There's no way to use basic authentication (the stuff inside HTTP) from web
pages... you can't tell a browser "use this form to ask your user for
passwords".  If you want to manage authentication in web pages, you have to
build the whole authentication/session management system yourself.  Since
you don't want to use cookies, you will have to preserve state on the server
side and redirect the client to all sorts of ugly URLs with unique IDs
embedded inside.  Or you could embed the username and password in the URLs,
which would probably be dangerous from the security perspective and would
probably make users cringe, but would let their browser send that
information at each request.

BUT if your only objection to basic authentication is the "unfriendly" login
box provided by their browser, you should probably accept that the web is
not a medium whereby you should expect or try to mold the complete user
interface.  The popup box that says "Enter password for Bob's Secure Area"
might not have your logos and banner ads, but the user will understand what
it means.  On some browsers they will even be able to do useful things like
save that password for future sessions.  Sure, you could program this whole
thing yourself, but unless you really need a more sophisticated user
structure this way really isn't that bad.

Remember: "less is more."

shimon.

On Tue, Oct 17, 2000 at 02:20:22PM -0500, Ian Frawley wrote:
> Hi all
> 
> Is it possible to authenticate a user without having to use the unfriendly
> login box provided by browsers, without using cookies?
> 
> I have managed to authenticate a user once through some text fields on a
> HTML page but unfortunately this does not make the browser remember the
> user's authentication information. On subsequent requests to the same
> secure area apache requires that the user enters their credentials again.
> 
> Is there a way around this? If so any help would be appreciated. 
> 
> Thanks
> 
> Ian

Reply via email to