 11:51 pm
by Pyrite
I'm just saying he can do all that he wants without php/mysql/html needed.

http://www.apacheweek.com/features/userauth

Posted: Fri Apr 16, 2004 11:25 am
by acerola2000
No, I can't do all I want without php/mysql.

- I must check the username:password against the one stored in the database.

- I must log the logins.

- I must keep track of who is online.

- The username:password in the database is not the same as the one in htpasswd.

- The browser's login box must not pop up. I must use my own form to log the user in.

Posted: Fri Apr 16, 2004 11:28 am
by acerola2000
Pyrite wrote: If you use Apache's .htaccess methods, the user only has to log in once, and Apache keeps track of their session.
I think you are mistaken. Apache does not keep track of the session. The login:pass is sent every time by the browser to Apache. I have never heard of Apache sessions. Only PHP sessions.

Posted: Fri Apr 16, 2004 11:30 am
by acerola2000
To simplify what I want:

I must somehow redirect the user to an htpasswd-protected dir without showing him the login:pass box. The same way I could before with:

http://login:pass@www.mysite.com/protecteddir/
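
Added example, not part of any post in this thread: assuming the protected directory uses HTTP Basic authentication, the user:pass@ part of a URL only seeds an Authorization header, and the browser then attaches that same base64-encoded (not encrypted) login:pass to every request. The Python sketch below shows this on constructed sample requests; the function names are hypothetical.

```python
import base64
from urllib.parse import urlsplit, unquote

def header_from_url(url):
    """Build the Authorization header a client derives from user:pass@ in a URL."""
    parts = urlsplit(url)
    if parts.username is None:
        return None
    user = unquote(parts.username)
    password = unquote(parts.password or "")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def parse_basic(header_value):
    """Return (user, password) from an Authorization value, or None if not valid Basic."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # bad base64 or not UTF-8
        return None
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    return (user, password) if sep else None

def credentials_per_request(raw_requests):
    """For each raw HTTP request, return (path, decoded credentials or None)."""
    results = []
    for raw in raw_requests:
        head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
        path = head[0].split(" ")[1]
        creds = None
        for line in head[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "authorization":
                creds = parse_basic(value)
        results.append((path, creds))
    return results

# Constructed sample: two requests to the protected directory from one browser.
AUTH = header_from_url("http://login:pass@www.mysite.com/protecteddir/")
SAMPLE_REQUESTS = [
    f"GET /protecteddir/ HTTP/1.1\r\nHost: www.mysite.com\r\nAuthorization: {AUTH}\r\n\r\n",
    f"GET /protecteddir/logo.gif HTTP/1.1\r\nHost: www.mysite.com\r\nAuthorization: {AUTH}\r\n\r\n",
]

if __name__ == "__main__":
    for path, creds in credentials_per_request(SAMPLE_REQUESTS):
        print(path, creds)
```

Every request in the sample carries the full credentials, recoverable by anyone who sees the header or the original URL (browser history, proxy and server logs).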

Posted: Sat Apr 17, 2004 10:45 am
by Pyrite
You can use htaccess authentication with a database. But you're right, I did read your post wrong.