Link to home
Start Free TrialLog in
Avatar of Randall-B
Randall-B

asked on

Send Basic Authentication Info to a UNIX-hosted Page via an ASP Script

  Built a fairly complex web database application in PHP & MySQL.  It works great on my UNIX server.
   Turns out I've decided I should serve the application on the corporate intrAnet server, so it can be internal-only without the inconvenience of users having to log in to the private web pages.  
   But the intranet server is IIS with ASP (and they don't plan to install PHP).  So I'm looking for a way to avoid re-writing the whole application in ASP, with which I'm not familiar.  
   I'm looking for a way to keep the data-intensive pages on the UNIX server with PHP/MySQL, and just make a couple of "doorway" pages in ASP, which would get users into the UNIX-served pages.  
    Easy enough, but this needs to be transparent. Instead of getted prompted for a UNIX Basic Athentication login when moving from an IIS/ASP page to a UNIX/PHP page, I want to make the few ASP scripts send the Basic Authentication info to the UNIX server.  That way, users behind the corporate intrAnet would not have the inconvenience of logging in to the basic authentication popup whenever they open one of the UNIX-hosted pages.
     Sending basic authentication is possible with some PHP functions, but I need to do this with ASP.
     What function or commands can I embed into the ASP form or script so that they will send basic authentication user/password info to the protected pages on the UNIX site?  So the ASP users will not have to know or input a user/password when accessing one of the unix pages?
Avatar of _Stilgar_
_Stilgar_
Flag of Israel image

I'm not sure how exactly this is done. If it is using an HTTP request, check out XMLHTTP:

http://www.asp101.com/samples/viewasp.asp?file=http.asp

Stilgar.
Avatar of Randall-B
Randall-B

ASKER

   That is a very useful. The ASP script grabs the HTML source of a specified URL even if the target page is protected by httpd basic authentication (because it sends the User & Password as GET data).  I tested it and it works great for grabbind and displaying html from a different web page.

    But what I need is to actually log the user in to the unix-hosted site, without the user seeing an http basic authentication popup.  
    In other words, the ASP script needs to redirect the user to the unix-hosted page and supply the User & Password so the unix-hosted page opens in the browser as if it was not password protected (because the ASP script is sending the User & Password transparently).

  Here is what I *don't* want:
        1. User opens ASP page
        2. User clicks on link to a unix-hosted page
        3. User sees popup for http authentication
        4. User manually types in User & Password
 
Here is what I actually need:
        1. User opens ASP page
        2. ASP page automatically redirects user to a unix-hosted page
        3. Transparently, ASP page sends User & Password as credentials for http basic authentication
        4. Unix-hosted page opens without user ever seeing authentication popup
       This way, the user does not know what the username & password are; this is more secure because they won't be able to tell other people who might try to use that knowledge to log in from outside the corporate intranet.  
     Because the ASP page is securely available only to trusted users behind the corporate firewall, only those trusted users would be able to access the ASP page, and it should open the unix-hosted page transparently.  How can this be done?
ASKER CERTIFIED SOLUTION
Avatar of _Stilgar_
_Stilgar_
Flag of Israel image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I hope you or other experts can give more details about the passing the credentials with the .Send function. Thanks.
Before that, try the URL formatting I suggested, usign the @ sign. I works with FTP, it might as well work with private HTTP pages.

Stilgar.
I like the simplicity of that URL method, but wouldn't users be able to see the username & password by looking at the source code of the ASP page? (I want to keep that information private.)
if you're re-directing their browser, then yes. But you asked to make this whole process behined the scenes, using the an http request - this way you're retrieving information, and no one can know where from.

Stilgar.
OK, I guess I did not explain it right.  What I actually want to do is to redirect them to a protected page. But instead of making them type in the username and password for that protected (unix-hosted) page, I just want their original (ASP) page to send the username and password to the target page.
    When I said "transparent," I meant the user will not notice that the unix-hosted page is password-protected, because the IIS ASP script would have sent the credentials to the unix php page; the user would not have to type in the user/password.
I see. Well, the URL approach would expose those details. Since I don't know any other way, I'd create a proxy script, that will grab all HTML data from the unix server using XMLHTTP, and post it back to the user with response.write. That is my solution - it will be totally secured, but a bit lame, I admit.

Stilgar.
I guess that would work, if I adjust a few things about my php pages that would be grabbed and posted back to the ASP user.  I think I could handle that part based on the script you privded in your first comment.  
     But here's another thought:  if I restrict the IP blocks and addresses that can access the unix pages, I could prevent outside people from accessing the unix php pages -- even if a corporate employee were to tell them the user/pass.  I would set the IP restriction to the corporate IP.  Then it might be OK to use the URL approach in a redirect.  

    Assuming the unix-hosted page is http://216.92.61.99/private (where the Username is "user" and the Password is "password"), would the ASP or HTML page just contain something like:

<html>
<head>
<meta http-equiv="refresh" content="0; URL=http://user:password@216.92.61.99/private/index.htm">
</head>

<body>
</body>
</html>
   
When I tested that, it did not work. Also, I noticed the username and password were displayed in the browser address bar. (I might not mind having them in the ASP page source code, but I don't want to display them in the address bar.)
This ASP is not working either:

<html>
<body>
<% response.redirect "http://user:password@216.92.61.99/private/index.htm" %>
</body>
</html>
Hmm . . . even this did not work:

<%
Response.Write "<html><head><title>Redirect</title>"
Response.Write "<meta http-equiv=" & Chr(34) & "refresh" & Chr(34) & " content=" & Chr(34) & "0;url=http://user:password@216.92.61.99/private/index.htm" & Chr(34) & ">"
Response.Write "</head>"
Response.Write "<body>Redirecting...<a href=" & Chr(34) & "http://user:password@216.92.61.99/private/index.htm" & Chr(34) & ">Click if not automatically redirected.</a></body></html>"
%>
The final comment at the bottom of http:Q_21525204.html  sounds like it can do what I need, but I don't understand how or where to implement it.
I discovered the  http://username:password@myexample.com   method works fine with Mozilla Firefox.
    The reason it was not working in Internet Explorer is because Microsoft disabled that behavior in a security update (KB 832894). See http://support.microsoft.com/default.aspx?scid=kb;en-us;834489
     Now Microsoft recommends using one of the two methods below:

    1) Use the InternetSetOption function and include the following option flags:
     • INTERNET_OPTION_USERNAME
     • INTERNET_OPTION_PASSWORD
or
 2) Use the IAuthenticate Interface.

I would like to use one of those but do not know how.  


For now, I tweaked the registry to disable the new behavior (so it will stop blocking the old username:password@ method).  After tweaking the registry, the following 2 methods work:

1)  HTM

<html>
 <head>
  <meta http-equiv="refresh" content="0; URL=http://user:password@216.92.61.99/private/index.htm">
  </head>
 <body>
</body>
</html>


2) ASP

<%
Response.Write "<html><head><title>Redirect</title>"
Response.Write "<meta http-equiv=" & Chr(34) & "refresh" & Chr(34) & " content=" & Chr(34) & "0;url=http://user:password@216.92.61.99/private/index.htm" & Chr(34) & ">"
Response.Write "</head>"
Response.Write "<body>Redirecting...<a href=" & Chr(34) & "http://user:password@216.92.61.99/private/index.htm" & Chr(34) & ">Click if not automatically redirected.</a></body></html>"
%>

But those methods would require having my users tweak their registry.  

Can you give more information about the .Send function that you mentioned earlier?  Or do you know how to use the InternetSetOption function?  Thanks.