using a web form to login w/ Basic authentication

mapexdrum

I was wondering how you could POST login data that has been taken by either a login form or the login box that pops up when you try to pull up a directory that requires authentication.

I currently have a script set up to do HTTP authentication via PHP and then take the PHP_AUTH_USER and PHP_AUTH_PW authenticate them via MySQL DB.

The problem I face is being able to take a different login that is embedded in the script (re-evaluates $SERVER['PHP_AUTH_USER'] and $SERVER['PHP_AUTH_PW'] and then pass the new data to a different folder.

Essentially, pull up the login.php page...enter your username and password and then that script should check it, and if it's valid reset the auth vars and pass them to a different folder.

The different folder has been setup via Mac OS X Server as a realm. We did it this way because we didn't see any need to make a page displaying all of the pages...just give a directory listing.

If any of what you read makes sense and you have some thoughts please let me know.

Also, I can get it to send the data like this: http://USERNAME😛ASSWORD@hostname.com/folder1/ except that reveals the embedded username and password combination. That method is also depreciated in IE 6.

Thanks,
Aaron

dalecosp

I think I'm hearing you. You can stick variables in $_SESSION and carry 'em around wherever you want to. You can create another form, set HIDDEN input fields, and the info will be POSTed to a handling script when the form is submitted.

However, I'm not familiar enough with Apache Basic Auth to know how you're going to carry that across Auth realms.

Does the Mac server have PHP also? Couldn't you just (beware, I'm known for awful kludges) do something like:

//index.php

session_start();

if (!$_SESSION['authorized']) {
// auth stuff
} else {
  "include 'index.html';
}

Of course, I guess that would defeat the AutoIndex page....

I assume you've tried using the same UN/PW combination across the realm, and it fails?

Sorry I'm not much help today...

mhalloran

You should use post variables for sending the username and password fields to the login check page.

The page that checks the login info should, if valid, store the user id as a session variable. Once this session is variable is stored, you can query the database on any page at any time to get the user's first and last name. You can also store the users first and last name as a session variables but I think that's a bit sloppy.

To use sessions, begin each script that will use them with:
session_start();

As long as the session is started, you can store a variable with:
$_SESSION["variable_name"] = "hello there";

and retrieve it with:
echo $_SESSION["variable_name"];

Look up sessions in the manual, they will be your best friend.

mapexdrum

Yeah, our OS X servers are running PHP 4.3 (if I recall).

I can't pass the data through a session as the HTTP Basic auth won't take that data (that I know of).

I have a username in a cookie that's checked first w/ the login page to see if they have logged in before.

I saw something similiar to my problem on experts-exchange...except they charge and I only need one answer.

So...if any of this helps, great; if not, thanks for trying anyway.

Aaron

mapexdrum

Sessions are great, but not what I need. I have a username stored in a cookie, which is validated each time the login page is called up.

I need to be able to send the data to the second login without the user ever knowing that the second transaction ever took place (if possible).

I've tried resetting the value of variables, I've tried using headers and I just don't know.

dalecosp

That's basically what I'm saying. I don't think it's possible, but I'm in the dark as much as you. You've googled? You've checked the Apache documentation?

My <<workable>> suggestions mostly dealt with getting rid of Apache auth and rolling your own.

Sorry, I haven't much more brainpower to send this way today.

mapexdrum

Yes, I've Googled and I've been all through the Apache documentation.

I'm....frustrated.

I guess I could leave it at that.

Any other suggestions, anyone?

mapexdrum

Anyone have any ideas?