Results 1 to 6 of 6

Hybrid View

  1. #1
    Join Date
    Nov 2004
    Location
    FL
    Posts
    126

    Post and basic authentication

    Maybe I'm just blind today, but I've searched around and wasn't able to find the information.


    I'm trying to find out if it would be possible to make a form that posts the login info for a directory that requires basic authentication so that you don't get prompted for the login details when it redirects you to the directory.

    I hope that makes sense, I can try to clarify the question if it doesn't haha.

  2. #2
    Join Date
    Jan 2007
    Posts
    31
    Are you trying to get a form to authorize a directory that is protected through .htaccess ? As far as I know this isn't possible because it would be insecure.
    Host In Us Web Hosting Services |www.hostinus.com
    Premium Enterprise Shared Web Hosting
    Less than 80 Customers per server!

    Try us out! We want to earn your business

  3. #3
    Join Date
    Aug 2001
    Posts
    5,597
    You cant do this with a post as basic authenication is done via http headers to which you do not have direct access. So basically you would always need the browser to prompt the user.

    The only solution would be to embed the user login into the URL
    Code:
    http://user:password@hostname/directory
    but certain browsers (IE7 to my knowledge) do not support this anymore due to security reasons.

  4. #4
    Join Date
    Nov 2004
    Location
    FL
    Posts
    126
    I'm aware of the insecurity, I was just wondering if it was even possible. thanks for the info though.

  5. #5
    Could you create a script that uses the login information and displays the directory bypassing Basic Auth?

    I vaguely recall seeing a PHP script which does this on some script directory.

  6. #6
    Join Date
    Feb 2005
    Location
    Australia
    Posts
    5,849
    To use basic authentication without entering username and password into the browser prompt you'd need to fool the browser into supplying the Authorization header. That's always going to be browser-dependent and as zoid said, the user:password@host syntax no longer works for IE. (I think it was disabled by a security update to IE6 a couple of years ago).

    What you could do is use form / session based authentication and then simulate basic authentication if the user goes to the protected directory directly, ie. your script would send a 401 with "WWW-Authenticate" header then read the "Authorization" header from the browser.

    To the user that would appear identical to the system you describe but of course would be fairly complicated to achieve.

    HTH
    Chris

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •