homepage Welcome to WebmasterWorld Guest from 54.197.171.109
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Home / Forums Index / Code, Content, and Presentation / Apache Web Server
Forum Library, Charter, Moderators: Ocean10000 & incrediBILL & phranque

Apache Web Server Forum

    
Custom Login with .htaccess
I want to create a custom login form or page for 401 Authentication
calvinmicklefinger




msg:3550255
 3:30 am on Jan 17, 2008 (gmt 0)

Hello,

I want to create a custom login page for a site protected with .htaccess and .htpasswd.

Recently I saw PHP coding or a tutorial somewhere that would perform this, but lost the link.

Yesterday I received an email advertising this capability and pointing to a site which indicates it can be done, despite what all the search responses say.

Since I want to distribute this function with a script I am preparing to release, I don't want to even take a look at how that set of scripts work.

Anyone know of any tutorials that will help a beginner recreate that ability?

Many thanks in advance.

Kirk

[edited by: jdMorgan at 4:03 am (utc) on Jan. 17, 2008]
[edit reason] No URLs, please. [/edit]

 

wilderness




msg:3550287
 4:34 am on Jan 17, 2008 (gmt 0)

This may help?

(archive provided for link longevity)
the active page displays much better
[web.archive.org...]

As may this:
(no archive link available; sorry Jim)
[apache-server.com...]

calvinmicklefinger




msg:3550297
 5:14 am on Jan 17, 2008 (gmt 0)

Thanks Wilderness,

But if I understand what I read in the archive, they are describing a PHP script only. It seems to me that the PHP will not run until after the user responds to the 401 Authentication Header request.

What did I miss?

Kirk

PS - Sorry about the URL Jim. Didn't stop to think.

gergoe




msg:3550694
 3:27 pm on Jan 17, 2008 (gmt 0)

That a resource is password protected or not is depending on the response the http server sends back. If you make a php script like this: <?php echo 'hello'?>, then all goes as normal. But of your script looks like this: <?php header('HTTP/1.0 401 Authorize yourself'); echo 'hello';?>, then the user agent (browser), should ask credentials from the user. Please note that the 'hello' would be still sent to the browser, it is the script's responsibility to handle requests without proper authentication.

This is just the very basic of this, if you read the provided links, you will certainly find your way through.

So what you are missing is that http authentication is a two way process, first the user agent requests a resource (it does not know yet that it is protected or not), and if that's password protected one, the http server (or your script) responds with an 'authorization needed' response. From this on, the user agent should send the request(s) with the proper authentication included, and the server is expected to send a 'authorization needed' response each time the authentication failed.

calvinmicklefinger




msg:3550755
 4:01 pm on Jan 17, 2008 (gmt 0)

Thanks gergow,

However, I do understand that http authentication (Apache Basic Authentication) is a two way process ... What I want to do is intercept the 401 Authentication Required header that is sent to the client and present an HTML (or PHP) page with a more attractive login screen, and prevent the browser from presenting the authentication form (the grey screen).

From that point I think the PHP script can handle the login information with PHP_AUTH_USER and PHP_AUTH_PWD as I currently do.

I have 'googled' all of the search terms I can think of and have yet to find a solution ... But, I know that it can be done as I have recently received an email advert for such a system (see my original, edited, post).

My suspicion is that the developer of that commercial product is using a two part processes ... possibly intercepting the header in the authentication request and sending a replacement, using a redirect with "if then" qualifiers in the htaccess, or something that disrupts the process and presents a PHP page with editable HTML. I am not skilled enough to know and for technical reasons, do not feel I should look at what they developed.

Hope you will consider the challenge further.

Thanks,
Kirk

gergoe




msg:3550855
 5:33 pm on Jan 17, 2008 (gmt 0)

There's no way (i know of), which makes possible to tell the browser to which username and password to use - because that's you are after it seems. If you want to present a html login screen, then it means that your script will receive the username and the password, so you have to do something with it.

What you can do is to get rid of the htaccess way of protecting the files, make your own user database, add a RewriteRule which rewrites all the requests to your authentication script, so whatever is requested from your website, it will pass by the mentioned script, then you can handle the authentication yourself (with custom html forms). You will only need a very common php login script, which asks for a user name, checks the database, and if it was successful, sends back the requested file to the browser (and maintains the login state with cookies, instead of the http authentication fields, which always sends the username and password with each request).

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / Apache Web Server
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved