Http Authentication Without Using The Popup

As it is mentioned earlier on in this form I am trying to use HTTP authentication to add simple users control to my site, one thing I like about it is that the username and password are stored throught the entire session that way I don't have to enter into the realm of cookeis and session id's. So now I was wondering, a) can I use a standard html forum and place the password and username values into $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] so that they will be reembered throuout the session, and is this secure if it would work?

If you are trying to use this in your Xisto account, most probably you are out of luck. Most of the times, the webserver will be configured to run php in cgi mode. This is less problematic and has fewer security issues than the apache module version.But http authentication is available in php only when it is used in the apache module mode and cgi mode does not support this.

No, I can use PHP HTTP atuhentication, I was just wondering if I could forgo the popup, and replace it with a standard login gui

... Most of the times, the webserver will be configured to run php in cgi mode. This is less problematic and has fewer security issues than the apache module version. ...

Uh, not quite. Running PHP as a CGI is far more problematic than the module version, and opens up a whole new level of security issues. I haven't viewed it for quite a while, but I seem to remember the official PHP installation guide recommending you install PHP as an Apache module if possible for these exact reasons.

 

Anyway...

 

moldboy, although not conventional and very inpractical, it's possible to authenticate users with Basic HTTP Authentication via PHP. I would recommend you write your own simple login system, but as you said you would rather not, the easiest way I can think of 'bypassing' the popup is by redirecting the user to the equivalent of http://www1.domain.com/directory/ if that makes sense. This particular authentication method (along with some others) allows for the username and password to be passed along via the URI, so assuming the username and password were correct, their browser would not display a popup.

 

Basic HTTP Authentication uses session information to 'remember' authenticated users, so it's not really possible to have your script set up authentication and then pass credentials to the user. You could, however, have the script verify the login information prior to redirecting the user, to make sure they will not encounter a popup (which their browser will display if the login information is incorrect).