?
Solved

Send Basic Authentication Info to a UNIX-hosted Page via an ASP Script

Posted on 2007-03-30
14
Medium Priority
?
309 Views
Last Modified: 2012-05-05
  Built a fairly complex web database application in PHP & MySQL.  It works great on my UNIX server.
   Turns out I've decided I should serve the application on the corporate intrAnet server, so it can be internal-only without the inconvenience of users having to log in to the private web pages.  
   But the intranet server is IIS with ASP (and they don't plan to install PHP).  So I'm looking for a way to avoid re-writing the whole application in ASP, with which I'm not familiar.  
   I'm looking for a way to keep the data-intensive pages on the UNIX server with PHP/MySQL, and just make a couple of "doorway" pages in ASP, which would get users into the UNIX-served pages.  
    Easy enough, but this needs to be transparent. Instead of getted prompted for a UNIX Basic Athentication login when moving from an IIS/ASP page to a UNIX/PHP page, I want to make the few ASP scripts send the Basic Authentication info to the UNIX server.  That way, users behind the corporate intrAnet would not have the inconvenience of logging in to the basic authentication popup whenever they open one of the UNIX-hosted pages.
     Sending basic authentication is possible with some PHP functions, but I need to do this with ASP.
     What function or commands can I embed into the ASP form or script so that they will send basic authentication user/password info to the protected pages on the UNIX site?  So the ASP users will not have to know or input a user/password when accessing one of the unix pages?
0
Comment
Question by:Randall-B
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 5
14 Comments
 
LVL 14

Expert Comment

by:_Stilgar_
ID: 18829994
I'm not sure how exactly this is done. If it is using an HTTP request, check out XMLHTTP:

http://www.asp101.com/samples/viewasp.asp?file=http.asp

Stilgar.
0
 

Author Comment

by:Randall-B
ID: 18831133
   That is a very useful. The ASP script grabs the HTML source of a specified URL even if the target page is protected by httpd basic authentication (because it sends the User & Password as GET data).  I tested it and it works great for grabbind and displaying html from a different web page.

    But what I need is to actually log the user in to the unix-hosted site, without the user seeing an http basic authentication popup.  
    In other words, the ASP script needs to redirect the user to the unix-hosted page and supply the User & Password so the unix-hosted page opens in the browser as if it was not password protected (because the ASP script is sending the User & Password transparently).

  Here is what I *don't* want:
        1. User opens ASP page
        2. User clicks on link to a unix-hosted page
        3. User sees popup for http authentication
        4. User manually types in User & Password
 
Here is what I actually need:
        1. User opens ASP page
        2. ASP page automatically redirects user to a unix-hosted page
        3. Transparently, ASP page sends User & Password as credentials for http basic authentication
        4. Unix-hosted page opens without user ever seeing authentication popup
       This way, the user does not know what the username & password are; this is more secure because they won't be able to tell other people who might try to use that knowledge to log in from outside the corporate intranet.  
     Because the ASP page is securely available only to trusted users behind the corporate firewall, only those trusted users would be able to access the ASP page, and it should open the unix-hosted page transparently.  How can this be done?
0
 
LVL 14

Accepted Solution

by:
_Stilgar_ earned 750 total points
ID: 18831148
You should somehow pass the credentials when using the .Send function. Either by using POST and using some variables, or by formatting the URL to look something like http://username:pwd@host.com/page.asp. I'm not sure exactly how it works, this authentication process, but those are worth trying.

Stilgar.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:Randall-B
ID: 18831159
I hope you or other experts can give more details about the passing the credentials with the .Send function. Thanks.
0
 
LVL 14

Expert Comment

by:_Stilgar_
ID: 18831163
Before that, try the URL formatting I suggested, usign the @ sign. I works with FTP, it might as well work with private HTTP pages.

Stilgar.
0
 

Author Comment

by:Randall-B
ID: 18831164
I like the simplicity of that URL method, but wouldn't users be able to see the username & password by looking at the source code of the ASP page? (I want to keep that information private.)
0
 
LVL 14

Expert Comment

by:_Stilgar_
ID: 18831167
if you're re-directing their browser, then yes. But you asked to make this whole process behined the scenes, using the an http request - this way you're retrieving information, and no one can know where from.

