moldboy

Http Authentication Without Using The Popup


As it is mentioned earlier on in this forum, I am trying to use HTTP authentication to add simple user control to my site. One thing I like about it is that the username and password are stored throughout the entire session, so that way I don't have to enter into the realm of cookies and session IDs. So now I was wondering: a) can I use a standard HTML form and place the password and username values into $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] so that they will be remembered throughout the session, and b) is this secure if it would work?


If you are trying to use this in your Xisto account, most probably you are out of luck. Most of the time, the web server will be configured to run PHP in CGI mode. This is less problematic and has fewer security issues than the Apache module version. But HTTP authentication is available in PHP only when it is used in the Apache module mode, and CGI mode does not support this.


... Most of the time, the web server will be configured to run PHP in CGI mode. This is less problematic and has fewer security issues than the Apache module version. ...

Uh, not quite. Running PHP as a CGI is far more problematic than the module version, and opens up a whole new level of security issues. I haven't viewed it for quite a while, but I seem to remember the official PHP installation guide recommending you install PHP as an Apache module if possible for these exact reasons.

 

Anyway...

 

moldboy, although not conventional and very impractical, it's possible to authenticate users with Basic HTTP Authentication via PHP. I would recommend you write your own simple login system, but as you said you would rather not, the easiest way I can think of 'bypassing' the popup is by redirecting the user to the equivalent of http://www1.domain.com/directory/ if that makes sense. This particular authentication method (along with some others) allows for the username and password to be passed along via the URI, so assuming the username and password were correct, their browser would not display a popup.

 

Basic HTTP Authentication uses session information to 'remember' authenticated users, so it's not really possible to have your script set up authentication and then pass credentials to the user. You could, however, have the script verify the login information prior to redirecting the user, to make sure they will not encounter a popup (which their browser will display if the login information is incorrect).
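
The following added example (not code from any poster in this thread) reads and verifies Basic credentials in PHP, covering both the Apache module case, where `PHP_AUTH_USER` is populated, and the CGI case raised above. It assumes that under CGI the web server has been configured to pass the `Authorization` header through as `HTTP_AUTHORIZATION`; the user name, password and realm are constructed sample values.

```php
<?php
// Added example, not from the thread. The user name, password and realm are
// constructed sample values.

// Return [user, password] from a request's server variables, or null.
function basic_credentials(array $server): ?array {
    if (isset($server['PHP_AUTH_USER'])) {          // filled in by mod_php
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    // Under CGI those keys are absent. Assumption: the web server has been
    // configured to hand the raw header to PHP as HTTP_AUTHORIZATION.
    $header = $server['HTTP_AUTHORIZATION'] ?? '';
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/]+=*)$/i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);          // strict: false on junk
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the first colon only; a password may itself contain ':'.
    return explode(':', $decoded, 2);
}

function is_authenticated(array $server, array $users, string $dummyHash): bool {
    $creds = basic_credentials($server);
    if ($creds === null) {
        return false;
    }
    [$user, $pass] = $creds;
    $known = isset($users[$user]);
    // Unknown users are checked against a dummy hash so the response time
    // does not show which names exist.
    $ok = password_verify($pass, $known ? $users[$user] : $dummyHash);
    return $known && $ok;
}

$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
$dummy = password_hash('unused', PASSWORD_DEFAULT);

if (PHP_SAPI === 'cli') {
    // Offline check with constructed requests, shaped as a browser sends them.
    $good = ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:correct horse')];
    var_dump(is_authenticated($good, $users, $dummy));
    var_dump(is_authenticated(['HTTP_AUTHORIZATION' => 'Basic !!!'], $users, $dummy));
} elseif (!is_authenticated($_SERVER, $users, $dummy)) {
    header('WWW-Authenticate: Basic realm="Members"');
    http_response_code(401);
    exit('Authentication required');
}
```

The browser re-sends the `Authorization` header with every request to the realm, and its value is only base64-encoded, so the password crosses the network each time and should travel over HTTPS only.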
