Forum Moderators: phranque
I want to create a custom login page for a site protected with .htaccess and .htpasswd.
Recently I saw PHP coding or a tutorial somewhere that would perform this, but lost the link.
Yesterday I received an email advertising this capability and pointing to a site which indicates it can be done, despite what all the search responses say.
Since I want to distribute this function with a script I am preparing to release, I don't want to even take a look at how that set of scripts works.
Anyone know of any tutorials that will help a beginner recreate that ability?
Many thanks in advance.
Kirk
[edited by: jdMorgan at 4:03 am (utc) on Jan. 17, 2008]
[edit reason] No URLs, please. [/edit]
(archive provided for link longevity)
the active page displays much better
[web.archive.org...]
As may this:
(no archive link available; sorry Jim)
[apache-server.com...]
This is just the very basics of this; if you read the provided links, you will certainly find your way through.
So what you are missing is that http authentication is a two-way process: first the user agent requests a resource (it does not know yet whether it is protected or not), and if that's a password-protected one, the http server (or your script) responds with an 'authorization needed' response. From then on, the user agent should send the request(s) with the proper authentication included, and the server is expected to send an 'authorization needed' response each time the authentication fails.
However, I do understand that http authentication (Apache Basic Authentication) is a two-way process ... What I want to do is intercept the 401 Authentication Required header that is sent to the client and present an HTML (or PHP) page with a more attractive login screen, and prevent the browser from presenting the authentication form (the grey screen).
From that point I think the PHP script can handle the login information with PHP_AUTH_USER and PHP_AUTH_PWD as I currently do.
I have 'googled' all of the search terms I can think of and have yet to find a solution ... But, I know that it can be done as I have recently received an email advert for such a system (see my original, edited, post).
My suspicion is that the developer of that commercial product is using a two-part process ... possibly intercepting the header in the authentication request and sending a replacement, using a redirect with "if then" qualifiers in the htaccess, or something that disrupts the process and presents a PHP page with editable HTML. I am not skilled enough to know and, for technical reasons, do not feel I should look at what they developed.
Hope you will consider the challenge further.
Thanks,
Kirk
What you can do is get rid of the htaccess way of protecting the files, make your own user database, and add a RewriteRule which rewrites all the requests to your authentication script, so that whatever is requested from your website passes through the mentioned script; then you can handle the authentication yourself (with custom html forms). You will only need a very common php login script, which asks for a user name, checks the database, and if that was successful, sends back the requested file to the browser (and maintains the login state with cookies, instead of the http authentication fields, which always send the username and password with each request).
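
The approach described in the last reply, as an added example that is not part of the original thread: one PHP script that every request is rewritten to, showing a custom HTML login form and then serving the requested file under a session cookie. The names `gate.php`, `users.php`, the `protected/` directory, the form field names and the RewriteRule in the comment are all assumptions.

```php
<?php
// gate.php: added example, not code from the thread. Assumed .htaccess beside it:
//   RewriteEngine On
//   RewriteRule ^(?!gate\.php$)(.*)$ gate.php?f=$1 [L]
// Assumed layout: files to protect live in ./protected; users.php returns an
// array such as ['kirk' => password_hash('...', PASSWORD_DEFAULT)] (constructed).
declare(strict_types=1);
// Assumes the site is served over HTTPS ('secure' keeps the cookie off plain HTTP).
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

$users = require __DIR__ . '/users.php';
$error = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST' && !isset($_SESSION['user'])) {
    $name = is_string($_POST['user'] ?? null) ? $_POST['user'] : '';
    $pass = is_string($_POST['pass'] ?? null) ? $_POST['pass'] : '';
    if (isset($users[$name]) && password_verify($pass, $users[$name])) {
        session_regenerate_id(true);      // new session id on login (session fixation)
        $_SESSION['user'] = $name;        // login state lives in the session cookie
    } else {
        $error = 'Invalid user name or password.';
    }
}

if (!isset($_SESSION['user'])) {
    // 403, not 401: a 401 with WWW-Authenticate is what opens the browser's own dialog.
    http_response_code(403);
    echo '<!doctype html><title>Login</title><form method="post">',
         '<p>', htmlspecialchars($error), '</p>',
         '<input name="user" placeholder="User name" autofocus> ',
         '<input name="pass" type="password" placeholder="Password"> ',
         '<button>Log in</button></form>';
    exit;
}

// Logged in: send the requested file, but only if it resolves inside ./protected.
$base = realpath(__DIR__ . '/protected');
$f    = is_string($_GET['f'] ?? null) ? $_GET['f'] : '';
$path = $base === false ? false : realpath($base . '/' . $f);
if ($path === false || !is_file($path)
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: ' . (mime_content_type($path) ?: 'application/octet-stream'));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

Because the rule sends every URL except `gate.php` through the script, direct requests for `users.php` or anything under `protected/` also land in the gate; `mime_content_type()` needs PHP's fileinfo extension.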