>
> Thanks Sir.. But i think this would mean that it's my
> page that's causing apache authentication.. the
> situation is there's a separate page not in my control
> that is htaccess-protected. i cannot touch that page.
> what i hope to achieve is, i want to have access to
> that page without the user entering the username and
> password at the dialog box. Instead, i will supply the
> uname/pword to that page via some means
> (get/post/cookies/etc) so the box will not appear to
> ask for it anymore but instead, apache can take that
> pair i send and authenticate it right away.
>
oic. sorry for the misunderstanding. i thought you were
also in control of that page.
> is that possible?
>
well, i have not tried this out personally. but, you can
experiment with my theory and share with PLUG the results of
your endeavor.
the idea: what you can do is that from the PHP page you
control, modify the session variables PHP_AUTH_USER and
PHP_AUTH_PWD into the values you assigned. this will not
be seen by the users. having set this, apache will not
authenticate anymore. IN THEORY.
a better idea would be to control the site yourself. this method
is very messy and is prone to security loopholes.
> perhaps a corollary question to the above is: how does
> apache determine that you have been authenticated? I
> notice that once you are logged, subsequent visits to
> the page don't cause it to ask for pword again. How
> does it store info that you have logged successfully
> before? perhaps knowing this, i can do similarly and
> trick apache into thinking my user is already
> authenticated.
>
> any ideas?
>
> --- "Horatio B. Bogbindero" <[EMAIL PROTECTED]>
> wrote:
> > >
> > > I appreciate private responses to this if deemed too
> > > OT for public post.
> > >
> > > i have a site controlled by php sessions that requires
> > > the user to login. Once logged in, certain types of
> > > users will find a link to another page that is
> > > protected by htaccess. If they click on it, apache
> > > will prompt them for a uname/password; apache htaccess
> > > authentication in this case uses a password table
> > > synchronized with what my php login page uses.
> > >
> > > I find logging in twice not so neat.
> > >
> > > Is there a way I can supply the username/password to
> > > that htaccess-protected page so that apache's box will
> > > not appear? Like, supplying the uname/pass pair via
> > > GET or POST or cookies or however? Note that the php
> > > login combination is same with what apache expects.
> > >
> > > I would have included that page as part of my php site
> > > but i just don't have control over that page.
> > >
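> > <?php
> > // Send a 401 challenge so the browser shows the Basic auth dialog.
> > function authenticate() {
> >     header('WWW-Authenticate: Basic realm="Test Authentication System"');
> >     header('HTTP/1.0 401 Unauthorized');
> >     echo "You must enter a valid login ID and password to access this resource\n";
> >     exit;
> > }
> >
> > // Read from superglobals; register_globals is gone in current PHP.
> > $user       = $_SERVER['PHP_AUTH_USER'] ?? null;
> > $seenBefore = $_POST['SeenBefore'] ?? 0;
> > $oldAuth    = $_POST['OldAuth'] ?? '';
> >
> > if ($user === null || ($seenBefore == 1 && !strcmp($oldAuth, $user))) {
> >     authenticate();
> > } else {
> >     // Escape before echoing: these values come from the client.
> >     $safeUser = htmlspecialchars($user, ENT_QUOTES);
> >     $safeSelf = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);
> >     echo "Welcome: $safeUser<BR>";
> >     echo "Old: " . htmlspecialchars($oldAuth, ENT_QUOTES);
> >     echo "<FORM ACTION=\"$safeSelf\" METHOD=POST>\n";
> >     echo "<INPUT TYPE=HIDDEN NAME=\"SeenBefore\" VALUE=\"1\">\n";
> >     echo "<INPUT TYPE=HIDDEN NAME=\"OldAuth\" VALUE=\"$safeUser\">\n";
> >     echo "<INPUT TYPE=Submit VALUE=\"Re Authenticate\">\n";
> >     echo "</FORM>\n";
> > }
> > ?>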
> >
> > this will simply check if the user is already authenticated.
> > if not it will force the user to authenticate.
> >
> > i hope this is what you need.
> >
> >
> > _
> > Philippine Linux Users Group. Web site and archives
> > at http://plug.linux.org.ph
> > To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
---------------------
[EMAIL PROTECTED]
Life is like a tin of sardines.
We're, all of us, looking for the key.
-- Beyond the Fringe
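
An added example, not part of the original messages: a small PHP model of how HTTP Basic authentication decides each request, which bears on the question above of how Apache "remembers" a login. The function names, the user table and the credentials are constructed for illustration, and the check stands in for Apache's own; it is not Apache's code.

```php
<?php
// Added illustration; all names and credentials below are constructed.

// What a browser sends on every request once the user has filled in the dialog.
function build_basic_header(string $user, string $pass): string {
    return 'Basic ' . base64_encode($user . ':' . $pass);
}

// What the server does with it. Returns [user, pass], or null if malformed.
function parse_basic_header(?string $header): ?array {
    if ($header === null || stripos($header, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(trim(substr($header, 6)), true); // strict mode
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the first colon only: a password may itself contain ':'.
    return explode(':', $decoded, 2);
}

// Stateless check: the decision depends only on this request's headers.
function status_for(array $headers, array $users): int {
    $creds = parse_basic_header($headers['Authorization'] ?? null);
    if ($creds === null) {
        return 401; // a real server adds a WWW-Authenticate challenge here
    }
    [$user, $pass] = $creds;
    $ok = isset($users[$user]) && password_verify($pass, $users[$user]);
    return $ok ? 200 : 401;
}

// Constructed password table standing in for the htpasswd file.
$users = ['alice' => password_hash('s3cret:pw', PASSWORD_DEFAULT)];

$header = build_basic_header('alice', 's3cret:pw');
$requests = [
    'first visit, no credentials yet'   => [],
    'after the dialog, header attached' => ['Authorization' => $header],
    'later visit, header sent again'    => ['Authorization' => $header],
    'cookie only, no Authorization'     => ['Cookie' => 'PHP_AUTH_USER=alice'],
    'wrong password'                    => ['Authorization' => build_basic_header('alice', 'guess')],
];
foreach ($requests as $label => $headers) {
    printf("%-36s -> %d\n", $label, status_for($headers, $users));
}
```

The header value is only base64-encoded, so anything that carries it (a browser, a proxy, a server-side fetch) exposes the password unless the connection uses HTTPS.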