WebProWorld Part of WebProNews.com
  #1 (permalink)  
Old 08-03-2007, 08:15 PM
WebProWorld Member
 

Join Date: Jul 2003
Posts: 49
dmadance RepRank 0
Default htaccess and login

Does anyone have a good script that can create a login to a site protected by htaccess? Also, does someone have a script to log out from a site protected by htaccess?

I was thinking the logout could be done with AJAX by asking for a URL http://randomstring:randomstring@mysite.com and, when that fails, to somehow redirect to the homepage. Is this feasible? If somebody has already done this I would love the code.

I know one can do logins with "http://username:password@mysite.com". Does anyone have a script of some sort that can take username and password as inputs to a form, and only goes to the page if authenticated to go to the protected site? I think this can be done with AJAX. I am very new to AJAX (just read AJAX in 10 minutes 10 minutes ago), so if someone out there knows this, I would appreciate the help.
  #2 (permalink)  
Old 08-06-2007, 03:56 PM
WebProWorld Member
 

Join Date: Dec 2005
Posts: 90
JohneeMac RepRank 0
Default Re: htaccess and login

What happens with Javascript disabled?

Can you not use a more standard php / asp log in system?
  #3 (permalink)  
Old 08-06-2007, 05:35 PM
WebProWorld New Member
 

Join Date: Nov 2005
Posts: 8
gawotn RepRank 0
Default Re: htaccess and login

"Does anyone have a good script that can create a login to a site protected by htaccess."

I have used this program for years:

SiteInteractive.com - Account Manager Lite :: Free CGI Perl Script
  #4 (permalink)  
Old 08-06-2007, 06:07 PM
WebProWorld New Member
 

Join Date: Aug 2006
Posts: 9
trabar RepRank 0
Default Re: htaccess and login

I've used Siteinteractive's Pro version for years. I completely forgot I could use it on the other web site I have planned. After visiting their site again, it reminded me of why I bought it in the first place. (smile).

When I first got it, the tech support for the pro version was outstanding.

Judith
Book Club, Free Self Help Books, Free Fiction Books,Free Money Screensaver, Free Game, Affirmation Movie DVD and more at agoodread.com

P.S. I'm not an affiliate but I may change my mind because I've been very happy with their product.
__________________
Learn how to make RSS Feeds Free
http://www.agoodread.com
  #5 (permalink)  
Old 08-06-2007, 11:45 PM
WebProWorld New Member
 

Join Date: Jul 2003
Location: Australia
Posts: 4
chaoley RepRank 0
Default Re: htaccess and login

Try the following links for just about everything you might want to know about htaccess.

http://www.askapache.com/htaccess/apache-htaccess.html

http://www.javascriptkit.com/howto/htaccess.shtml
__________________
Southwind Web Services
www.sthwind.com
  #6 (permalink)  
Old 08-06-2007, 11:54 PM
WebProWorld Member
 

Join Date: Jul 2003
Posts: 49
dmadance RepRank 0
Default Re: htaccess and login

I have looked at the Siteinteractive solution; unfortunately, it does too much. I don't need a program that creates the .htaccess file and stores information; I have all that already. I need a program that can log in to or log out from the directory that is already protected, and then redirect appropriately to my existing account creation scripts or the homepage.

I have not seen a way to do this, other than the brute-force method in the browser window for logout, which is to try to force a bogus authentication.
  #7 (permalink)  
Old 08-07-2007, 01:06 AM
WebProWorld Member
 

Join Date: Jul 2003
Posts: 49
dmadance RepRank 0
Default Re: htaccess and login

Ok, I figured out a way to do the login with a Perl script. All I did was call a script that created a redirect through http-equiv to http://username:password@mysite.com. Seems to work great; the only issue is that if you try to reauthenticate with bogus information, it keeps the previous authentication, which leads to my next problem.

I now need to figure out a way to do a logout of an htaccess-protected file after being authenticated. I tried writing a script that forces a bogus authentication; this didn't seem to work, even though it did work when done through the browser window.
  #8 (permalink)  
Old 08-07-2007, 01:14 AM
WebProWorld New Member
 

Join Date: Oct 2005
Location: Graz / Austria / EC
Posts: 14
e-dvertising RepRank 0
Lightbulb Re: htaccess and login

As far as I know and understand .htaccess, there is no possibility to log out from an htaccess-protected area; you have to close the browser's window (in FF you have to close _all_ windows!) to make the browser "forget" the login information for that session.

So if you want to have a solution with "logout" you have to go for
- Session-IDs
- Cookies
- Combination SID and Cookie
...


Annotation: don't use a redirect or anything else like http://username:password@... in public, because that may cause the user/pass combination to get into some browsers' or even servers' logs and history (e.g. some toolbars even log that to search engine results), and that might open up parts of protected areas.
__________________
http://e-dvertising.at/ : e-dvertising - Hinterdorfer & Edlinger OG
advertising | werbung - webdesign - fullservice - cms . Graz - Zeltweg / Austria

Last edited by e-dvertising : 08-07-2007 at 01:36 AM.
Reply With Quote
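A check for the log exposure described in the annotation above, as an added example that is not from any participant in this thread: it finds URLs carrying `user:pass@` in log lines, redacts them, and reports the host and user name without the password. The sample log lines, host name and credentials are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# URLs as they appear inside log fields: stop at whitespace or a quote
URL_RE = re.compile(r"""(?:https?|ftp)://[^\s"'<>]+""", re.IGNORECASE)

def strip_userinfo(url):
    """Return (url without user:pass@, user name or None if none was present)."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:          # an "@" in the path is not userinfo
        return url, None
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user = userinfo.partition(":")[0]
    return parts._replace(netloc=hostport).geturl(), user

def scrub_line(line):
    """Redact embedded credentials; report (host, user), never the password."""
    findings = []
    def redact(match):
        clean, user = strip_userinfo(match.group(0))
        if user is not None:
            findings.append((urlsplit(clean).netloc, user))
        return clean
    return URL_RE.sub(redact, line), findings

def scrub_log(lines):
    """Return (redacted lines, [(line number, host, user), ...])."""
    cleaned, report = [], []
    for number, line in enumerate(lines, start=1):
        clean, findings = scrub_line(line)
        cleaned.append(clean)
        report.extend((number, host, user) for host, user in findings)
    return cleaned, report

# Constructed access-log lines (made-up host and credentials)
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Aug/2007:01:06:12 +0000] "GET /secureplace/file.html '
    'HTTP/1.1" 200 512 "http://alice:s3cret@mysite.example/login.cgi" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Aug/2007:01:06:15 +0000] "GET /index.html '
    'HTTP/1.1" 200 204 "http://mysite.example/contact@sales" "Mozilla/5.0"',
]

if __name__ == "__main__":
    lines, report = scrub_log(SAMPLE_LOG)
    print("\n".join(lines))
    print(report)
```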
  #9 (permalink)  
Old 08-07-2007, 09:31 AM
Moderator
WebProWorld Moderator
 

Join Date: Jun 2006
Location: United States
Posts: 1,765
wige RepRank 4
Default Re: htaccess and login

e-dvertising is right. You don't actually "log in" to htaccess protected content, so there is no way to actually log out. The username and password prompt that you are shown is not shown by the server; it is generated by your browser. Every time that you access a protected page, the browser is prompted for your username and password. This means that you are actually re-authenticated every time you click on a link. So that you do not need to keep re-entering your password, the browser will remember the last good password either permanently or until the browser is closed. From the server end, you do not have the ability to override this functionality.

Please note, .htaccess IS NOT SECURE as all username/password combinations are transmitted in plain text and can be easily intercepted and used by unauthorized parties to gain access to the protected content.
__________________
The best way to learn anything, is to question everything.
Interestingly Average Security Blog
  #10 (permalink)  
Old 08-07-2007, 12:03 PM
WebProWorld Member
 

Join Date: Jul 2007
Location: California, USA
Posts: 26
jganders RepRank 0
Default Re: htaccess and login

When authenticated using basic or digest authentication in Apache, the username is stored in the HTTP header REMOTE_USER. If you are using PHP, the username and password are also stored in the HTTP header as PHP_AUTH_USER and PHP_AUTH_PW.
Regarding logout, cPanel has a logout link. It works as dmadance requires. I don't know if cPanel simply deletes the value for REMOTE_USER or something else entirely. But I use it all the time to switch between various remote databases managed with phpMyAdmin.
  #11 (permalink)  
Old 08-07-2007, 01:58 PM
WebProWorld New Member
 

Join Date: Oct 2005
Location: Graz / Austria / EC
Posts: 14
e-dvertising RepRank 0
Default Re: htaccess and login

I don't know cPanel, but I know different other panels _and_ I know phpMyAdmin. Here you've got different possibilities to handle the "login", and I guess the one you mentioned is not (only) htaccess-based but uses at least a combined method or even no htaccess at all, 'cause especially with FF you have to close _all_ instances to get rid of the user/pass combination which has once been entered to get a "second" chance to log in with another one.
__________________
http://e-dvertising.at/ : e-dvertising - Hinterdorfer & Edlinger OG
advertising | werbung - webdesign - fullservice - cms . Graz - Zeltweg / Austria
  #12 (permalink)  
Old 08-07-2007, 02:34 PM
Moderator
WebProWorld Moderator
 

Join Date: Jun 2006
Location: United States
Posts: 1,765
wige RepRank 4
Default Re: htaccess and login

If you use a bad username/password combo to force the user to log out, the following happens:

First, the user wants to visit the secure site...
Browser: GET /secureplace/file.html
Server: 401 Unauthorized Authenticate Realm
Browser shows user a password prompt for the realm "Realm"
Browser: GET /secureplace/file.html AUTHENTICATION Realm username:pass
Server: 200 OK

Then the user clicks a link. Since the browser remembers that this directory requires authentication, it automatically includes the username and password.
Browser: GET /secureplace/otherfile.html AUTHENTICATION Realm username:pass
Server: 200 OK

If you use any process to change the login, such as using a URL with a bad username and password embedded, the following will occur:
Browser: GET /secureplace/someotherfile.html AUTHENTICATION Realm baduser:badpass
Server: 401 Unauthorized Authenticate Realm
Browser: GET /secureplace/someotherfile.html AUTHENTICATION Realm knowngooduser:knowngoodpassfromcache
Server: 200 OK
__________________
The best way to learn anything, is to question everything.
Interestingly Average Security Blog

Last edited by wige : 08-07-2007 at 02:38 PM.
Reply With Quote
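The exchange in the post above, replayed with the real Basic authentication header syntax, as an added example that is not from any participant in this thread. The `Browser` class is a simplified model of the credential cache as the post describes it, not a statement about every browser; the user store and function names are made up for the demo, and `decode_basic` shows that the header carries the password in reversible base64 on every request.

```python
import base64

REALM = "Realm"                # realm name as written in the post above
USERS = {"username": "pass"}   # constructed credential store for the demo

def basic_header(user, password):
    """Authorization value sent with every request under Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def decode_basic(header):
    """Recover (user, password); base64 is an encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def server(path, authorization=None):
    """Stateless check: each request is judged only on its own header."""
    if authorization:
        user, password = decode_basic(authorization)
        if USERS.get(user) == password:
            return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}

class Browser:
    """Model of the browser-side credential cache the post describes."""
    def __init__(self):
        self.cache = None      # last (user, password) the server accepted
        self.log = []          # (path, user offered, status) per request

    def get(self, path, creds=None):
        offered = creds or self.cache
        header = basic_header(*offered) if offered else None
        status, _ = server(path, header)
        self.log.append((path, offered[0] if offered else None, status))
        if status == 200 and offered:
            self.cache = offered
        elif status == 401 and creds and self.cache and creds != self.cache:
            return self.get(path)   # rejected: fall back to cached login
        return status

def replay_thread_exchange():
    b = Browser()
    b.get("/secureplace/file.html")                         # 401, prompt
    b.get("/secureplace/file.html", ("username", "pass"))   # 200
    b.get("/secureplace/otherfile.html")                    # cached, 200
    b.get("/secureplace/someotherfile.html", ("baduser", "badpass"))
    return b.log
```

The last call produces two log entries: the bogus credentials get a 401, then the cached pair is re-sent and accepted, which is why the forced-bad-login "logout" leaves the session intact in this model.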
  #13 (permalink)  
Old 08-08-2007, 06:59 AM
WebProWorld Veteran
 

Join Date: Jun 2005
Location: LA, USA
Posts: 535
Clint1 RepRank 1
Default Re: htaccess and login

Quote:
Originally Posted by dmadance
Does anyone have a good script that can create a login to a site protected by htaccess? Also, does someone have a script to log out from a site protected by htaccess?

I was thinking the logout could be done with AJAX by asking for a URL http://randomstring:randomstring@mysite.com and, when that fails, to somehow redirect to the homepage. Is this feasible? If somebody has already done this I would love the code.

I know one can do logins with "http://username:password@mysite.com". Does anyone have a script of some sort that can take username and password as inputs to a form, and only goes to the page if authenticated to go to the protected site? I think this can be done with AJAX. I am very new to AJAX (just read AJAX in 10 minutes 10 minutes ago), so if someone out there knows this, I would appreciate the help.
(If you use cPanel), just use its "Web protect" or "Protect folders" area (the name depends on the skin used). Once you add a page or folder to this area, you have to enter a user and pass to get access to the page, and you can check the box to remember the login if wanted. No "logout" is required since you're logged out when you leave the page.
__________________
God Bless
-Clint
  #14 (permalink)  
Old 08-08-2007, 12:14 PM
WebProWorld Member
 

Join Date: Jul 2007
Location: California, USA
Posts: 26
jganders RepRank 0
Default Re: htaccess and login

Quote:
Originally Posted by Clint1
(If you use cPanel), just use its "Web protect" or "Protect folders" area (the name depends on the skin used). Once you add a page or folder to this area, you have to enter a user and pass to get access to the page, and you can check the box to remember the login if wanted. No "logout" is required since you're logged out when you leave the page.
I dunno about this... on my Apache-cPanel protected folders when you provide uid/pw to login, you remain logged in for the duration of the browser session. You can leave the protected folder and come back all you want w/o having to log back in. The only logout is to close the browser. Clint, maybe you can provide an example of the behavior that you describe?
  #15 (permalink)  
Old 08-09-2007, 06:26 AM
WebProWorld Veteran
 

Join Date: Jun 2005
Location: LA, USA
Posts: 535
Clint1 RepRank 1
Default Re: htaccess and login

Quote:
Originally Posted by jganders
I dunno about this... on my Apache-cPanel protected folders when you provide uid/pw to login, you remain logged in for the duration of the browser session. You can leave the protected folder and come back all you want w/o having to log back in. The only logout is to close the browser. Clint, maybe you can provide an example of the behavior that you describe?
Yes, that's correct. I should have mentioned that, but I didn't. It's a "session login" so to speak. I don't think that would be a problem though, since no one else could log in on another PC without a user & pass. It's the simplest way.
__________________
God Bless
-Clint