htaccess and user/password dialog box

searain

If a folder is under .htaccess/.htpasswd protection, it will pop up a dialog box to ask the user id and password.

Can I change the dialog box to a regular html form page? If I can, how?

Thanks!

drew010

no there isnt a way to do that but if you want to make people enter the username and password thru a form you can make it appear to work the way you want by doing this:

<?php

if (!isset($_POST['username'])) {
?>
<form method="POST">
<input type="text" name="username" value="username"><br />
<input type="text" name="password" value="password"><br />
<input type="submit">
<?php
} else {
  header("Location: http://" . $_POST['username'] . ":" . $_POST['password'] . "@yoursite.com/protected/index.html");
}

?>

searain

Thanks!

But how about security?

Will this be passed in plaintext?
Will this address stays in the brower's history?
And I tested it, it is not working in the Internet Explorer but it is working in Netscape and Firefox. I thought it was working in Internet Explorer before (I might be wrong here). Any history lessons here?

drew010

passwords sent via http authentication scheme are always sent over the network plaintext so there is no lost security in this method.
but now that you mention it doesnt work in internet explorer that reminded me about a security flaw ms had with internet explorer where you could put a null string in your links and change what appears in the address bar, so they disabled the abililty to pass the username and password in the url like that, so because ms cant release bug free products, instead of fixing it, they just ruin stuff for everyone so that method i gave wont work.

searain

so, this is the industry standard. and hundreds of thousands sites might already wrote their codes this way. now because the flaw ms cannot fix in their own products, so hundreds of thousands sites all over the world written in this way are not going to work (unless they are lucky they can find help in house or outsource cost effectively).

go figure.

how about the browser history issue, will it (user/password) stay in the browser (some browsers some version?) history, another security concern? just for the fun of the knowledge, if ie not support it, i cannot use this method anyway.

thanks!

drew010

as far as i know, when that method did work, the browsers would just read that info from the url, pass it along in the http headers, but not store it in history. i think as soon as it reads that url, from that point on the browser doesnt even show the username and password in the url bar. but if i remember correctly, if you typed it into ie that way, it would keep it in the location bar recent urls.