I have been tasked with making some internal software (as you can probably tell from the section I'm posting in, it's PHP based). I have been asked to make it so the user is automatically logged in and doesn't need to have another password for another piece of software. The trouble is, I'm not sure if this would be possible in PHP.

The software is purely internal and would have absolutely no outside access.

I know that all the end users would be on Windows computers and all the usernames are in the same format so all I would need is to somehow be able to check what user is logged in.

The idea is that an employee (we'll call him John Doe) comes in and logs on to his computer. The idea is that he can just open his web browser and go to the internal URL and it would see that the current Windows user accessing the page is "john.doe" (or possibly "DOMAIN\john.doe") so it will automatically log him in and give him access to what he is allowed/needs access to.

So basically my question is this: Is it possible to check the Windows username of a visitor to a page?

I'm not sure if I've described it well enough (or overdescribed it) so let me know if you want clarification.

As explained in the stackoverflow thread, this would be a MAJOR security breach! If the user has logged into your server previously, the login information could be saved in the browser's password database, or as a cookie. If a cookie was saved, you could access it from there. In any case, getting the user's REAL Windows (or Linux) login ID is very bad juju!

Looks like everyone will have to type in login details then.


Resolved but not really solved!

Other options could be to use the IP address or to install a local program that would start the browser and pass a (logged-in) user name (or possibly an encrypted version that could then be cross-checked against the IP). I use Autoit to build local desktop apps and it would be capable of doing this. It requires a little bit of setup on each machine but once that is done, it would be dead simple for the user to click on a desktop shortcut to start his login to the php app.

Using the IP address is not a suitable solution. That would rely on there being no staff changes and having only one person use that particular computer.

Your other solution is basically just logging in. The idea is so they just go to the page in their browser and they're logged in.