Posted to general@jakarta.apache.org by Andrew Cockburn <ac...@aqualog.co.uk> on 2000/10/02 15:51:48 UTC

Re: options for an authorization scheme

Did anyone ever post an answer to this ? I have a similar problem, but want
to attack it from a different angle. I too have a nice pleasant login form,
and cookies to store identity. I also have a fair amount of static html that
I want to protect from unauthorised access - who is authorised depends on
several factors, not just whether or not they have a valid username/password
for the site. I can generate htaccess files and a password file from my
database very easily. The only problem is that I want to avoid the standard
browser authentication window from popping up when static content is asked
for. Is there a way of convincing the browser that it is 401 authenticated
without the user seeing anything ? The idea is that I would do this as they
were logging in, so they could access all content available to them without
any further username/password input.

Any suggestions gratefully received,

Regards,

Andrew Cockburn

----- Original Message -----
From: <So...@aol.com>
To: <ge...@jakarta.apache.org>
Sent: Thursday, September 14, 2000 8:47 PM
Subject: options for an authorization scheme


> Looking for any ideas on the subject. Here is the situation. From server
> level I want to prevent pages from being served to clients who have not
> logged in. So someone cannot enter www.site.com/folder1/hiddenpage.html
> and see that page if they have not yet logged in. I know about Apache
> Basic Authorization, but we have a real nice login page and I do not want to
> make the user have to enter their uid and pw into an unsightly pop up
> window. Now, after a user logs in, of course a session cookie is placed on
> his browser, so can you configure apache to protect certain directories by
> checking for a session cookie? Any other ideas? Appreciate it, JB


Re: options for an authorization scheme

Posted by Paul Hethmon <ph...@marketlinx.com>.

Andrew Cockburn wrote:
> 
> Did anyone ever post an answer to this ? I have a similar problem, but want
> to attack it from a different angle. I too have a nice pleasant login form,
> and cookies to store identity. I also have a fair amount of static html that
> I want to protect from unauthorised access - who is authorised depends on
> several factors, not just whether or not they have a valid username/password
> for the site. I can generate htaccess files and a password file from my
> database very easily. The only problem is that I want to avoid the standard
> browser authentication window from popping up when static content is asked
> for. Is there a way of convincing the browser that it is 401 authenticated
> without the user seeing anything ? The idea is that I would do this as they
> were logging in, so they could access all content available to them without
> any further username/password input.


Something we've used successfully is to do a redirect after the initial
browser login screen giving the user auth info in the url. You have to
be careful here though because a simple redirect will show the username
and password in the address bar, so you have to hide it in a frame and
then reload your page from there. What this does is allow you to use basic
auth across multiple servers with only a single login. It doesn't quite
do what you want since you're trying to not use basic auth, but you still
might be able to use the principle.

Paul
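
An added example, not part of any post in this thread: one way to gate static content on the session cookie both questions describe, sending unauthenticated requests to the login form with a redirect rather than a 401 so the browser's authentication window never appears. The cookie format (base64 claims plus an HMAC), `SECRET`, `LOGIN_URL` and both function names are assumptions made for the illustration, and the check is assumed to run in a handler placed in front of the static files.

```python
import base64, hashlib, hmac, json, posixpath, time

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to the browser
LOGIN_URL = "/login"              # assumption: path of the site's own login form

def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user, allowed_dirs, ttl=3600, now=None):
    """Login handler calls this once it has decided what the user may read."""
    now = time.time() if now is None else now
    claims = {"u": user, "dirs": allowed_dirs, "exp": int(now) + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return payload + "." + _sign(payload)

def check_request(path, cookie, now=None):
    """Return (status, location) for a request to protected static content."""
    now = time.time() if now is None else now
    to_login = (302, LOGIN_URL)  # redirect instead of 401, so no browser pop-up
    if not cookie or "." not in cookie:
        return to_login
    payload, _, sig = cookie.rpartition(".")
    # Constant-time comparison; a forged or edited cookie fails here.
    if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):
        return to_login
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["exp"] < now:
        return to_login  # expired session
    # Collapse "..", "." and repeated slashes before the prefix check.
    clean = "/" + posixpath.normpath(path).lstrip("/")
    for prefix in claims["dirs"]:
        if clean == prefix or clean.startswith(prefix.rstrip("/") + "/"):
            return (200, None)
    return (403, None)  # logged in, but not authorised for this directory
```

Because the directory list is inside the signed value, authorisation can depend on whatever the login handler evaluated, and the username and password never travel in a URL.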