[TriLUG] htaccess

skippy1 at hickorytech.net skippy1 at hickorytech.net
Fri Mar 25 22:32:49 EST 2005 

> Steve Hoffman wrote:
>
>>Looking for a php pro out there...I basically am trying to mimic
>>htaccess authentication on our server, but I want to use a custom login
>> page...not the popup window.  I can do the whole process myself, take a
>> username/password pair, encrypt the password and compare it to the
>> encrypted password in .htpasswd, but the problem is, the program I'm
>> trying to access, doesn't recognize this as valid authentication.
>>
...
>>
>>I don't mind redoing the method, but the requirement is that the login
>> page needs to be customized to each customers website so that's why the
>> popup won't work.

As Aaron say below, if you want to get rid of the popup window completely,
you'll have to abandon Apache's builtin Auth.  That said, why not do a
customized page for each site that has a link or button to the stats. 
Htaccess protect the stats as normal with a custom Realm for each site. 
That way you get the best of both worlds -- a custom page and the easy
htaccess setup.

One thing that sometimes causes problems when password protecting Awstats
is the way it separates the static data and icons and the dynamically
generated graphs.  If I remember correctly, the usual setup is to use a
rewrite in the httpd.conf so that every site uses one central awstats
binary for the dynamic part while storing the icons and data in a separate
directory for each site.  Different browsers cache the auth data in
different ways, so depending on your setup the browser may think that the
two different sets of requests need different auth and may prompt for the
password multiple times.  If you do run into this there are ways around
it, but you may have to fiddle with it a bit.

Aaron wrote:
>
....
>
> Now having said all that, you can get similar functionality with out
> using Basic authentication, but you have to go away from Apache's Basic
> authentication all together.  You'll then need to wrap up each of your
> scripts to look at some cookie, or session variable, or any of the other
>  traditional ways of passing around "this user is already authenticated"
>  information in PHP.  Perhaps some one can step in and explain a way to
> extend the security checking of Apache to protect a directory with an
> external script ... something in my gut tells me that's probably
> possible ... but I'm not the guy who can explain how to do it.  :)

There are several that I know of, usually built as apache modules.  The
one I've worked with was mod_auth_pgsql with let you put directives in the
.htaccess telling it which database and table to get the auth info from. 
There are a variety of others out there.  Google for mod_auth should get
you most of them.  Check out http://mod-auth.sourceforge.net/, though it
seems to be apache2 specific.

Skippy

More information about the TriLUG mailing list