[thelist] username:password in URLs
noah
noah at tookish.net
Wed Feb 4 16:44:01 CST 2004
I hope this isn't something that's already been discussed -- I've fallen
behind a little on my reading (only 2482 messages behind). I searched
for it but didn't find anything. If it has been discussed, please
forgive me and point me to the subject. Thanks.
In case it hasn't been discussed, and in case anyone doesn't know
already, the latest IE/Windows update has disabled URLs in the format:
<http://username:password@domain.com/>
I've tested it, and sure enough, they don't work. I get an "Invalid
Syntax Error," and the standard IE "This page can not be displayed" page
(even though I have a custom error page defined, but I'm not worrying
about annoying little things like that yet).
My problem is that I have a small PHP application that requires that the
username and password be sent through the URL in order to work. Most of
the app is protected with session-based authentication, but for certain
pages, I can't include session-calling code at the top, so I put them in
an .htaccess/.htpasswd protected directory, and pass the username and
password through the URL.
I realise that this is not particularly secure. These aren't state
secrets I'm protecting, though, so I'm not worried about that.
So my question is, is there another way to send the username/password
transparently through PHP? I can see that the variables exist in the
fetched page as:
_SERVER["PHP_AUTH_USER"] and _SERVER["PHP_AUTH_PW"]
but I can't figure out how to send the values to the page I'm
requesting. I've found plenty of scripts to add users, add groups, etc.,
but nothing to just retrieve a protected page without having to type the
username/password.
Any advice greatly appreciated.
Cheers,
Noah
More information about the thelist
mailing list