Welcome to WebmasterWorld Guest from

Forum Moderators: Ocean10000 & incrediBILL & phranque

Message Too Old, No Replies

Custom Login with .htaccess

I want to create a custom login form or page for 401 Authentication



3:30 am on Jan 17, 2008 (gmt 0)

10+ Year Member


I want to create a custom login page for a site protected with .htaccess and .htpasswd.

Recently I saw PHP coding or a tutorial somewhere that would perform this, but lost the link.

Yesterday I received an email advertising this capability and pointing to a site which indicates it can be done, despite what all the search responses say.

Since I want to distribute this function with a script I am preparing to release, I don't want to even take a look at how that set of scripts work.

Anyone know of any tutorials that will help a beginner recreate that ability?

Many thanks in advance.


[edited by: jdMorgan at 4:03 am (utc) on Jan. 17, 2008]
[edit reason] No URLs, please. [/edit]


4:34 am on Jan 17, 2008 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

This may help?

(archive provided for link longevity)
the active page displays much better

As may this:
(no archive link available; sorry Jim)


5:14 am on Jan 17, 2008 (gmt 0)

10+ Year Member

Thanks Wilderness,

But if I understand what I read in the archive, they are describing a PHP script only. It seems to me that the PHP will not run until after the user responds to the 401 Authentication Header request.

What did I miss?


PS - Sorry about the URL Jim. Didn't stop to think.


3:27 pm on Jan 17, 2008 (gmt 0)

10+ Year Member

That a resource is password protected or not is depending on the response the http server sends back. If you make a php script like this: <?php echo 'hello'?>, then all goes as normal. But of your script looks like this: <?php header('HTTP/1.0 401 Authorize yourself'); echo 'hello';?>, then the user agent (browser), should ask credentials from the user. Please note that the 'hello' would be still sent to the browser, it is the script's responsibility to handle requests without proper authentication.

This is just the very basic of this, if you read the provided links, you will certainly find your way through.

So what you are missing is that http authentication is a two way process, first the user agent requests a resource (it does not know yet that it is protected or not), and if that's password protected one, the http server (or your script) responds with an 'authorization needed' response. From this on, the user agent should send the request(s) with the proper authentication included, and the server is expected to send a 'authorization needed' response each time the authentication failed.


4:01 pm on Jan 17, 2008 (gmt 0)

10+ Year Member

Thanks gergow,

However, I do understand that http authentication (Apache Basic Authentication) is a two way process ... What I want to do is intercept the 401 Authentication Required header that is sent to the client and present an HTML (or PHP) page with a more attractive login screen, and prevent the browser from presenting the authentication form (the grey screen).

From that point I think the PHP script can handle the login information with PHP_AUTH_USER and PHP_AUTH_PWD as I currently do.

I have 'googled' all of the search terms I can think of and have yet to find a solution ... But, I know that it can be done as I have recently received an email advert for such a system (see my original, edited, post).

My suspicion is that the developer of that commercial product is using a two part processes ... possibly intercepting the header in the authentication request and sending a replacement, using a redirect with "if then" qualifiers in the htaccess, or something that disrupts the process and presents a PHP page with editable HTML. I am not skilled enough to know and for technical reasons, do not feel I should look at what they developed.

Hope you will consider the challenge further.



5:33 pm on Jan 17, 2008 (gmt 0)

10+ Year Member

There's no way (i know of), which makes possible to tell the browser to which username and password to use - because that's you are after it seems. If you want to present a html login screen, then it means that your script will receive the username and the password, so you have to do something with it.

What you can do is to get rid of the htaccess way of protecting the files, make your own user database, add a RewriteRule which rewrites all the requests to your authentication script, so whatever is requested from your website, it will pass by the mentioned script, then you can handle the authentication yourself (with custom html forms). You will only need a very common php login script, which asks for a user name, checks the database, and if it was successful, sends back the requested file to the browser (and maintains the login state with cookies, instead of the http authentication fields, which always sends the username and password with each request).


Featured Threads

Hot Threads This Week

Hot Threads This Month