HTTP Authentication without the Pop-Up

Re: HTTP Authentication without the Pop-Up

paul brown wrote:[color=blue]
> Is there a way to authenticate using Apache's basic authentication
> without having the pop-up? For instance, can a person use a form that
> authenticates using the built-in authentication? Does that make
> sense?[/color]

Yes. Yes it does.

I don't like the awful HTTP 1.x authentication either. I just use an
HTML form and then use a cookie to keep the credentials. Then you can
access the cookie each time to get the credentials and check them
against the user database.

Not very secure, but neither is HTTP authentication (unless the entire
connection is encrypted with SSL, but I can't afford such luxuries).

A compromise is to use sessions. That way, you can send the password
over an encrypted connection once (saving on bandwidth) and then use
unencrypted sessions to identify the user once they've logged in through
an HTML form. If you check the IP address of the user that claims to be
the session user, you should be able to get good security. Well, good
enough for non-critical applications.

I haven't written code for session-based authentication yet, though. I'm
sure that PHP makes it perfectly possible.
--
Bob
London, UK
echo Mail fefsensmrrjyahe eoceoq\! | tr "jefroq\!" "@obe.uk"

Re: HTTP Authentication without the Pop-Up

"Robert Downes" <nospamplease@s ee.my.signature .con> wrote in message
news:40a6cb51$0 $6323$65c69314@ mercury.nildram .net...[color=blue]
> paul brown wrote:[/color]
[color=blue]
> I haven't written code for session-based authentication yet, though. I'm
> sure that PHP makes it perfectly possible.[/color]

Sure!

PEAR:Auth

works great!

Walter