Login and password in the URL
Solved
heliconius
Posted messages
584
Status
Membre
-
heliconius Posted messages 584 Status Membre -
heliconius Posted messages 584 Status Membre -
Good evening everyone,
When accessing a protected web space with a login/password through .htaccess and .htpasswd files, there are two ways to proceed:
1) either you type the URL of the protected space in the browser's address bar and enter the login and password in the dialog box that then appears,
2) or you directly include the login and password in the URL in this format:
I have tested this and there is no issue with Firefox or Opera. However, if you try this with Internet Explorer, it displays that the requested page is not available.
My question: Is this completely prohibitive with Internet Explorer or is it just a configuration issue with this browser that I haven't found where to change?
(NB: IE versions tested: IE v8.0 on XP and IE on Windows 10)
Thank you for your help and responses.
Configuration: Dual boot: Windows XP Pro SP3 / Debian Linux
--
A problem without a solution is a poorly posed problem. (Albert Einstein)
When accessing a protected web space with a login/password through .htaccess and .htpasswd files, there are two ways to proceed:
1) either you type the URL of the protected space in the browser's address bar and enter the login and password in the dialog box that then appears,
2) or you directly include the login and password in the URL in this format:
http://login:password@www.thesite.com
I have tested this and there is no issue with Firefox or Opera. However, if you try this with Internet Explorer, it displays that the requested page is not available.
My question: Is this completely prohibitive with Internet Explorer or is it just a configuration issue with this browser that I haven't found where to change?
(NB: IE versions tested: IE v8.0 on XP and IE on Windows 10)
Thank you for your help and responses.
Configuration: Dual boot: Windows XP Pro SP3 / Debian Linux
--
A problem without a solution is a poorly posed problem. (Albert Einstein)
1 réponse
Hello,
I am repeating my question, just in case...
I have a website with many users who can access a protected members area. By principle, I do not want to use cookies. To protect a part of the hierarchy with a password without using session cookies, I only know the use of .htaccess and .htpasswd files.
I am not sure if using these files is the right solution when there are many users, as the .htpasswd file might contain more than 30 to 40 lines. So I came up with the idea to only put one line in this file:
To access, the user types HIS login and password, the script searches the users table for the record with the login and passwords that match those entered, and if it's correct, it accesses the page with a URL that contains the login and password corresponding to those in the .htaccess file.
The URL format is as follows:
As it appears in the URL, to prevent the password from being easily read and memorized, I took some arbitrary text ("Member_of_the_site") on which I applied a SHA1 hashing function which gives: e316172fe615d62a2c16b33857f28ebf45c98680 constituting the access password to the protected area, then I used the crypt() function on this password in order to write the line for the .htaccess file to read:
The access script is as follows:
It works very well under Mozilla Firefox (on Windows XP and Windows 10), under Opera (the same versions) but does not work with Internet Explorer (neither Windows XP nor Windows 10) which displays a message stating that the requested page does not exist (in fact, error 404).
My question: Is it a configuration issue with this browser? If so, where do I configure it? It would not surprise me, but it would seem inconceivable that Microsoft does not comply with the URL standards that other browsers respect. If IE is really unable to do this, how should I proceed without using cookies?
Thank you for your help.
--
A problem without a solution is a poorly asked problem. (Albert Einstein)
I am repeating my question, just in case...
I have a website with many users who can access a protected members area. By principle, I do not want to use cookies. To protect a part of the hierarchy with a password without using session cookies, I only know the use of .htaccess and .htpasswd files.
I am not sure if using these files is the right solution when there are many users, as the .htpasswd file might contain more than 30 to 40 lines. So I came up with the idea to only put one line in this file:
member:passwordand in a database table, the list of users and their respective passwords (hashed) in the fields user, login, password.
To access, the user types HIS login and password, the script searches the users table for the record with the login and passwords that match those entered, and if it's correct, it accesses the page with a URL that contains the login and password corresponding to those in the .htaccess file.
The URL format is as follows:
http://login:password@thesite.fr(this is a web standard)
As it appears in the URL, to prevent the password from being easily read and memorized, I took some arbitrary text ("Member_of_the_site") on which I applied a SHA1 hashing function which gives: e316172fe615d62a2c16b33857f28ebf45c98680 constituting the access password to the protected area, then I used the crypt() function on this password in order to write the line for the .htaccess file to read:
member:Mo068OjVTLNaI
The access script is as follows:
<?php /* Base password: Member_of_the_site SHA1/Password: e316172fe615d62a2c16b33857f28ebf45c98680 = web space mdp line in .htpasswd: member:Mo068OjVTLNaI */ // init.php: Connect to the DB // + function ExecRequete() that returns the result of a query require("lib/init.php"); ?> <html> <head> </head> <body> <?php if($_POST["submit"]) { $salt = "MySite"; $login = trim($_POST["login"]); $passwd = crypt(trim($_POST["passwd"]),$salt); $requete = "SELECT * FROM Users WHERE login='$login' AND passwd='$passwd';"; $resultat = ExecRequete($requete,$connexion); $r = mysql_fetch_object($resultat); if($r->passwd == $passwd) { header("location: http://member:e316172fe615d62a2c16b33857f28ebf45c98680@mysite.fr/users"); } } ?> <form name="access" method="post" action="<?php echo $_SERVER["PHP_SELF"]; ?>"> Login: <input type="text" name="login" size="25"><br/> Password: <input type="password" name="passwd" size="25"><br/> <input type="submit" name="submit" value="Access"> </form> </body> </html> It works very well under Mozilla Firefox (on Windows XP and Windows 10), under Opera (the same versions) but does not work with Internet Explorer (neither Windows XP nor Windows 10) which displays a message stating that the requested page does not exist (in fact, error 404).
My question: Is it a configuration issue with this browser? If so, where do I configure it? It would not surprise me, but it would seem inconceivable that Microsoft does not comply with the URL standards that other browsers respect. If IE is really unable to do this, how should I proceed without using cookies?
Thank you for your help.
--
A problem without a solution is a poorly asked problem. (Albert Einstein)
Thank you?
The member must register (login and encrypted password stored in a database).
Upon logging in, we retrieve the login, encrypt the password, and search for both pieces of information in the database. (I do not need to know the members' passwords)
Access is granted if there is a match. Access to the protected area is allowed as long as the browser remains open or there is activity within the last two hours. If the browser is closed or there is inactivity for two hours, a reconnection is required.
For now, that works for me