httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From (Sean Conner)
Subject Re: [users@httpd] Enable/Disable .htaccess' require valid-user with
Date Sun, 23 Oct 2005 06:57:15 GMT
It was thus said that the Great Dan Trainor once stated:
> Sean Conner wrote:
> > It was thus said that the Great Dan Trainor once stated:
> > 
> >>The initial authentication would take place via PHP form.  I understand
> >>how 'require valid-user' works, and how it's used.
> >>
> >>I figured out a way to do it, I'll re-post later on after I test a bit.
> >>  I'm using PHP to use apache_setenv(), and then using IfDefine inside
> >>an .htaccess file here.  It looks to be working....  like I said, I'll
> >>update you on this a bit later after I test more.
> > 
> > 
> >   Is there a reason why the authentication has to be done via PHP and not
> > through Apache?  This seems very awkard to me.
> > 
> It's for a secondary authentication implemeneted by PHP, instead of 
> .htaccess.  The hope is, that I can set an env var in Apache that would 
> make it so that Apache did not require a valid user using 'AuthType 
> Basic'.  I'd liek to use this PHP script in conjunction with existing 
> authentication systems, such as those using htaccess as we know it today.
> Would something like this be totally outrageous?  Am I completely out of 
> my mind?  Can I even use IfDefine in this context?
>          require valid-user
> </IfDefine>
> ...if I were to define an Apache env var named SKIPHTTPAUTH from within 
> a PHP script?

  I don't think that would work.  Given that PHP requires the fork model (I
wouldn't trust PHP to run correctly under a threaded version of Apache, and
neither do the PHP guys from what I understand), even if you do set the
environment, and if the Apache process can see that environment variable,
it's only set in the process that did it and subsequent requests for pages
may not be served by that particular process.  You would have to have some
means of propagating that environment variable to the other Apache
processes (and before you ask, such a task would require modification to
Apache since environment passing between sibling processes, or from a child
process back to the parent process, is not something I've ever seen
done---not saying it's impossible, but it is quite a bit of work).

  And even then, *if* you were to get this to work, what would the
environment variable look like?  What happens if two users hit the same page
at the same time, one authenticated and one not?  How does Apache know which
one to let through?

  -spc (You do know that the Apache authenticated user is available to
	CGI scripts, through the REMOTE_USER environment variable?)

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message