http access control - setting username and password

stoffer

I'm using a bscw-server which relies on basic http authentification for managing files and other stuff for some users. The users have allready logged in to an intranet and shouldn't be prompted for username and password again. Is there anyway to send these informations to the server?

I can get the information by sending af simple http request including the basic authorization for one page at the time but the server (or something) doesn't remember the http state and therefore further browsing within the servers pages gives a login prompt-box.

Any suggestions?

-stoffer

sneakyimp

I'm not sure what you mean by 'bscw-server' but it sounds to me like you have folks logging on to an intranet somehow. this would mean that the intranet server somehow recognizes and retains the identity of the user (probably through a session variable or some sort of internal IP address checking mechanism). How is the login accomplished? are you talking about some kind of windows-level login or are you talking about a webserver on your intranet where the login is through HTML or ASP or PHP? You are going to have to somehow retrieve the user's identity from this server or from the windows network and get it into your HTML and/or PHP code.

if you're talking about an operating system level login (like a windows network client login or some such thing) then I don't think you can do this with javascript or HTML (because it would be a security violation to retrieve such sensitive information from a user's machine). i think you're going to need perhaps an applet or activex control or something? you need something that can do a system call to retrieve your identity and login.

if the local login is accomplished through a webserver, then the webserver can probably be helpful...user login info is probably retained either in a cookie or in a session variable somewhere. if so, you are going to need to find out where it is stored so you can pass it along to the external server.

At some point, you are going to try and make the transition from the intranet to the external server and when you do so, the HTTP request you send is going to have to send their login and password (or your server won't be particularly safe).

you are probably going to have to provide more information.

stoffer

The "bscw-server" is an external server which acts like a content management system for sharing files and folders via the web. It uses simple basic http authentification.

It is correct that users first login to the intranet. This starts a PHP session. The users username and password for the "bscw-server" can be found via the PHP-session. That is, the "bscw-server" is not opend from the start of login.

It is possible to send a http requst include a base64 encoded authorization an retrieve a web-page from the bscw-server. But when trying to browse further from there the users is prompted for username and password. This is not a nice solution.

I think the problem is, that the PHP code which sends the http request is based on the server, and therefore when the user tries to open a link from the retrieved web-page the "bscw-server" can't recognize the users browser as the one initiation the authorization and therefore prompts for username and password via the http 401 response. Could this be the case? Any know solutions?

sneakyimp

so you have an intranet server running PHP login and also a BSCW server running a PHP login. The two appear to have entirely distinct PHP applications that do not share a password.

If this is the case, you need to modify whatever link it is that refers you from intranet to BSCW so that it logs the user in to the BSCW machine. You may also need to modify the login procedure on the BSCW machine as well. this might be done by changing the link to BSCW on your intranet so that it's not just a simple <A> link but rather an HTML FORM that POSTS the user login and password to the BSCW machine. You may need to modify the BSCW machine and add a page that receives this POSTed information, logs the user in, and redirects them to the appropriate page.

another possibility is that your intranet machine could temporarily store a cookie with the login information and your BSCW machine could be modified to read the cookie on arrival (although this may not be allowed because the domains are distinct).

without knowing more, i cannot give more detailed directions. nor can i tell if there is another way. sine the two machines are distinct, they cannot simply share SESSION information as far as i know. it must be explicitly sent somehow. i'm pretty sure you're going to have to at least get access to the BSCW source code...and you'll most likely have to make some changes...but maybe not.

hope this helps.