Domain to Domain HTTP Authentication


Post by dsteinbach » Mon Feb 25, 2008 5:05 pm

I would like to POST HTTP login credentials from domain A to domain B. Internet Explorer used to allow this type of URL: http://username:password@www.somedomain.com/
But this was a phishing problem so they don't allow it anymore. I'm not sure if there is a simpler way but I came up with this...

I POST from domain A to a script on domain B that sets the user/pass as cookies. This script resides in a directory that does not require http authentication. This script redirects to the member's home page (protected directory) which contains the following mock code:

If cookie "user" and cookie "pass" are set {
    run through AuthMySQL
    if (fail) prompt for Username/Password
    if (success) write cookies
} else {
    prompt for Username/Password
}

Is this possible with mod_rewrite? And if so, does anyone know mod_rewrite enough to maybe give an example??? I've been sifting through documentation but can't find any examples that work.

-Dave
dsteinbach
 
Posts: 2
Joined: Mon Feb 25, 2008 4:47 pm

Post by richardk » Tue Feb 26, 2008 4:15 pm

    if (success) write cookies

What version of Apache are you using?

    run through AuthMySQL
    if (fail) prompt for Username/Password

I'm not sure mod_rewrite can do that. AuthMySQL probably looks for headers to find the username/password. Do you have access to the httpd.conf file? You might be able to write a script and run it with a RewriteMap to do the authentication.
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Post by dsteinbach » Tue Feb 26, 2008 7:22 pm

Running: Apache/2.0.54
And I do have access to my httpd.conf file.

You are saying I can have every request run through an authentication script first?
dsteinbach
 
Posts: 2
Joined: Mon Feb 25, 2008 4:47 pm

Post by richardk » Fri Feb 29, 2008 1:09 pm

You can define a RewriteMap to run a program when a RewriteRule is matched. The RewriteMap must be defined in the httpd.conf (or a file Included into it, not a .htaccess file).
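Code:
Options +FollowSymLinks

# mod_rewrite must be switched on for the rules below to run.
RewriteEngine On

# External program map: Apache passes the lookup key to the program and reads back its answer.
RewriteMap yourprog prg:/path/to/program

# Deny access if the yourprog RewriteMap returns false.
RewriteCond ${yourprog:%{HTTP_COOKIE}} ^false$ [NC]
RewriteRule .* - [F,L]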
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am
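
A sketch of the kind of program the RewriteMap in the last post could run, added here as an example and not code from either poster. It assumes the login script on domain B sets a hypothetical HMAC-signed `auth` cookie (user|expiry|MAC) in place of the raw user/pass cookies from the first post; the key, cookie name and format are constructed. A prg: map receives one lookup key per line on stdin and must write one result line to stdout.

```python
#!/usr/bin/env python3
"""RewriteMap prg: helper. One Cookie header per stdin line, true/false per stdout line."""
import hashlib
import hmac
import sys
import time

SECRET = b"constructed-demo-key"  # assumption: shared with the login script on domain B
COOKIE_NAME = "auth"              # hypothetical cookie: user|expiry|hex HMAC-SHA256


def sign(user, expiry):
    """MAC over the exact user and expiry strings carried in the cookie."""
    msg = f"{user}|{expiry}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_cookie(user, ttl=3600, now=None):
    """What the login script would set after checking the POSTed credentials."""
    expiry = int(time.time() if now is None else now) + ttl
    return f"{COOKIE_NAME}={user}|{expiry}|{sign(user, expiry)}"


def parse_cookies(header):
    """Split a Cookie header ('a=1; b=2') into a dict."""
    pairs = (p.strip().partition("=") for p in header.split(";"))
    return {k: v for k, _, v in pairs if k}


def check(cookie_header, now=None):
    """Return 'true' only for a well-formed, unexpired, correctly signed cookie."""
    try:
        user, expiry, mac = parse_cookies(cookie_header)[COOKIE_NAME].split("|")
        fresh = int(expiry) > (time.time() if now is None else now)
        good = hmac.compare_digest(mac.encode(), sign(user, expiry).encode())
        return "true" if fresh and good else "false"
    except (KeyError, ValueError):
        # Fail closed: the posted RewriteCond denies only on "false".
        return "false"


def main():
    # Apache starts the program once and keeps it running: answer every
    # lookup with exactly one line and flush, or requests will hang.
    for line in sys.stdin:
        sys.stdout.write(check(line.rstrip("\n")) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```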

