Results 1 to 6 of 6
Thread: Post and basic authentication
Hybrid View
-
01-15-2007, 03:10 PM #1WHT Addict
- Join Date
- Nov 2004
- Location
- FL
- Posts
- 126
Post and basic authentication
Maybe I'm just blind today, but I've searched around and wasn't able to find the information.
I'm trying to find out if it would be possible to make a form that posts the login info for a directory that requires basic authentication so that you don't get prompted for the login details when it redirects you to the directory.
I hope that makes sense, I can try to clarify the question if it doesn't haha.
-
01-15-2007, 03:22 PM #2Junior Guru Wannabe
- Join Date
- Jan 2007
- Posts
- 31
Are you trying to get a form to authorize a directory that is protected through .htaccess ? As far as I know this isn't possible because it would be insecure.
Host In Us Web Hosting Services |www.hostinus.com
Premium Enterprise Shared Web Hosting
Less than 80 Customers per server!
Try us out! We want to earn your business
-
01-15-2007, 03:25 PM #3Web Hosting Master
- Join Date
- Aug 2001
- Posts
- 5,597
You cant do this with a post as basic authenication is done via http headers to which you do not have direct access. So basically you would always need the browser to prompt the user.
The only solution would be to embed the user login into the URL
Code:http://user:password@hostname/directory
-
01-15-2007, 03:31 PM #4WHT Addict
- Join Date
- Nov 2004
- Location
- FL
- Posts
- 126
I'm aware of the insecurity, I was just wondering if it was even possible. thanks for the info though.
-
01-15-2007, 03:29 PM #5Newbie
- Join Date
- Jan 2007
- Posts
- 10
Could you create a script that uses the login information and displays the directory bypassing Basic Auth?
I vaguely recall seeing a PHP script which does this on some script directory.
-
01-15-2007, 07:53 PM #6Retired Moderator
- Join Date
- Feb 2005
- Location
- Australia
- Posts
- 5,849
To use basic authentication without entering username and password into the browser prompt you'd need to fool the browser into supplying the Authorization header. That's always going to be browser-dependent and as zoid said, the user:password@host syntax no longer works for IE. (I think it was disabled by a security update to IE6 a couple of years ago).
What you could do is use form / session based authentication and then simulate basic authentication if the user goes to the protected directory directly, ie. your script would send a 401 with "WWW-Authenticate" header then read the "Authorization" header from the browser.
To the user that would appear identical to the system you describe but of course would be fairly complicated to achieve.
HTHChris
"Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter