Web Hosting Talk







View Full Version : Post and basic authentication


TrevorN
01-15-2007, 03:10 PM
Maybe I'm just blind today, but I've searched around and wasn't able to find the information.


I'm trying to find out if it would be possible to make a form that posts the login info for a directory that requires basic authentication so that you don't get prompted for the login details when it redirects you to the directory.

I hope that makes sense, I can try to clarify the question if it doesn't haha.

HIU-Daniel
01-15-2007, 03:22 PM
Are you trying to get a form to authorize a directory that is protected through .htaccess? As far as I know this isn't possible because it would be insecure.

zoid
01-15-2007, 03:25 PM
You can't do this with a post as basic authentication is done via HTTP headers to which you do not have direct access. So basically you would always need the browser to prompt the user.

The only solution would be to embed the user login into the URL
http://user:password@hostname/directory
but certain browsers (IE7 to my knowledge) do not support this anymore due to security reasons.

wstek
01-15-2007, 03:29 PM
Could you create a script that uses the login information and displays the directory bypassing Basic Auth?

I vaguely recall seeing a PHP script which does this on some script directory.

TrevorN
01-15-2007, 03:31 PM
I'm aware of the insecurity, I was just wondering if it was even possible. Thanks for the info though.

foobic
01-15-2007, 07:53 PM
To use basic authentication without entering username and password into the browser prompt you'd need to fool the browser into supplying the Authorization header. That's always going to be browser-dependent and as zoid said, the user:password@host syntax no longer works for IE. (I think it was disabled by a security update to IE6 a couple of years ago).

What you could do is use form / session based authentication and then simulate basic authentication if the user goes to the protected directory directly, i.e. your script would send a 401 with "WWW-Authenticate" header then read the "Authorization" header from the browser.

To the user that would appear identical to the system you describe but of course would be fairly complicated to achieve.

HTH
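
The decision logic foobic describes (session first, then the `Authorization` header, otherwise a 401 challenge), sketched in Python as an added example that is not code from this thread. `REALM`, `USERS`, `parse_basic` and `authorize` are hypothetical names, the credential store is constructed sample data, and `headers` is assumed to be a plain dict keyed by canonical header name.

```python
import base64
import hmac

REALM = "Protected"              # assumed realm name
USERS = {"trevor": "s3cret"}     # constructed sample store; real ones hold password hashes


def parse_basic(header_value):
    """Return (user, password) from an Authorization header, or None if malformed."""
    if not header_value:
        return None
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        # The token is only base64("user:password"): encoded, not encrypted.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:           # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")   # password may itself contain ':'
    return (user, password) if sep else None


def authorize(headers, session_user=None, users=USERS):
    """Return (status, response_headers, user) for a request to the protected directory."""
    # 1. A user already logged in through the form/session sees no browser prompt.
    if session_user in users:
        return 200, {}, session_user
    # 2. Otherwise accept credentials the browser supplied in the Authorization header.
    creds = parse_basic(headers.get("Authorization"))
    if creds:
        user, password = creds
        expected = users.get(user, "")
        # Constant-time comparison avoids leaking how much of the password matched.
        ok = hmac.compare_digest(password.encode(), expected.encode())
        if ok and user in users:
            return 200, {}, user
    # 3. No session and no valid header: send the challenge that triggers the prompt.
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, None
```

Because the header carries the password in reversible base64, this only makes sense over HTTPS.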