Solved

Send Basic Authentication Info to a UNIX-hosted Page via an ASP Script

Posted on 2007-03-30
Last Modified: 2012-05-05
  Built a fairly complex web database application in PHP & MySQL.  It works great on my UNIX server.
   Turns out I've decided I should serve the application on the corporate intrAnet server, so it can be internal-only without the inconvenience of users having to log in to the private web pages.  
   But the intranet server is IIS with ASP (and they don't plan to install PHP).  So I'm looking for a way to avoid re-writing the whole application in ASP, with which I'm not familiar.  
   I'm looking for a way to keep the data-intensive pages on the UNIX server with PHP/MySQL, and just make a couple of "doorway" pages in ASP, which would get users into the UNIX-served pages.  
    Easy enough, but this needs to be transparent. Instead of getting prompted for a UNIX Basic Authentication login when moving from an IIS/ASP page to a UNIX/PHP page, I want to make the few ASP scripts send the Basic Authentication info to the UNIX server.  That way, users behind the corporate intrAnet would not have the inconvenience of logging in to the basic authentication popup whenever they open one of the UNIX-hosted pages.
     Sending basic authentication is possible with some PHP functions, but I need to do this with ASP.
     What function or commands can I embed into the ASP form or script so that they will send basic authentication user/password info to the protected pages on the UNIX site?  So the ASP users will not have to know or input a user/password when accessing one of the unix pages?
Question by:Randall-B
14 Comments
 
LVL 14

Expert Comment

by:_Stilgar_
ID: 18829994
I'm not sure how exactly this is done. If it is using an HTTP request, check out XMLHTTP:

http://www.asp101.com/samples/viewasp.asp?file=http.asp

Stilgar.
0
 

Author Comment

by:Randall-B
ID: 18831133
   That is very useful. The ASP script grabs the HTML source of a specified URL even if the target page is protected by httpd basic authentication (because it sends the User & Password as GET data).  I tested it and it works great for grabbing and displaying html from a different web page.

    But what I need is to actually log the user in to the unix-hosted site, without the user seeing an http basic authentication popup.  
    In other words, the ASP script needs to redirect the user to the unix-hosted page and supply the User & Password so the unix-hosted page opens in the browser as if it was not password protected (because the ASP script is sending the User & Password transparently).

  Here is what I *don't* want:
        1. User opens ASP page
        2. User clicks on link to a unix-hosted page
        3. User sees popup for http authentication
        4. User manually types in User & Password
 
Here is what I actually need:
        1. User opens ASP page
        2. ASP page automatically redirects user to a unix-hosted page
        3. Transparently, ASP page sends User & Password as credentials for http basic authentication
        4. Unix-hosted page opens without user ever seeing authentication popup
       This way, the user does not know what the username & password are; this is more secure because they won't be able to tell other people who might try to use that knowledge to log in from outside the corporate intranet.  
     Because the ASP page is securely available only to trusted users behind the corporate firewall, only those trusted users would be able to access the ASP page, and it should open the unix-hosted page transparently.  How can this be done?
0
 
LVL 14

Accepted Solution

by:
_Stilgar_ earned 250 total points
ID: 18831148
You should somehow pass the credentials when using the .Send function. Either by using POST and using some variables, or by formatting the URL to look something like http://username:pwd@host.com/page.asp. I'm not sure exactly how it works, this authentication process, but those are worth trying.

Stilgar.
0
 

Author Comment

by:Randall-B
ID: 18831159
I hope you or other experts can give more details about passing the credentials with the .Send function. Thanks.
0
 
LVL 14

Expert Comment

by:_Stilgar_
ID: 18831163
Before that, try the URL formatting I suggested, using the @ sign. It works with FTP, it might as well work with private HTTP pages.

Stilgar.
0
 

Author Comment

by:Randall-B
ID: 18831164
I like the simplicity of that URL method, but wouldn't users be able to see the username & password by looking at the source code of the ASP page? (I want to keep that information private.)
0
 
LVL 14

Expert Comment

by:_Stilgar_
ID: 18831167
If you're re-directing their browser, then yes. But you asked to make this whole process behind the scenes, using an http request - this way you're retrieving information, and no one can know where from.

Stilgar.
0
 

Author Comment

by:Randall-B
ID: 18831172
OK, I guess I did not explain it right.  What I actually want to do is to redirect them to a protected page. But instead of making them type in the username and password for that protected (unix-hosted) page, I just want their original (ASP) page to send the username and password to the target page.
    When I said "transparent," I meant the user will not notice that the unix-hosted page is password-protected, because the IIS ASP script would have sent the credentials to the unix php page; the user would not have to type in the user/password.
0
 
LVL 14

Expert Comment

by:_Stilgar_
ID: 18831175
I see. Well, the URL approach would expose those details. Since I don't know any other way, I'd create a proxy script, that will grab all HTML data from the unix server using XMLHTTP, and post it back to the user with response.write. That is my solution - it will be totally secured, but a bit lame, I admit.

Stilgar.
0
 

Author Comment

by:Randall-B
ID: 18831198
I guess that would work, if I adjust a few things about my php pages that would be grabbed and posted back to the ASP user.  I think I could handle that part based on the script you provided in your first comment.  
     But here's another thought:  if I restrict the IP blocks and addresses that can access the unix pages, I could prevent outside people from accessing the unix php pages -- even if a corporate employee were to tell them the user/pass.  I would set the IP restriction to the corporate IP.  Then it might be OK to use the URL approach in a redirect.  

    Assuming the unix-hosted page is http://216.92.61.99/private (where the Username is "user" and the Password is "password"), would the ASP or HTML page just contain something like:

<html>
<head>
<meta http-equiv="refresh" content="0; URL=http://user:password@216.92.61.99/private/index.htm">
</head>

<body>
</body>
</html>
   
When I tested that, it did not work. Also, I noticed the username and password were displayed in the browser address bar. (I might not mind having them in the ASP page source code, but I don't want to display them in the address bar.)
0
 

Author Comment

by:Randall-B
ID: 18831221
This ASP is not working either:

<html>
<body>
<% response.redirect "http://user:password@216.92.61.99/private/index.htm" %>
</body>
</html>
0
 

Author Comment

by:Randall-B
ID: 18831255
Hmm . . . even this did not work:

<%
Response.Write "<html><head><title>Redirect</title>"
Response.Write "<meta http-equiv=" & Chr(34) & "refresh" & Chr(34) & " content=" & Chr(34) & "0;url=http://user:password@216.92.61.99/private/index.htm" & Chr(34) & ">"
Response.Write "</head>"
Response.Write "<body>Redirecting...<a href=" & Chr(34) & "http://user:password@216.92.61.99/private/index.htm" & Chr(34) & ">Click if not automatically redirected.</a></body></html>"
%>
0
 

Author Comment

by:Randall-B
ID: 18831294
The final comment at the bottom of http:Q_21525204.html  sounds like it can do what I need, but I don't understand how or where to implement it.
0
 

Author Comment

by:Randall-B
ID: 18832030
I discovered the  http://username:password@myexample.com   method works fine with Mozilla Firefox.
    The reason it was not working in Internet Explorer is because Microsoft disabled that behavior in a security update (KB 832894). See http://support.microsoft.com/default.aspx?scid=kb;en-us;834489
     Now Microsoft recommends using one of the two methods below:

    1) Use the InternetSetOption function and include the following option flags:
     • INTERNET_OPTION_USERNAME
     • INTERNET_OPTION_PASSWORD
or
 2) Use the IAuthenticate Interface.

I would like to use one of those but do not know how.  


For now, I tweaked the registry to disable the new behavior (so it will stop blocking the old username:password@ method).  After tweaking the registry, the following 2 methods work:

1)  HTM

<html>
 <head>
  <meta http-equiv="refresh" content="0; URL=http://user:password@216.92.61.99/private/index.htm">
  </head>
 <body>
</body>
</html>


2) ASP

<%
Response.Write "<html><head><title>Redirect</title>"
Response.Write "<meta http-equiv=" & Chr(34) & "refresh" & Chr(34) & " content=" & Chr(34) & "0;url=http://user:password@216.92.61.99/private/index.htm" & Chr(34) & ">"
Response.Write "</head>"
Response.Write "<body>Redirecting...<a href=" & Chr(34) & "http://user:password@216.92.61.99/private/index.htm" & Chr(34) & ">Click if not automatically redirected.</a></body></html>"
%>

But those methods would require having my users tweak their registry.  

Can you give more information about the .Send function that you mentioned earlier?  Or do you know how to use the InternetSetOption function?  Thanks.
0
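
The proxy approach suggested in the thread (fetch the protected page server-side with XMLHTTP and write it back with Response.Write), including how credentials are passed on the request, as an added example that is not code from any poster here. The file name proxy.asp, the page query parameter, the host unix-host.example and the credentials are constructed placeholders, and MSXML 6 is assumed to be installed on the IIS server.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Constructed placeholders: in practice load these from a file outside the
' web root so the credentials never sit in a servable file.
Const UPSTREAM_BASE = "https://unix-host.example/private/"
Const UPSTREAM_USER = "user"
Const UPSTREAM_PASS = "password"

' Allow only simple relative page names (letters, digits, "_", "-", "/")
' ending in a known extension. This rejects "..", "@", ":", "?" and full
' URLs, so the script cannot be pointed at another host or outside /private/.
Function IsSafePage(ByVal page)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_\-]+(/[A-Za-z0-9_\-]+)*\.(php|htm|html)$"
    IsSafePage = re.Test(page)
End Function

Dim page, http
page = Request.QueryString("page")
If Len(page) = 0 Then page = "index.htm"

If Not IsSafePage(page) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid page name."
    Response.End
End If

' ServerXMLHTTP is the server-side variant of XMLHTTP. The 4th and 5th
' arguments of open() are the user name and password used to answer the
' UNIX server's Basic authentication challenge. They travel only between
' IIS and the UNIX server and never reach the browser or its address bar.
Set http = Server.CreateObject("MSXML2.ServerXMLHTTP.6.0")
http.setTimeouts 5000, 5000, 10000, 30000   ' resolve, connect, send, receive (ms)
http.open "GET", UPSTREAM_BASE & page, False, UPSTREAM_USER, UPSTREAM_PASS
http.send

If http.status = 200 Then
    Response.Write http.responseText
Else
    ' Do not echo upstream error bodies or the upstream URL to the client.
    Response.Status = "502 Bad Gateway"
    Response.Write "Upstream page unavailable."
End If
Set http = Nothing
%>
```

Basic authentication is only base64-encoded, so the IIS-to-UNIX hop should use HTTPS, and the UNIX server can additionally accept requests only from the IIS server's address. Links and form actions in the returned HTML still point at the UNIX host and need rewriting to go through the proxy page; this sketch handles GET only.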
