First things first, ANYTHING you do without https:// (SSL) is insecure. Anything you do with SSL is "more secure", not "secure".
Which answers 90% of your questions.

If you are "stuck" with the username:password@ in the URL, my guess is you could get your current URL, use parse_url to check if it has the uname and pass bits in it, and if so, rebuild the URL without them, and redirect... it could be quite messy, and I haven't thought it through tho!!

BUT, my real advice is to choose EITHER http authentication (let them login via the usual pop-up), OR choose PHP based authentication with sessions. It's REALLY easy to write a script which can protect certain files from non-logged in members with PHP.

Justin French

on 18/02/03 10:22 PM, Shams ([EMAIL PROTECTED]) wrote:

> Hi,
>
> I have a PHP login script that takes the "username" and "password" and
> stores it in a session.
>
> Once verified as a valid user against a MySQL database, the user is
> redirected to a members area ( "/secure_area" ), using:
>
> http://username:[EMAIL PROTECTED]/secure_area/
>
> This is so that .htaccess (which is in "/secure_area") won't pop up its own
> "login/password" box.
>
> However, I am having a couple of problems,
>
> first, once the user is redirected to the /secure_area folder, EVERY link on
> that page (and onwards) is prefixed with
> http://username:[EMAIL PROTECTED]...... for everyone to see !!! and
> thus the password has been exposed.
> How can I stop it displaying the username and password ?
>
> And also, is this a secure way of logging in?
>
> (it is the only way I can figure out how to do it, so that PHP logs u in and
> passes username and password to .htaccess quietly).
>
> Many Thanks for any help!
>
> Shams
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
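
A sketch of the session-based option recommended in the reply above, added here as an illustration and not code from either poster. The file name `auth.php`, the `members` table with its `password_hash` column, and the `/login.php` path are assumptions; the point is that the password never appears in a URL or in the session.

```php
<?php
// auth.php (hypothetical name): added example, not from the thread.
// Usage at the top of every script under /secure_area/:
//   require __DIR__ . '/../auth.php'; start_secure_session(); require_login();
declare(strict_types=1);

function start_secure_session(): void
{
    session_set_cookie_params([
        'httponly' => true,   // session cookie is not readable from JavaScript
        'secure'   => true,   // cookie is only sent over https://
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Called by the login form handler. Assumes a `members` table whose
// `password_hash` column was filled with password_hash().
function try_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT id, password_hash FROM members WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    session_regenerate_id(true);               // fresh session id after login
    $_SESSION['member_id'] = (int) $row['id']; // store the id, never the password
    return true;
}

// Guard for protected pages: anonymous visitors go to the login form.
function require_login(): void
{
    if (empty($_SESSION['member_id'])) {
        header('Location: /login.php', true, 302);
        exit;
    }
}
```

With this guard in place the `.htaccess` password prompt on `/secure_area` is no longer needed for PHP pages, so nothing has to be passed in the `username:password@` part of the URL.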