PerlMonks  

Re: Detect logon ID from Browser

by Cyrnus (Monk)
on May 16, 2002 at 00:13 UTC ( [id://166886] )


in reply to Detect logon ID from Browser

For the first part of your question you should put all the pages you wish to protect inside folders and use the .htaccess file to specify users. On my host, which is running Apache under Red Hat, I have a folder with administrative tools. Two files are used to set up the authorization for that folder; they are as follows (paths changed of course):

.htaccess
# Realm name shown in the browser's login prompt, and the auth scheme to use
AuthName Authentication
AuthType Basic
# File holding the users and their password hashes
AuthUserFile /path/to/protected/directory/.htpasswd
# Note: <Limit> applies the rule only to the listed methods; without the
# <Limit> wrapper, Require valid-user covers every request method.
<Limit GET POST>
Require valid-user
</Limit>

.htpasswd
usrname:encrypted_password

Read up on .htaccess files for more info. I believe there is a way for it to use the /etc/passwd file for authentication but am unsure of the specifics.

For the second part of your question this node http://www.perlmonks.org/index.pl?node_id=107095 contains a piece of code that will tell you what information you can get from the %ENV hash.

John

Re: Re: Detect logon ID from Browser
by TexasTess (Beadle) on May 16, 2002 at 00:41 UTC
    Hey! Thanks for the quick reply! Let me expand my question a little bit... I am going to require the user to enter a logon id before they are granted entry, I then want to verify that the logon ID and the individual entering are one and the same..then check to see they are on the list of accepted users. I don't want to check passwords nor do I want to require a password to gain entry.... Is this a bit clearer? Thanks in advance..
      Unfortunately, what you're looking for may not be possible. The problem is, it's really trivial for a browser to fake information like that; you'd be diving head first into a security nightmare.

      There may be a way around that though, but it might cost a few dollars. In the same way that a web server needs a digital certificate in order to do secure transactions, browsers can be given certificates too, in order to verify a person's identity. You'd have to go through a company like Verisign to do that, and you might end up spending $50 a user or so. On the server end, you could have some code to check the certificate the browser is presenting you with. If you recognize the certificate, you could authenticate them.

      That's about the only way you can verify a user's identity without asking for a password. And then, that only works so long as the user doesn't have their certificate stolen ;-)

      Hope that helps!
      -Eric

      --
      Lucy: "What happens if you practice the piano for 20 years and then end up not being rich and famous?"
      Schroeder: "The joy is in the playing."
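Both Cyrnus's Basic-auth setup and Eric's client-certificate suggestion leave Apache holding a server-verified identity in %ENV; the following Perl CGI, added here and not code from the thread, reads that identity and checks it against a list the tool's administrator maintains, which is what the original question asks for. The allow-list path and its one-identity-per-line format are assumptions.

```perl
#!/usr/bin/perl
# Added example (not code from the thread). The identity is taken only from what
# Apache itself verified: REMOTE_USER set by the Basic-auth .htaccess above, or the
# subject DN of a client certificate when mod_ssl runs with SSLVerifyClient and
# SSLOptions +StdEnvVars. The allow-list path and its line format are assumptions.
use strict;
use warnings;

my $ALLOW_FILE = '/path/to/protected/directory/allowed_users';   # assumed path

# Read the administrator's allow-list: one identity per line, '#' comments allowed.
sub load_allow_list {
    my ($path) = @_;
    my %allowed;
    open my $fh, '<', $path or die "cannot open $path: $!";
    while (my $line = <$fh>) {
        chomp $line;
        $line =~ s/\s*#.*//;        # strip comments
        $line =~ s/^\s+|\s+$//g;    # trim whitespace
        $allowed{$line} = 1 if length $line;
    }
    close $fh;
    return \%allowed;
}

# Never take the identity from a form field or cookie the browser supplied;
# those are trivial to fake, as noted above.
sub current_identity {
    my ($env) = @_;
    return ('basic', $env->{REMOTE_USER}) if length($env->{REMOTE_USER} // '');
    return ('cert', $env->{SSL_CLIENT_S_DN})
        if ($env->{SSL_CLIENT_VERIFY} // '') eq 'SUCCESS' && length($env->{SSL_CLIENT_S_DN} // '');
    return;
}

my ($source, $who) = current_identity(\%ENV);
my $allowed = load_allow_list($ALLOW_FILE);
print "Content-Type: text/plain\r\n\r\n";
if (!defined $who) {
    print "No server-verified identity; check the .htaccess or SSLVerifyClient setup.\n";
} elsif ($allowed->{$who}) {
    print "Welcome $who (verified via $source)\n";   # $who can now sign the user's entries
} else {
    warn "access denied for verified identity '$who'\n";   # goes to Apache's error log
    print "$who is verified but not on the administrator's list.\n";
}
```

Apache only sets REMOTE_USER for requests that passed the authentication rule, so the script has to live inside the directory the .htaccess protects.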
      Hi,
      I was recently in a similar position to you - needing an authentication system to be used in an internal intranet, and I really didn't like the idea of a password system - after all, we're a small friendly company, where everybody knows everybody else, and we can all be trusted, right?
      Your users, like mine, probably can be trusted, but I think that authentication is about more than just trust.

      I ended up building a system based on Apache::AuthCookie that required passwords and usernames, which works pretty damn well. To my surprise, there was not a murmur of complaint from the users - in fact the authentication has proved to be useful by providing accountability: "Ah, Fred moved this frobulator last Tuesday, I'll go talk to him"
      Basically, authentication systems can be well worth the effort, and a password-based system doesn't have to be that hard to use, so I'd advise thinking about whether the standard username/password combo would really be that much of a problem.
      This is total and utter opinion, so feel free to ignore my ramblings :-)
      cheers.
      davis
      Is this going out live?
      No, Homer, very few cartoons are broadcast live - it's a terrible strain on the animator's wrist
Re: Re: Detect logon ID from Browser
by TexasTess (Beadle) on May 16, 2002 at 20:03 UTC
    First, thanks to all who have replied to this request

    I think I have figured out how I am going to implement my system. The logon accounts preset certain Netscape parameters, and I checked it out today. In the preferences section there is an option to use your email address as a password for anonymous (gosh I can't spell!) FTP. I think I can get that information by making the request (not sure about this.. didn't have time to research it) and verifying that their logon is in the list provided by the administrator of the tool. I can also take this information and set it to a variable to sign any entries they make, and I think it will work. I tried changing my settings today and as soon as I rebooted it reset to the defaults, so a user would really have to be deliberately deviant to trick the system. I really have little concern for security on this intranet and my users already have a chitload of passwords to remember.. each one has at least 7 or 8, so I don't want to force any more.

    Any thoughts on this idea would be greatly appreciated!

    TexasTess :-)