Register

If this is your first visit, please click the Sign Up now button to begin the process of creating your account so you can begin posting on our forums! The Sign Up process will only take up about a minute of two of your time.

Results 1 to 6 of 6

Thread: Form

  1. #1
    Junior Member
    Join Date
    Sep 2005
    Posts
    2
    Member #
    11293
    Hi,

    Does anyone know how to passs a username and password to a pop up box? Like when you password protect a directory and then go to it a box pops up asking you to input a username and password. Is there a way to make a form that it will take the username and password that is inputted into the form and automatically input it into the pop up box?

    Thanks!

  2.  

  3. #2
    Senior Member seanmiller's Avatar
    Join Date
    Sep 2003
    Location
    Glastonbury, UK
    Posts
    868
    Member #
    3263
    Liked
    1 times
    You're talking .htpasswd type password protection I assume?

    There used to be syntax when calling a webpage which allowed you to call http://usernameassword@mydomain.com which would effectively do as you asked but Microsoft released a patch a little while back that disables this functionality unless you tweak registry settings. So, effectively, you can't rely on it...

    I am not aware of any way of pre-populating an .htpasswd dialogue box from a webpage but this is not really my area of expertise.

    Sean

  4. #3
    Senior Member visualAd's Avatar
    Join Date
    Jan 2003
    Location
    Slough, UK
    Posts
    201
    Member #
    434
    Like seanmiller said, passing a username and password in a link will cause at the very least a security confirmation warning to be displayed, asking the user if the are aware that they are submitting a username and password.

    If you are using PHP, you can have the script carry out the authentication on the users behalf, this however would involve making the HTTP request from the server the PHP script runs on and send the WWW-Authenticate headers manually. Something which, if possible should be avoided.

  5. #4
    Junior Member
    Join Date
    Sep 2005
    Posts
    2
    Member #
    11293
    How do you send the Authenticate headers manually?

  6. #5
    Senior Member visualAd's Avatar
    Join Date
    Jan 2003
    Location
    Slough, UK
    Posts
    201
    Member #
    434
    Sorry for the delayed reply. Like I said in my previous reply, I do note recommend you use this method and if you do, you pay close attention to the security implications and make sure you lock the script down. I'll explain about this later though.

    The following script basically allows the user to supply it with a user name, password and the URL of the page you need access to. When the information is submitted the script makes an HTTP request on behalf of the user with the supplied use name and password information. The results of this request, the source code, are then displayed.

    All links in the HTML output need to be replaced with the path to the script, this ensures that if the user clicks any of them, it also replaces all image links to, but not CSS @import() links (this can of course be coded in).

    Two things to note about this script, I've used the GET method for the form; this ensures that all variables are passed in the query string. The second is that you need to modify all external links to images, style sheets and links so that they point to the original script and append to the query string the user name and the password. I would recommend instead of passing the user name and password in the query string however, you use a server side session and a session ID instead.

    You can see in the script that it modifies all links in the html with src,href and action as their attributes. The regular expression used here doesn't take into account whether or not its inside an HTML tag though, so you may want to modify that.
    PHP Code:
    <?php
        $action 
    = @$_GET['action'];

        if (
    $action == 'display') {
            
    /* check for required info */
            
    if (isset($_GET['auth_url'])) {
                if (
    strtolower(substr($_GET['auth_url'], 07)) != 'http://') {
                    
    $url "http://{$_GET['auth_url']}";
                } else {
                    
    $url $_GET['auth_url'];
                }
            } else {
                
    $msg 'No url sent';
            }
            
            
    $user = @$_GET['auth_user'];
            
    $password = @$_GET['auth_pass'];

            if (! isset(
    $msg)) {
                
    display_page();
                exit;
            }
        }
        
        function 
    display_page()
        {
            global 
    $user$password;
            
            
    $url parse_url($GLOBALS['url']);

            
    $url array_merge(array('host' => '''query' => '''path' => '/'), $url);
            
    $auth_hash base64_encode("$user:$password");
         
            
    /*
             * Note: This does not allow for cookies. It is possible to code but this is just a simple
             * eample
             */
            
    $http  "GET {$url['path']}?{$url['query']} HTTP/1.0\r\n";
            
    $http .= "Host: {$url['host']}\r\n";
            
    $http .= "User-Agent: {$_SERVER['HTTP_USER_AGENT']}\r\n";
            
    $http .= "Authorization: Basic $auth_hash\r\n\r\n";
            
            if (! (
    $hwnd fsockopen($url['host'], 80))) {
                die(
    'Socket Error');
            }

            
    fwrite($hwnd$http);

            
    $response '';

            while((! 
    feof($hwnd)) && (fgets($hwnd) != "\r\n"));

            while (!
    feof($hwnd)) {
                
    $response .= fgets($hwnd);
            }

            
    $response .= "action =test.html2";
            
    $response preg_replace_callback("/(src|href|action)\s*=((\s*\"(?U)(.*)\")|(\S+))/i"'parse_link_callback'$response);
            
            echo(
    $response);
            
        }

        function 
    parse_link_callback($matches)
        {
            global 
    $user$password;
            
            
    $url parse_url($GLOBALS['url']);
            
    $url array_merge(array('host' => '''query' => '''path' => '/'), $url);

            
    $uri = isset($matches[5])?$matches[5]:$matches[4];
            
            if (
    strpos($uri'://') !== false || substr($uri01) == '#') { // ignore external links and links to the current page
                
    return $matches[0];
            } else if (
    substr($uri01) != '/') {
                
    /* make relative URL's absolute */
                
    $uri dirname($url['path']) . $uri;
            }

            
    /* replce &amp with & */
            
    $uri str_replace('&amp;''&'$uri);
           
            
    $url urlencode('http://' $url['host'] . $uri);

            
    $query_string "action=display&amp;auth_url=$url&amp;auth_pass=$password&amp;auth_user=$user";

            
            return 
    "{$matches[1]}=\"{$_SERVER['PHP_SELF']}?$query_string\"";
        }
            
    ?>
    <html>
        <head>
            <title>WWW-Authnticate Script</title>
        </head>
        <body>
            <form action="<?php echo($_SERVER['PHP_SELF']) ?>" method="GET">
                <table>
                    <tr>
                        <td><?php echo(@$msg?></td>
                    </tr>
                    <tr>
                        <td>URL of protected page:</td>
                        <td><input type="text" size="50" name="auth_url" /></td>
                    </tr>
                    <tr>
                        <td>Username:</td>
                        <td><input type="text" name="auth_user" /></td>
                    </tr>
                    <tr>
                        <td>Password:</td>
                        <td><input type="password" name="auth_pass" /></td>
                    </tr>
                    <tr>
                        <td><input type="hidden" value="display" name="action" />
                            <input type="submit" value="Login" /></td>
                    </tr>
                </table>
            </form>
        </body>
    </html>
    A couple of points though:
    • I do not recommend you use this script in any kind of public domain and if you do I strongly advise that you lock it down real tight so you know exactly who uses it and hat for. It in effect turns your site into an open proxy, something which you do not want
    • Again, this isn't the most elegant method of getting around the problem - it will probably confuse some users and make others suspicious, as the address of your site will still be visible in the address bar.

  7. #6
    Junior Member
    Join Date
    Oct 2005
    Posts
    7
    Member #
    11534
    looks dangerous. LOL


Remove Ads

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
All times are GMT -6. The time now is 11:27 PM.
Powered by vBulletin® Version 4.2.3
Copyright © 2019 vBulletin Solutions, Inc. All rights reserved.
vBulletin Skin By: PurevB.com