> I have .htaccess set up to restrict access to a secure directory on
> Apache 1.3b6 using a gdbm password file. Right now Apache gives the
> username/password dialog box for authentication when somebody accesses
> the secure directory. I want to make something that looks nicer, like
> a web page with a username and password form, but I can't figure out
> how to pass the username/password to Apache so Apache's built-in prompt
> will be bypassed, yet the user will be authenticated.

The key isn't passing the password and user name to Apache, but to the
web browser. In HTTP the server does not maintain state information on
clients (this is not entirely the case now with sessioning and cookies).
The state of authentication needs to be held in the browser client, and
not in the web server.

I don't know of any way of setting user name and password in the web
browser dynamically (with some server header or with some JavaScript).
If you could set HTTP authentication headers for clients from the
server, I would consider it a serious security flaw in the browser.

There are ways around this; notably, you can use cookies or sessioning
instead of standard HTTP authentication, though I wouldn't recommend it.
Many websites use this approach where they are more concerned with
tracking users than protecting resources.

thornton
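
Added example, not part of the original message: a Python model of the two schemes the reply contrasts, showing that with HTTP Basic authentication the credentials ride in every request and the server remembers nothing, while a form login makes the server mint and store a session behind a cookie. The user table, realm, cookie name and paths are constructed for illustration.

```python
import base64
import hmac
import secrets

USERS = {"alice": "s3cret"}   # constructed sample credentials
SESSIONS = {}                 # server-side state, used only by the cookie scheme

def check(user, password):
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())

def basic_auth(headers):
    """Stateless: each request must carry its own Authorization header."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(token, validate=True).decode()
        except ValueError:          # bad base64 or bad UTF-8
            decoded = ""
        user, _, password = decoded.partition(":")
        if check(user, password):
            return 200, {}
    # This challenge is what makes the browser show its own dialog box;
    # the browser, not the server, then caches and resends the credentials.
    return 401, {"WWW-Authenticate": 'Basic realm="secure"'}

def form_login(user, password):
    """Form POST handler: on success the server creates a session."""
    if not check(user, password):
        return 401, {}
    sid = secrets.token_urlsafe(32)     # unguessable session handle
    SESSIONS[sid] = user
    return 302, {"Location": "/secure/",
                 "Set-Cookie": f"sid={sid}; HttpOnly; Secure; SameSite=Lax"}

def cookie_auth(headers):
    """Stateful: the cookie is only a handle; the server looks it up."""
    pairs = (p.strip().partition("=")[::2]
             for p in headers.get("Cookie", "").split(";") if "=" in p)
    if dict(pairs).get("sid") in SESSIONS:
        return 200, {}
    return 302, {"Location": "/login"}
```

A form page cannot put the browser into the first mode; it can only feed the second one, which is why the nicer-looking login ends up as a cookie or session scheme.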