Hi all,
I have the following script that (in theory) would work:
<?php
// Send a 401 challenge so the browser prompts for HTTP Basic credentials.
function authenticate() {
    header("WWW-Authenticate: Basic realm=\"Member Area\"");
    header("HTTP/1.0 401 Unauthorized");
    print("You must enter a valid login username and password to access this resource.\n");
    exit;
}

if (!isset($PHP_AUTH_USER)) {
    authenticate();
} else {
    $c = mysql_pconnect("localhost", "XXXXX", "XXXXX");
    mysql_select_db("httpauth", $c);
    // Escape the client-supplied credentials before they go into the query.
    $q = sprintf("SELECT username, password FROM login_table
                  WHERE username='%s' AND password='%s'",
                 mysql_real_escape_string($PHP_AUTH_USER, $c),
                 mysql_real_escape_string($PHP_AUTH_PW, $c));
    $q = mysql_query($q, $c);
    if (mysql_num_rows($q) == 0) {
        authenticate();
    }
    // Open or create the .htpasswd file - store the username and a fake password
    $handle = fopen("/path/to/file/.htpasswd", "a+");
    // .htpasswd format is: USERNAME:PASSWORD
    $clean = rand(0, 9999999999);
    $fake_password = crypt($clean, substr($clean, 0, 2));
    $string = "$PHP_AUTH_USER:$fake_password\n";
    fwrite($handle, $string);
    fclose($handle);
    // print "You are logged in as: $PHP_AUTH_USER with password $PHP_AUTH_PW - FAKE IS: $fake_password";
    $url = "http://$PHP_AUTH_USER:$clean@server/member/index.php";
    header("Content-Location: $url");
}
?>
So here are the basics: The user authenticates using HTTP auth against a MySQL database - if the username and password are correct then a NEW entry is created in a .htpasswd file - this file contains the username along with an unknown password. Why? To prevent people from posting passwords... (we can monitor the number of logins from the PHP script).
If I make a Location: username:password@server/ then it simply fails 🙁 However, if I make a meta tag with a refresh (GET) to the same URL then it works just fine.
Am I missing something? Or?
Your input and help is appreciated 🙂
Thanks in advance
Regards
Lasse Laursen
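
An added example, not part of the original post: one way to write the .htpasswd entry described above so that each user has a single line in the file, the throwaway password comes from a CSPRNG, and concurrent logins do not interleave their writes. It assumes PHP 7+ and Apache 2.4 (bcrypt `$2y$` hashes); the function name `issue_htpasswd_token` is hypothetical.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7+ and Apache 2.4,
// which accepts bcrypt ("$2y$") hashes in .htpasswd files.
// issue_htpasswd_token() is a hypothetical helper name.
function issue_htpasswd_token(string $file, string $user): string
{
    // ':' separates the fields and a line break ends the record, so a
    // username containing either could corrupt the file or add entries.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $user)) {
        throw new InvalidArgumentException('invalid username');
    }
    $token = bin2hex(random_bytes(16));           // 128 bits from the CSPRNG
    $hash  = password_hash($token, PASSWORD_BCRYPT);

    $fh = fopen($file, 'c+');                     // create if missing, do not truncate
    if ($fh === false || !flock($fh, LOCK_EX)) {  // serialise concurrent logins
        throw new RuntimeException('cannot lock htpasswd file');
    }
    $lines = [];
    while (($line = fgets($fh)) !== false) {
        $line = rtrim($line, "\r\n");
        // Keep every entry except an older one for this user.
        if ($line !== '' && strpos($line, $user . ':') !== 0) {
            $lines[] = $line;
        }
    }
    $lines[] = $user . ':' . $hash;

    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, implode("\n", $lines) . "\n");
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $token;                                // cleartext, never stored
}

// Constructed demo on a temporary file: two logins leave one line for "alice".
$tmp = tempnam(sys_get_temp_dir(), 'htp');
issue_htpasswd_token($tmp, 'alice');
$token   = issue_htpasswd_token($tmp, 'alice');
$entries = file($tmp, FILE_IGNORE_NEW_LINES);
$ok      = password_verify($token, explode(':', $entries[0], 2)[1]);
printf("%d line(s), new token verifies: %s\n", count($entries), var_export($ok, true));
unlink($tmp);
```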