htaccess question
Bill Stephenson

2005-08-11, 9:59 pm

If a directory is password protected with .htaccess can you access it
directly with a web browser by passing the user name and password in
the url string? Something like this?

http://www.mydomain.com/members/ind...password=Howard

or do you always get the popup box?

Thanks,

--
Bill Stephenson

Ovid

2005-08-11, 9:59 pm

--- Bill Stephenson <bills@perlhelp.com> wrote:
> If a directory is password protected with .htaccess can you access it
> directly with a web browser by passing the user name and password in
> the url string? Something like this?
>
> http://www.mydomain.com/members/ind...password=Howard
>
> or do you always get the popup box?


You can usually bypass the popup with this:

http://user:pass@www.mydomain/members/

However, I've heard that spoofing attacks have caused some user agents to not
forward the user/pass information when supplied in this format. I
don't know if that's true.

In any event, when using .htaccess, I would strongly recommend using it
over a secure connection.

Cheers,
Ovid

--
If this message is a response to a question on a mailing list, please send
follow up questions to the list.

Web Programming with Perl -- http://users.easystreet.com/ovid/cgi_course/

Chris Devers

2005-08-11, 9:59 pm

On Thu, 11 Aug 2005, Bill Stephenson wrote:

> If a directory is password protected with .htaccess can you access it
> directly with a web browser by passing the user name and password in
> the url string? Something like this?
>
> http://www.mydomain.com/members/ind...password=Howard
>
> or do you always get the popup box?


That won't work, because you're passing the parameters to the script,
not to the web server.

You may, however, be able to use this syntax:

http://Moe:Howard@www.mydomain.com/members/index.html

Whether this will work depends on the server configuration. If that
doesn't work, you may at least be able to send just the login name, as

http://Moe@www.mydomain.com/members/index.html

But note that embedding this in the URL is usually considered a bad
habit, unless you have no problem with this information being sent
across the internet in the clear for anyone to see.


--
Chris Devers

David Dorward

2005-08-12, 8:59 am

On Thu, Aug 11, 2005 at 10:30:35PM -0400, Chris Devers wrote:

....

I'm guessing you are talking about Basic Authentication here. A
.htaccess file can contain pretty much any apache directive, so it
could be configured to use a Perl script for authentication (which
would be more on topic for this list).

> You may, however, be able to use this syntax:
> http://Moe:Howard@www.mydomain.com/members/index.html
> Whether this will work depends on the server configuration.


No, it depends on the browser. There is no difference between that
syntax and typing into a dialog box as far as the server is concerned,
it's just different ways for the browser to gather the information from
the user.

The credentials in URL syntax hasn't got as much support as it used to
have though, it was too often used in phishing schemes.

> But note that embedding this in the URL is usually considered a bad
> habit, unless you have no problem with this information being sent
> across the internet in the clear for anyone to see.


It is only in the clear if you don't use HTTPS - and if you don't use
HTTPS then any password you send is going to be clear. The difference
here is that it is visible in the URL - and so exposed to the
look-over-the-user's-shoulder-in-the-real-world attack.

--
David Dorward http://dorward.me.uk
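
The point made in the replies above, as an added example that is not part of any poster's message: a client that honours `user:pass@` in a URL sends the same `Authorization: Basic` header a login dialog would produce, and that header is only base64, while credentials placed in the query string never reach the server's auth layer. The helper names and the `login.cgi` query URL are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, unquote


def request_for(url):
    """Return (request_target, headers) a userinfo-honouring client would send.

    The user:pass@ part is not sent as part of the URL; the client strips it
    and turns it into an Authorization: Basic header.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    headers = {"Host": host}
    if parts.username is not None:
        user = unquote(parts.username)
        password = unquote(parts.password or "")
        token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
        headers["Authorization"] = "Basic " + token
    return target, headers


def server_view(headers):
    """Decode Basic credentials as the web server would; None if absent."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    # base64 is an encoding, not encryption: anyone who sees the header
    # on a plain-HTTP connection recovers the password this way.
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# URL from the thread, plus a constructed query-string variant
# (the login.cgi path and parameter names are hypothetical).
USERINFO_URL = "http://Moe:Howard@www.mydomain.com/members/index.html"
QUERY_URL = "http://www.mydomain.com/members/login.cgi?user=Moe&password=Howard"

if __name__ == "__main__":
    for url in (USERINFO_URL, QUERY_URL):
        target, headers = request_for(url)
        print(target, headers, server_view(headers))
```

With the query-string URL the password sits in the request target, where it is typically written to server access logs, and Apache still answers 401 because no `Authorization` header was sent.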

Bill Stephenson

2005-08-16, 5:00 pm

On Aug 12, 2005, at 2:06 AM, David Dorward wrote:

> ...
>
> I'm guessing you are talking about Basic Authentication here. A
> .htaccess file can contain pretty much any apache directive, so it
> could be configured to use a Perl script for authentication (which
> would be more on topic for this list).


I may have to go this route. Apparently Internet Explorer does not
submit this string in a way the server understands:

Here's what's in the .htaccess file
===========================================
AuthUserFile /home/users/members/.htpasswd
AuthGroupFile /dev/null
AuthType Basic
AuthName "Members"

<LIMIT GET POST>
require valid-user
</LIMIT>
===========================================

How do I point this at a perl cgi script to process the logon?

Kindest Regards,
--
Bill Stephenson

Zentara

2005-08-17, 4:59 pm

On Mon, 15 Aug 2005 16:29:54 -0500, bills@perlhelp.com (Bill Stephenson)
wrote:

>On Aug 12, 2005, at 2:06 AM, David Dorward wrote:
>
>Here's what's in the .htaccess file
>===========================================
>AuthUserFile /home/users/members/.htpasswd
>AuthGroupFile /dev/null
>AuthType Basic
>AuthName "Members"
>
><LIMIT GET POST>
>require valid-user
></LIMIT>
>===========================================
>
>How do I point this at a perl cgi script to process the logon?


If I'm understanding your question correctly...........

The server is going to automatically process the login with a popup,
beyond the control of any cgi script. So you are NOT going to bypass the
server's auth mechanism, and replace it with a Perl script.

If you want to have a "secondary logon" after the server's
authentication logon has been successfully completed........
I would think that you could just point your url to the cgi program
in the protected directory. When the server tries to descend into
the directory, you will get the authentication popup, and if successful,
you will then be allowed to connect to the cgi script.

If that doesn't work..........
You could also try to make a file called index.cgi in your password
protected directory, or if your server won't allow that, make an
index.html whose sole purpose is to redirect you to your cgi script
within that protected directory.

There may be better ways, but that is the first thing I would try.

But then again, I may be totally misunderstanding your problem.


--
I'm not really a human, but I play one on earth.
http://zentara.net/japh.html

Bill Stephenson

2005-08-18, 3:59 am

On Aug 17, 2005, at 11:03 AM, zentara wrote:

> On Mon, 15 Aug 2005 16:29:54 -0500, bills@perlhelp.com (Bill Stephenson)
> wrote:
>
> If I'm understanding your question correctly...........
>
> The server is going to automatically process the login with a popup,
> beyond the control of any cgi script. So you are NOT going to bypass the
> server's auth mechanism, and replace it with a Perl script.


Ok, I thought maybe the "AuthType" might have a way to use a perl
script to process logons, but it really doesn't matter now, the client
has decided not to try and fight this issue (big sigh of relief), which
I tried to point out was actually an interface issue, and go with what
works. But if it was possible it would be interesting to play with ;)

The client wanted to use htaccess authentication to process the
user/pass from an html form. I made a script to put the user/pass in
the URL of a redirect command in the html output to the browser. This
worked great for me, I use mozilla based browsers on a mac, Internet
Explorer did not work for the client on his windows box. He finally
opted for a link to the password protected directory.

Thanks again for the help,

--
Bill Stephenson
