Michele Waldman wrote:
> It is different than just authenticating.
> Due to an htaccess authentication implementation, it requires a workaround
> to prevent those pesky popups the browsers produce.
> I'm trying to do a spin on this:
> http://www.berenddeboer.net/rest/authentication.html
> Implementing the mod_auth_digest authenticating against mysql was all part
> of this.
> Michele
Sounds like you:
a) have your work cut out for you
or
b) can perform the task easily using pre-existing modules.
Problem 1: If it is the "popup" login that you are trying to avoid, you
can't by switching to "digest" instead of "basic" authentication. The
only way around this is to inject the headers into the authentication on
the SERVER side. An example module doing this is mod_auth_cookie, which
takes a Cookie header (e.g. set by a PHP script) and converts it into
the user credentials as if the browser had submitted basic authentication.
Problem 2: Getting the popup if the browser didn't send the credentials
(or the cookie as it would inject those credentials for the
authentication). The way around this is to simply redirect to the
"login" page that will "set the cookie" (or whatever you are using to
inject the credentials into the incoming headers). This is a
configuration side:
    ErrorDocument 401 /login.jsp
Do not do a full URL redirect, as this will send the redirect back to
the browser. A local URL redirect should allow the page to send contents
back (e.g. a login form).
Let me try walking through an example using mod_auth_mysql,
mod_auth_cookie, and PHP. The user opens their browser for the first
time, and types in the website into the location bar. Browsing down into
the site, they hit a page that is a protected resource according to
apache. The ErrorDocument 401 kicks in using the local URI (which
actually causes apache to create a sub-request to the local URI and
returns the information), and returns a PHP login page. Filling out the
form, and clicking submit, (remember, this will submit to what the PHP
login page said to in the <form> tags), the PHP script sets a Login
cookie, and sends a Location: header back to the browser telling it to
bounce back to the original web page that was requested. (The PHP
scripts would keep track of the Referer when it was hit, and just
redirect back to it). At that point, the browser re-requests the page,
but this time it submits the Login cookie. mod_auth_cookie recognizes
the cookie, and injects the user's credentials in the form of a Basic
authentication, and passes control back to Apache. Apache then calls the
mod_auth_mysql module, which verifies against the configured table. If
it is wrong, it rejects the credentials and starts the ErrorDocument 401
process again. If it is right, the page is allowed. And no pesky
authentication dialog box. And the cookie can be set site wide. And
still hide things that should be protected from the user.
Is that as clear as mud?
--
Joe Lewis
Chief Nerd SILVERHAWK <http://www.silverhawk.net/> (801) 660-1900
------------------------------------------------------------------------
/Never invoke the gods unless you really want them to appear. It annoys
them very much.
--G.K. Chesterton/
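
The flow walked through in the message above, modelled end to end as an added example; it is not part of the original message and is not code from mod_auth_cookie, mod_auth_mysql or any login script. The cookie format (a `Login` cookie holding base64 `user:password`), the `/private/` prefix, the user table, the cookie attributes and the local-path check on the redirect target are all assumptions made for illustration.

```python
import base64, hashlib, hmac
from http.cookies import SimpleCookie

def _hash(pw):  # constructed salt and iteration count
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"constructed-salt", 100_000)

USERS = {"alice": _hash("s3cret")}  # constructed stand-in for the MySQL user table
PROTECTED = "/private/"             # hypothetical protected prefix
LOGIN_FORM = "<form method='post' action='/login'>...</form>"

def token(user, pw):
    return base64.b64encode(f"{user}:{pw}".encode()).decode()

def inject_basic(headers):
    """mod_auth_cookie's role: present the Login cookie as Basic credentials."""
    morsel = SimpleCookie(headers.get("Cookie", "")).get("Login")
    if "Authorization" in headers or morsel is None:
        return headers
    return {**headers, "Authorization": "Basic " + morsel.value}

def basic_ok(headers):
    """mod_auth_mysql's role: check the Basic credentials against the table."""
    scheme, _, tok = headers.get("Authorization", "").partition(" ")
    try:
        user, _, pw = base64.b64decode(tok, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return False
    stored = USERS.get(user)
    return scheme == "Basic" and stored is not None and hmac.compare_digest(stored, _hash(pw))

def handle(path, headers):
    """GET handler; returns (status, response headers, body)."""
    if not path.startswith(PROTECTED) or basic_ok(inject_basic(headers)):
        return 200, {}, "content of " + path
    # ErrorDocument 401 with a local URI: the form is the 401 body, no Location
    return 401, {}, LOGIN_FORM

def login(user, pw, return_to):
    """Login script: set the cookie and bounce back; the re-request is what gets verified."""
    # added hardening: only redirect to a local path, and keep the cookie off
    # plain HTTP and away from scripts, since it carries the credentials
    if not return_to.startswith("/") or return_to.startswith("//") or "\\" in return_to:
        return_to = "/"
    cookie = f"Login={token(user, pw)}; Path=/; Secure; HttpOnly"
    return 302, {"Set-Cookie": cookie, "Location": return_to}, ""
```
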