Hi,

Instead of having the standard pop-up asking for a username and password, I would like to use a form on a normal web page. I know there is a javascript script that can handle this, but is there any other way of doing it?

I don't like the javascript solution because you can see the username and password passed in the url.

So to re-cap, I'm using htaccess/htpasswd and don't want to use a pop-up window - I want to use a web page based login form. Maybe this could be done using Perl/CGI? I would be willing to pay a small amount for such a script :-)

Thanks

You can post your request in the jobs/related forum under advertising. Such a script could also be done quite easily in PHP if I remember correctly, but a minute of time invested on googl'ing the topic didn't come up with much... Perl or any other CGI would work just as well. I'm sure you can find something on google - basically you just have to pass in the user/pass combo as a header alongside the request... Not sure how you would code it, it wouldn't be using the php header function - thats for sending a header to the client, not to the server.

An easy way of doing this is using PHP and its session support (http://www.php.net/session). You can link it up with a database if you want too.

If you have any further questions don't hesitate to let me know.

Sessions would work fine too - but I think the point he's making is that it has to work for a .htaccess style authentication... which could be pulling its data from a database or a flat text file, we don't know - so we have to code to work for htaccess style.

BTW - Many coders would argue with your view on using sessions for something as simple as this... I won't carry on a traditional "burning source" flame war though :D I'm sure you've already been plauged by the arugments of both sides.

but I think the point he's making is that it has to work for a .htaccess style
Yes, you're right. My usernames and passwords are currently stored in a text file (.htpasswd). I would want the script to interact with that. Any further ideas/help?

i think if you goto a .htaccess protected area with your username and pass infront of the url it lets you in without popup, like:

http://user:pass@www.some.com/protected

So you could make a form post the variables user and pass to that url ?

Should be easy, i could write you a php form later if htaccess does allow this style of url to be used which i think it does.

Ehh... Simple answer :D..


<?
if (isset($_POST['done']))
{
$url = "std64.com/secure";
$site = "http://".$_POST['user'].":".$_POST['pass']."@".$url;
header("Location: $site");
}

?>
<html>
<form action="<?=$PHP_SELF?>" method="POST">
User <input type="text" name="user"><br>
Pass <input type="password" name="pass"><br>
<input type="submit" name="done">
</form>
</html>



Or.... If you don't support PHP here's a javascript version



<html>
<script>
function Login(form) {
var username = form.username.value;
var password = form.password.value;
var server = form.server.value;
if (username && password && server) {
var htsite = "http://" + username + ":" + password + "@" + server;
window.location = htsite;
}

else {
alert("Please enter your username and password.");
}
}
</script>

<form>
User <input type="text" name="user"><br>
Pass <input type="password" name="pass"><br>
<input type="submit" name="done" onClick="Login(this.form)">
</form>


You can drop a six-pack off in the lounge for me :D (Killian's preffered :cool: )

Thanks to both of you for your help. The PHP solution looks the better one (like I said originally I don't like the javascript solution due to people possibly disabling it).

The only problem with the PHP solution is that it carries the username and password in the URL. This means people will be able to view passwords over people's shoulders or even go to their history and gain unauthorized access.

Is there a PHP way of passing the username and password without them showing in the URL?

Your 6-pack is here and waiting - you just need to complete the new challenge :D

J.


--
PS. Remember not to drink too much beer! :puke:

maybe _GET would work instead of _POST, this hides whats passed, but i dont know if htaccess will work with GET.

The problem doesn't lie in the method of the form action it lies in the header statement

The form data isn't passed through the URL but, when header is called you are redirected to the URL of user:pass@site.com...

There really is no way around it (that I know of).

(UH-Matt)-- The form already passes information in the POST method.

Julie writes a good article on the exact opposite, but maybe this will help you out somehow. Its PHP.

http://hotwired.lycos.com/webmonkey/00/05/index2a.html?tw=programming

From the PHP manual, similar - still exact opposite:

http://php.ca/manual/en/features.http-auth.php


I'm not sure if what you want is technically possible. What you need to have is the CLIENT sending in the username and password headers to the server. This is how httpauth works.

The client sends in the headers with the username and password combo when it receives a header 401 authentication required. (Depending on the browser, it will give you three tries...)

So - technically - its not really feasible. However, you could write a PHP script that authenticates BASED on your existing htaccess file, and just use the crypt function to encrypt the plaintext password then compare to the already encrypted one in the htaccess file (use the first two chars as the salt assuming md5.)

HTH.

However, you could write a PHP script that authenticates BASED on your existing htaccess file, and just use the crypt function to encrypt the plaintext password then compare to the already encrypted one in the htaccess file (use the first two chars as the salt assuming md5.)

Yes, this sounds like the kind of thing I need. Has someone already made this? If not then I'm happy to donate some beer money (via paypal) if someone can write this script for me.

Let me know either way.

Thanks for all your help :cartman: (its cold here!)