Hi,

I have a folder on my server protected by Apache Basic Authentication, and a third party script in another folder that uses the same username and password for access.

I would like to be able to click on a link or button on a page in the protected folder and have the login information (from PHP_AUTH_USER and PHP_AUTH_PWD) from the protected folder passed to the login form of the third party script and submitted so the user can be automatically logged in to the thrid party script without having to complete the form or hit the submit button of the third party script.

Relevant information ...

Username from Apache protected folder = PHP_AUTH_USER
Password from Apache protected folder = PHP_AUTH_PWD

Form name on the third party script page = LoginForm
Username field name on the third party script page = login
Password field name on the third party script page = passwd

There are also two hidden fields in the form on the third party script page ...
name = cgi_ret value = /xyz
name = realm value = Joe

Does anyone have any ideas for submitting the user name and password from the Apache protection to the third party script and doing an automatic login?

Many thanks in advance for any suggestions!

Kirk

So you want to click a link in the protected area causing a form to pop up for another user on another computer prefilling and autosubmitting this data, ultimately logging that person into the protected area?

If that is what you are trying to do, it certainly can be done with some creativity. But the process of doing so would require the filling of many holes. For example:
1. How are you going to ensure that this is the correct user and that it is not someone else without some type of authentication? Without authentication, the only way I see of doing this is the first person that hits this url first gets logged in.
2. Are your passwords encrypted? Since it is the standard apache authentication, I would assume that it is the standard apache encryption as well. I have not researched it but is the encryption reverseable, allowing you to prefill the form?

I don't know if what I am saying is making sense, but there are a lot of holes and security issues with doing this, this is only a couple.

I want to click on a link/button on a page in protected folder "A" that will open a login page in folder "B", fill in the form with the login and password and submit the form so the user can access and use the script in "B." Both are on the same domain on the same server.

Does that help?

I'm certainly not saying that it can't be done securely. I'm just saying that it is going to be a long thought out process and If you want advice from a forum, I could easily see this thread going 100+ posts, minimum.

I'm certainly not saying that it can't be done securely. I'm just saying that it is going to be a long thought out process and If you want advice from a forum, I could easily see this thread going 100+ posts, minimum.

100 Posts! Wow! Oh well, I'm game.

So you want to click a link in the protected area causing a form to pop up for another user on another computer prefilling and autosubmitting this data, ultimately logging that person into the protected area?

See quick reply above.

If that is what you are trying to do, it certainly can be done with some creativity. But the process of doing so would require the filling of many holes. For example:
1. How are you going to ensure that this is the correct user and that it is not someone else without some type of authentication? Without authentication, the only way I see of doing this is the first person that hits this url first gets logged in.

The user is logged in to the first protected folder. It uses Apache Basic Authentication so I have the PHP_AUTH_USER and PHP_AUTH_PWD available. The script in folder B uses the same login information. In fact, the script in B generated the htpasswd information for A from its database. I am thinking that passing those variables is the easiest way of passing the login values.

2. Are your passwords encrypted? Since it is the standard apache authentication, I would assume that it is the standard apache encryption as well. I have not researched it but is the encryption reverseable, allowing you to prefill the form?

Ah, I had not thunk of that. That may be why my current method is causing an error.

Here is what I am doing now ...

<form name="JVM2loginForm" action="http://MyDomain.com/jvm/auth/login.html?cgi_ret=%2Fjvm&realm=Jin$do_login=submit&login=<? $_SERVER['PHP_AUTH_USER'] ?>&passwd=<? $_SERVER['PHP_AUTH_PWD'] ?>&cgi_ret=/jvm&realm=Jin" method="post">
<p><input type="submit" name="Submit" value="Execute" /></p>
</form>
<script type="text/javascript" language="JavaScript"><!-- window.onload=function( )
{
    document.JVM2loginForm.submit();
}
//--></script>

I don't know if what I am saying is making sense, but there are a lot of holes and security issues with doing this.

Here is more on the scenario ...

I have a third party script that I use to sell memberships to a protected folder. The script then generates the htpasswd file that restricts access to the members. The script also creates user accounts which allow my members to become affiliates. These affiliate accounts are managed by the third party script and are accessed using the same username and password as it assigns for the protected folder.

I want my members to be able to enter the affiliate management function part of the third party script with one click from the protected folder without having to re-enter their login information, since it is the same and they are coming directly from the protected folder on the same server.

Since you have mentioned the encryption factor of the PHP_AUTH_PWD, I am thinking I need to research that part a bit.

Thanks, and if you have any ideas, please let me know.

Kirk

I think that is going to be your biggest hurdle is the password. Since this is normally encrypted you will need to store the plain text version in your database and then query the database when you want to prefill the form.

I think that is going to be your biggest hurdle is the password. Since this is normally encrypted you will need to store the plain text version in your database and then query the database when you want to prefill the form.

I just checked a script another guy had developed for me and he is using the password directly in an echo statement. When I look at the data where it is inserted, it is in text, so apparently when it is retrieved, Apache decrypts it in PHP_AUTH_PWD.

I tried to use his stuff, but in that usage it is on another of my domains plus we had access to the code of the receiving page.

Thanks,
Kirk

This article has been dead for over six months. Start a new discussion instead.