I'm trying to bypass the .htaccess default username and password form with a customised form of my own.

I still want all passwords to be authenticated as .htpasswd file does.

My protected directory is the members folder. I'm new to PHP so still trying to get my head around it.

I have checked some similar posts on this site and can't seem to get things working:

Replace Htaccess popup box with a html form?

How can I style a .htaccess password protection promp?

HTML:

<form action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>" method="post">
    <div class="title">
        <h2 class="section-title">Members Only Login</h2>
    </div>

    <div class="card_container">
        <label for="user"><strong>Username</strong></label>
        <input type="text" placeholder="Enter Username" name="user" required="">

        <label for="pass"><strong>Password</strong></label>
        <input type="password" placeholder="Enter Password" name="pass" required="">

        <button type="submit">Login</button>
        <label>
            <input type="checkbox" checked="checked" name="remember"> Remember me
        </label>
    </div>

    <div class="card_container" style="background-color:#f1f1f1">
        <button type="button" class="cancelbtn">Cancel</button>
        <span class="pass"><a href="https://ajayswebdesign.com.au/dromanavalleyprobus/index.html#info4-38">Forgot password?</a></span>
    </div>
</form> 

PHP:

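<?php
    // Runs when the login form above has been submitted
    if (isset($_POST['user'], $_POST['pass']))
    {
        $url = "ajayswebdesign.com.au/dromanaprobusclub/members/";
        // Builds a https://user:pass@host/ URL from the submitted credentials
        $site = "https://".rawurlencode($_POST['user']).":".rawurlencode($_POST['pass'])."@".$url;
        header("Location: $site");
        exit;
    }
?>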
misterManSam
Andy Welch
  • There is no way around the generic basic auth pop up in the browser. You'll have to use it or go with a solution that doesn't use it. – GetSet Oct 24 '19 at 05:17
  • What @GetSet says is true, that form of authentication lives inside the protocol layer, you cannot intercept that by means of PHP, since that comes into play only afterwards. What you _can_ do is use another form of authentication. Typically that involves a user management implementation (thousands exist) which has its own database or flat file storage strategy. There also are such using the PAM system known from unixoid systems (so Linux) which offers unbelievable flexibility. Or you authenticate against some LDAP system. Endless options. But you handle authorization on the application level then. – arkascha Oct 24 '19 at 05:55
  • @arkascha It would be nice though if basic auth could be customized. I think it was written in the days when the *web* was only used by the scientific communities and thus it sufficed. Now its only UX purpose is to steer away the too curious and the nefarious. Terms of *protected* status, that has invaluable uses despite its arcane UI interface upon browser hits. – GetSet Oct 24 '19 at 06:09
  • @GetSet Not sure about that... Actually the "BasicAuth" feature defined in the protocol and implemented in all relevant http servers does not include any UI components at all. It is up to the client to ask authentication credentials from the user, so typically a web browser. Their implementation is hardly anything you can blame on the mechanism triggering that. One can easily implement an own solution and in fact many, many applications do exactly that. But if you stick with a traditional web application then, yes, it often is presented by the browsers in a technical and alien appearance. – arkascha Oct 24 '19 at 07:02
  • @arkascha. I see where you are coming from. From the navigable web to such a folder is what I meant on UI. Has invaluable uses when not coming from that aspect as a programmer, is also what I mean. – GetSet Oct 24 '19 at 07:10
  • @GetSet I think it is important to remember that what is total referred to as the "Web" is only a small part of the internet. – arkascha Oct 24 '19 at 10:35
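
The application-level approach described in the comments, as an added example that is not part of the original question or comments: a PHP login handler that checks the submitted form fields against the existing .htpasswd file and tracks the login in a session. It assumes the entries were created with `htpasswd -B` (bcrypt); the file path, `/login.php` and `/members/index.php` are hypothetical names.

```php
<?php
// Added example, not the asker's code. Assumptions: the .htpasswd entries were
// created with `htpasswd -B` (bcrypt); file path and redirect targets are hypothetical.
declare(strict_types=1);

const HTPASSWD_FILE = '/home/example/private/.htpasswd'; // hypothetical, outside the web root

// Returns true only if $user exists in the file and $pass matches its bcrypt hash.
function htpasswd_verify(string $file, string $user, string $pass): bool
{
    if ($user === '' || !is_readable($file)) {
        return false;
    }
    $lines = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
    foreach ($lines as $line) {
        [$name, $hash] = array_pad(explode(':', rtrim($line), 2), 2, '');
        if ($name !== $user) {
            continue;
        }
        // Accept bcrypt only; other htpasswd formats (apr1 MD5, SHA-1, crypt) are refused.
        return password_get_info($hash)['algoName'] === 'bcrypt'
            && password_verify($pass, $hash);
    }
    return false;
}

session_start(['cookie_httponly' => true, 'cookie_secure' => true, 'cookie_samesite' => 'Lax']);

$error = ''; // shown by the login form when non-empty
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Reject array-valued fields such as user[]=x
    $user = is_string($_POST['user'] ?? null) ? $_POST['user'] : '';
    $pass = is_string($_POST['pass'] ?? null) ? $_POST['pass'] : '';
    if (htpasswd_verify(HTPASSWD_FILE, $user, $pass)) {
        session_regenerate_id(true);            // fresh session ID after login (session fixation)
        $_SESSION['member'] = $user;
        header('Location: /members/index.php'); // hypothetical members landing page
        exit;
    }
    $error = 'Invalid username or password.';   // same message for unknown user and wrong password
}
// Each page under members/ then starts with:
//   session_start(); if (!isset($_SESSION['member'])) { header('Location: /login.php'); exit; }
```

For this to replace the browser prompt, the Basic auth directives have to be removed from the members folder, otherwise the browser still shows its own dialog. Static files in that folder are then no longer protected by Apache and have to be served through a PHP script that performs the same session check.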
