alexander.elg...@t-systems.com wrote:
a...@ice-sa.com wrote:
alexander.elg...@t-systems.com wrote:
Hello,
I am looking for a way to retrieve the AUTH password, without using mod_rewrite
...
I'd be interested in how you would do it, using mod_rewrite.
For my personal education.
mod_rewrite is really powerful, you are able to pass any header information to
any output.
I just tried the following rule, it just appends the header to the GET Request.
RewriteEngine On
RewriteRule (.*) $1?HTTP_Authorization=%{HTTP:Authorization} [PT]
Or pass it to ENV:
RewriteRule / - [PT,E=HTTP_Authorization:%{HTTP:Authorization}]
http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html
In PHP you just need a single line to decode it:
var_dump(base64_decode(str_replace('Basic ', '', $_REQUEST['HTTP_Authorization'])));
var_dump(base64_decode(str_replace('Basic ', '', $_SERVER['HTTP_Authorization'])));
And please do not talk about security, it is just base64, if there is no SSL,
anyone in the middle is able to read the password.
I gather that this is a very indirect response to my question: you are talking about HTTP
Basic Authentication. And without SSL, so this is a very insecure environment (but we did
not know that before).
In that case - one among many possibilities, which is why I was asking - indeed the
password is "encrypted" (so to speak) and sent over the network as part of the HTTP
"Authorization" header.
And I gather - which you also did not say - that this is a cgi-bin script, not a mod_perl
module. So indeed it has a cgi-bin "environment" available to it.
(This is a mod_perl support list, so it is kind of expected that people come here to ask
mod_perl-specific questions, unless they say otherwise).
So now, about your initial question, does your webserver include mod_perl, and is your
perl cgi-bin script running under mod_perl?
I am asking because you did not say, and because the response to your question is
different, depending on your environment.
Basically:
- if you are not running under mod_perl, as a simple cgi-bin perl script, then you will
also need mod_rewrite, and code similar to what you show above for PHP.
- if you are running under mod_perl, then your script would have access to some deeper
things within Apache httpd, and you could do this without mod_rewrite.
And there is a side question too, just out of curiosity: if this is such an insecure
environment, why do you bother encrypting the response (using the user's password which
everyone can get at anyway)?
And if this is running under SSL, then also why bother encrypting the response?