Hi,

I have a folder on my server protected by Apache Basic Authentication, and a third party script in another folder that uses the same username and password for access.

I would like to be able to click on a link or button on a page in the protected folder and have the login information (from PHP_AUTH_USER and PHP_AUTH_PWD) from the protected folder passed to the login form of the third party script and submitted so the user can be automatically logged in to the third party script without having to complete the form or hit the submit button of the third party script.

Relevant information ...

Username from Apache protected folder = PHP_AUTH_USER
Password from Apache protected folder = PHP_AUTH_PWD

Form name on the third party script page = LoginForm
Username field name on the third party script page = login
Password field name on the third party script page = passwd

There are also two hidden fields in the form on the third party script page ...
name = cgi_ret value = /xyz
name = realm value = Joe

Does anyone have any ideas for submitting the user name and password from the Apache protection to the third party script and doing an automatic login?

Many thanks in advance for any suggestions!

Kirk


So you want to click a link in the protected area causing a form to pop up for another user on another computer prefilling and autosubmitting this data, ultimately logging that person into the protected area?

If that is what you are trying to do, it certainly can be done with some creativity. But the process of doing so would require the filling of many holes. For example:
1. How are you going to ensure that this is the correct user and that it is not someone else without some type of authentication? Without authentication, the only way I see of doing this is the first person that hits this URL first gets logged in.
2. Are your passwords encrypted? Since it is the standard Apache authentication, I would assume that it is the standard Apache encryption as well. I have not researched it but is the encryption reversible, allowing you to prefill the form?

I don't know if what I am saying is making sense, but there are a lot of holes and security issues with doing this; these are only a couple.

I want to click on a link/button on a page in protected folder "A" that will open a login page in folder "B", fill in the form with the login and password and submit the form so the user can access and use the script in "B." Both are on the same domain on the same server.

Does that help?

I'm certainly not saying that it can't be done securely. I'm just saying that it is going to be a long, thought-out process, and if you want advice from a forum, I could easily see this thread going 100+ posts, minimum.

I'm certainly not saying that it can't be done securely. I'm just saying that it is going to be a long, thought-out process, and if you want advice from a forum, I could easily see this thread going 100+ posts, minimum.

100 Posts! Wow! Oh well, I'm game.

So you want to click a link in the protected area causing a form to pop up for another user on another computer prefilling and autosubmitting this data, ultimately logging that person into the protected area?

See quick reply above.

If that is what you are trying to do, it certainly can be done with some creativity. But the process of doing so would require the filling of many holes. For example:
1. How are you going to ensure that this is the correct user and that it is not someone else without some type of authentication? Without authentication, the only way I see of doing this is the first person that hits this URL first gets logged in.

The user is logged in to the first protected folder. It uses Apache Basic Authentication so I have the PHP_AUTH_USER and PHP_AUTH_PWD available. The script in folder B uses the same login information. In fact, the script in B generated the htpasswd information for A from its database. I am thinking that passing those variables is the easiest way of passing the login values.

2. Are your passwords encrypted? Since it is the standard Apache authentication, I would assume that it is the standard Apache encryption as well. I have not researched it but is the encryption reversible, allowing you to prefill the form?

Ah, I had not thunk of that. That may be why my current method is causing an error.

Here is what I am doing now ...

<form name="JVM2loginForm" action="http://MyDomain.com/jvm/auth/login.html?cgi_ret=%2Fjvm&realm=Jin$do_login=submit&login=<? $_SERVER['PHP_AUTH_USER'] ?>&passwd=<? $_SERVER['PHP_AUTH_PWD'] ?>&cgi_ret=/jvm&realm=Jin" method="post">
<p><input type="submit" name="Submit" value="Execute" /></p>
</form>
<script type="text/javascript" language="JavaScript"><!-- window.onload=function( )
{
    document.JVM2loginForm.submit();
}
//--></script>

I don't know if what I am saying is making sense, but there are a lot of holes and security issues with doing this.

Here is more on the scenario ...

I have a third party script that I use to sell memberships to a protected folder. The script then generates the htpasswd file that restricts access to the members. The script also creates user accounts which allow my members to become affiliates. These affiliate accounts are managed by the third party script and are accessed using the same username and password as it assigns for the protected folder.

I want my members to be able to enter the affiliate management function part of the third party script with one click from the protected folder without having to re-enter their login information, since it is the same and they are coming directly from the protected folder on the same server.

Since you have mentioned the encryption factor of the PHP_AUTH_PWD, I am thinking I need to research that part a bit.

Thanks, and if you have any ideas, please let me know.

Kirk

I think your biggest hurdle is going to be the password. Since this is normally encrypted, you will need to store the plain text version in your database and then query the database when you want to prefill the form.

I think your biggest hurdle is going to be the password. Since this is normally encrypted, you will need to store the plain text version in your database and then query the database when you want to prefill the form.

I just checked a script another guy had developed for me and he is using the password directly in an echo statement. When I look at the data where it is inserted, it is in text, so apparently when it is retrieved, Apache decrypts it in PHP_AUTH_PWD.

I tried to use his stuff, but in that usage it is on another of my domains plus we had access to the code of the receiving page.

Thanks,
Kirk
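
Added example (not part of the thread and not the third-party script's code): a hand-off page for the protected folder that posts the Basic Authentication credentials to the login form as hidden, HTML-escaped fields instead of placing them in the URL. The `https://` scheme, the `do_login` field and the field values are assumptions taken from the URL posted above; `PHP_AUTH_PW` is the name PHP gives the password variable.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Assumes this file sits in protected
// folder "A" and that the third-party form accepts a plain POST of its fields.

// With Basic auth the browser sends "Authorization: Basic base64(user:pass)" on
// every request; Apache checks it against the one-way hash in htpasswd and PHP
// exposes what the browser sent. PHP names the password variable PHP_AUTH_PW.
// Both may be unset when PHP runs as CGI/FastCGI instead of an Apache module.
$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? null;
if ($user === null || $pass === null) {
    http_response_code(401);
    exit('Not authenticated');
}

// The page body contains the password: forbid caching and serve it over HTTPS.
header('Cache-Control: no-store');
header('Content-Type: text/html; charset=utf-8');

$action = 'https://MyDomain.com/jvm/auth/login.html'; // assumed; thread used http://
$fields = [                  // sent in the POST body, so the values stay out of
    'login'    => $user,     // the URL, access logs and Referer headers
    'passwd'   => $pass,
    'cgi_ret'  => '/jvm',    // hidden-field values as they appear in the thread
    'realm'    => 'Jin',
    'do_login' => 'submit',  // from the thread's URL; assumed to be expected
];
// Escape every value so quotes or markup in a password cannot break the form.
$e = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
?>
<!DOCTYPE html>
<html>
<body>
<form name="LoginForm" action="<?= $e($action) ?>" method="post">
<?php foreach ($fields as $name => $value): ?>
  <input type="hidden" name="<?= $e($name) ?>" value="<?= $e($value) ?>">
<?php endforeach; ?>
  <noscript><input type="submit" value="Continue"></noscript>
</form>
<script>document.forms.LoginForm.submit();</script>
</body>
</html>
```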
