override/fake HTTP auth by sending header(s)?

Status
Not open for further replies.

shadedecho

Programmer
Joined
Oct 4, 2002
Messages
336
Location
US
Ok, I have a directory which is protected by a .htaccess file which requires a username/password to be entered at the prompt before accessing the pages inside it. In 99.99% of the cases, this is what I want.

BUT... I have a trusted application that I (and only I) log into (using PHP and sessions, not HTTP Auth) where I do other system management, and from inside that application, I'd like to be able to launch a new window and have that window be able to load files from that protected directory without having to deal with the .htaccess HTTP Authentication prompt. Yeah, yeah, I realize the security risks, but I know for sure I'm the only one who gets to this script anyway.

At first, it seemed like this wouldn't be possible to "fake" or "force" the HTTP Auth in the browser's cache. But, now, I think I have an idea, I just can't seem to find specific documentation which would tell me the info I need.

What I am thinking is that I can have the new window launched, and it loads a PHP script (which resides in a non-HTTP-protected directory) in it at first, and that script sends back a set of headers to the browser like the header, which loads the AUTH headers into the window's local cache, making it think it already logged in with a certain set of appropriate credentials. Then (either using PHP or using JavaScript) that page redirects to the page in the protected directory... since the HTTP Auth would be in that window's local cache, it shouldn't prompt for the username/password.

I've found tons of documentation on how to kill the HTTP Auth by sending headers to the browser, so I think there must be a way to send the other parts of the headers to it as well. Does anyone know how I would go about this?
 
It's helpful in the sense that it talks about the "Authorization" header, and its format. Seems like you should just be able to send that header to the browser and it would cache that username/password pair. Unfortunately, I tried this with:

header("Authorization: Basic ".base64_encode("$myun:$mypw"));

No errors occur, but the authorization is not cached by the browser (using IE 6+) because I then try to switch to a directory that has HTTP auth on it, with that same username/password pair as a valid pair for input, and the prompt still comes up. :( Maybe there's some other header I need to send along with the authorization header?

Or, maybe to get it to "cache" in the browser, I need to use some sort of setCookie to store the pair in a cookie on the client? What's the name/format of that cookie, I wonder? Anyone know how IE actually caches HTTP AUTH info?
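
Added example, not part of the thread: a small Python model of the Basic authentication exchange discussed above. Authorization is a request header, so a copy sent in a response is never replayed by the client; the protected resource answers 401 with WWW-Authenticate until a request carries valid credentials. The paths, realm and credentials are constructed for illustration.

```python
import base64
import hmac

REALM = "Protected"                        # constructed realm name
USERS = {"admin": "s3cret:with:colons"}    # constructed credentials
TOKEN = base64.b64encode(b"admin:s3cret:with:colons").decode()


def parse_basic(value):
    """Return (user, password) from an Authorization request-header value, or None."""
    scheme, _, token = (value or "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:                     # bad base64 or undecodable bytes
        return None
    user, sep, password = decoded.partition(":")   # only the first colon separates
    return (user, password) if sep else None


def server(path, request_headers):
    """Model of the site: the protected directory reads credentials from the request only."""
    if not path.startswith("/protected/"):
        # The thread's helper script: it places Authorization in the *response*.
        return 200, {"Authorization": "Basic " + TOKEN}
    creds = parse_basic(request_headers.get("Authorization"))
    if creds:
        expected = USERS.get(creds[0])
        if expected is not None and hmac.compare_digest(
                creds[1].encode(), expected.encode()):
            return 200, {}
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}


def client_flow(supply_credentials):
    """Protocol-following client: response headers never become request headers."""
    status, _ignored = server("/prime.php", {})    # response Authorization is discarded
    statuses = [status]
    status, headers = server("/protected/index.html", {})
    statuses.append(status)
    if status == 401 and supply_credentials and \
            headers["WWW-Authenticate"].startswith("Basic"):
        status, _ = server("/protected/index.html",
                           {"Authorization": "Basic " + TOKEN})
        statuses.append(status)
    return statuses
```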
 