[TriLUG] htaccess

Aaron S. Joyner aaron at joyner.ws
Thu Mar 24 18:48:28 EST 2005


Steve Hoffman wrote:

>Looking for a php pro out there...I basically am trying to mimic
>htaccess authentication on our server, but I want to use a custom
>login page...not the popup window.  I can do the whole process myself,
>take a username/password pair, encrypt the password and compare it to
>the encrypted password in .htpasswd, but the problem is, the program
>I'm trying to access, doesn't recognize this as valid authentication.
>
>It's actually awstats...that I only want authenticated access
>(yeah...we got hacked, upgrade if you haven't!!!!) but I have many
>(~300) users from different domains that need to auth.  The problem is
>I don't know what flag to set saying that they have passed or if I can
>even do that.
>
>I don't mind redoing the method, but the requirement is that the login
>page needs to be customized to each customer's website so that's why
>the popup won't work.
>
>Thanks as always!
>Steve
>  
>
I might suggest that a close look at how 403 access denied pages work 
may shed some light on your problems.  Essentially, when you attempt to 
request a page protected by .htaccess and Apache's Basic authentication, 
the server returns a 403 result and includes a few pertinent things.  
Specifically, it returns the "Realm" which you are not authorized to 
access, and it includes a page to display.  Your browser will prompt you 
for a username and a password, and you provide the appropriate 
credentials.  The browser then re-requests the page, supplying your 
credentials to the server in the new request.

If those credentials do *not* match, the server will return another 403 
page.  Then the browser will prompt you again, up to a 
browser-configurable number of times (usually 3), before it gives up and 
displays whatever page was returned along with the 403 error.

If those credentials *do* match, then the browser caches them for a 
limited time - usually only the current browser session.  In other 
words, closing all associated windows and reopening the browser will 
clear the cache.  Any time *before* that cache is cleared, if you 
request a page that returns a 403 with the same "Realm" from above (1), 
the browser will attempt to supply the credentials it has cached for 
that realm.  You can use this fact to pre-cache the authentication 
credentials from the user, at a central page, but only by having the 
browser throw up a "pop up" window prompting the user to enter the 
appropriate information.  Because of the nature of the way basic 
authentication works, you can't "pass" those credentials to Apache, as 
Apache doesn't even store them from request to request, the browser does.

Now having said all that, you can get similar functionality without 
using Basic authentication, but you have to go away from Apache's Basic 
authentication altogether.  You'll then need to wrap up each of your 
scripts to look at some cookie, or session variable, or any of the other 
traditional ways of passing around "this user is already authenticated" 
information in PHP.  Perhaps someone can step in and explain a way to 
extend the security checking of Apache to protect a directory with an 
external script ... something in my gut tells me that's probably 
possible ... but I'm not the guy who can explain how to do it.  :)

1) This usually also has some other restrictions, i.e. the same server 
is requesting the page, etc., to prevent other pages from "extracting" 
the credentials the browser might have by guessing at realms or using 
"known important" realm names to see what the browser returns.

Hope this helps!
Aaron S. Joyner
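The session-based approach Aaron describes (each script checking a session variable instead of relying on Apache's Basic authentication), as an added example that is not code from the original thread. It assumes a `.htpasswd` path, a `require_login()` helper and a per-customer login form posting `username`/`password`; only the PHP scripts that call `require_login()` are protected by it, so it does not cover a non-PHP program like awstats on its own.

```php
<?php
// Added example, not from the original thread. Requires PHP 8 (str_starts_with).
session_start();

const HTPASSWD_FILE = '/var/www/private/.htpasswd'; // assumed path

// Parse "user:hash" lines from .htpasswd; returns the stored hash or null.
function htpasswd_lookup(string $file, string $user): ?string {
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        [$u, $h] = array_pad(explode(':', $line, 2), 2, '');
        if (hash_equals($u, $user)) {
            return $h;
        }
    }
    return null;
}

// Verify a cleartext password against the hash formats htpasswd writes.
function htpasswd_verify(string $password, string $stored): bool {
    if (str_starts_with($stored, '{SHA}')) {          // htpasswd -s
        return hash_equals(substr($stored, 5), base64_encode(sha1($password, true)));
    }
    if (str_starts_with($stored, '$2y$')) {           // htpasswd -B (bcrypt)
        return password_verify($password, $stored);
    }
    if (str_starts_with($stored, '$apr1$')) {         // Apache MD5: not implemented by PHP crypt()
        return false;
    }
    // Traditional crypt(3) DES entries (htpasswd -d) and other crypt() formats.
    return hash_equals($stored, crypt($password, $stored));
}

// Call at the top of every protected script: redirect to the customer's
// own login page unless the session already carries an authenticated user.
function require_login(string $login_page): void {
    if (empty($_SESSION['auth_user'])) {
        header('Location: ' . $login_page, true, 302);
        exit;
    }
}

// Login handler for the custom form: on success, mark the session as
// authenticated (with a fresh session id to block session fixation).
function handle_login(string $user, string $password): bool {
    $stored = htpasswd_lookup(HTPASSWD_FILE, $user);
    if ($stored !== null && htpasswd_verify($password, $stored)) {
        session_regenerate_id(true);
        $_SESSION['auth_user'] = $user;
        return true;
    }
    return false;
}
```

The Apache MD5 (`$apr1$`) format is rejected rather than verified because PHP's `crypt()` does not implement it; regenerate those entries with `htpasswd -B` (bcrypt) if the file contains them.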