Stilgar.
0
 

Author Comment

by:Randall-B
ID: 18831172
OK, I guess I did not explain it right.  What I actually want to do is to redirect them to a protected page. But instead of making them type in the username and password for that protected (unix-hosted) page, I just want their original (ASP) page to send the username and password to the target page.
    When I said "transparent," I meant the user will not notice that the unix-hosted page is password-protected, because the IIS ASP script would have sent the credentials to the unix php page; the user would not have to type in the user/password.
0
 
LVL 14

Expert Comment

by:_Stilgar_
ID: 18831175
I see. Well, the URL approach would expose those details. Since I don't know any other way, I'd create a proxy script, that will grab all HTML data from the unix server using XMLHTTP, and post it back to the user with response.write. That is my solution - it will be totally secured, but a bit lame, I admit.

Stilgar.
0
 

Author Comment

by:Randall-B
ID: 18831198
I guess that would work, if I adjust a few things about my php pages that would be grabbed and posted back to the ASP user.  I think I could handle that part based on the script you privded in your first comment.  
     But here's another thought:  if I restrict the IP blocks and addresses that can access the unix pages, I could prevent outside people from accessing the unix php pages -- even if a corporate employee were to tell them the user/pass.  I would set the IP restriction to the corporate IP.  Then it might be OK to use the URL approach in a redirect.  

    Assuming the unix-hosted page is http://216.92.61.99/private (where the Username is "user" and the Password is "password"), would the ASP or HTML page just contain something like:

<html>
<head>
<meta http-equiv="refresh" content="0; URL=http://user:password@216.92.61.99/private/index.htm">
</head>

<body>
</body>
</html>
   
When I tested that, it did not work. Also, I noticed the username and password were displayed in the browser address bar. (I might not mind having them in the ASP page source code, but I don't want to display them in the address bar.)
0
 

Author Comment

by:Randall-B
ID: 18831221
This ASP is not working either:

<html>
<body>
<% response.redirect "http://user:password@216.92.61.99/private/index.htm" %>
</body>
</html>
0
 

Author Comment

by:Randall-B
ID: 18831255
Hmm . . . even this did not work:

<%
Response.Write "<html><head><title>Redirect</title>"
Response.Write "<meta http-equiv=" & Chr(34) & "refresh" & Chr(34) & " content=" & Chr(34) & "0;url=http://user:password@216.92.61.99/private/index.htm" & Chr(34) & ">"
Response.Write "</head>"
Response.Write "<body>Redirecting...<a href=" & Chr(34) & "http://user:password@216.92.61.99/private/index.htm" & Chr(34) & ">Click if not automatically redirected.</a></body></html>"
%>
0
 

Author Comment

by:Randall-B
ID: 18831294
The final comment at the bottom of http:Q_21525204.html  sounds like it can do what I need, but I don't understand how or where to implement it.
0
 

Author Comment

by:Randall-B
ID: 18832030
I discovered the  http://username:password@myexample.com   method works fine with Mozilla Firefox.
    The reason it was not working in Internet Explorer is because Microsoft disabled that behavior in a security update (KB 832894). See http://support.microsoft.com/default.aspx?scid=kb;en-us;834489
     Now Microsoft recommends using one of the two methods below:

    1) Use the InternetSetOption function and include the following option flags:
     • INTERNET_OPTION_USERNAME
     • INTERNET_OPTION_PASSWORD
or
 2) Use the IAuthenticate Interface.

I would like to use one of those but do not know how.  


For now, I tweaked the registry to disable the new behavior (so it will stop blocking the old username:password@ method).  After tweaking the registry, the following 2 methods work:

1)  HTM

<html>
 <head>
  <meta http-equiv="refresh" content="0; URL=http://user:password@216.92.61.99/private/index.htm">
  </head>
 <body>
</body>
</html>


2) ASP

<%
Response.Write "<html><head><title>Redirect</title>"
Response.Write "<meta http-equiv=" & Chr(34) & "refresh" & Chr(34) & " content=" & Chr(34) & "0;url=http://user:password@216.92.61.99/private/index.htm" & Chr(34) & ">"
Response.Write "</head>"
Response.Write "<body>Redirecting...<a href=" & Chr(34) & "http://user:password@216.92.61.99/private/index.htm" & Chr(34) & ">Click if not automatically redirected.</a></body></html>"
%>

But those methods would require having my users tweak their registry.  

Can you give more information about the .Send function that you mentioned earlier?  Or do you know how to use the InternetSetOption function?  Thanks.
0

Featured Post

New benefit for Premium Members - Upgrade now!

Ready to get started with anonymous questions today? It's easy! Learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello, all! I just recently started using Microsoft's IIS 7.5 within Windows 7, as I just downloaded and installed the 90 day trial of Windows 7. (Got to love Microsoft for allowing 90 days) The main reason for downloading and testing Windows 7 is t…
Have you ever needed to get an ASP script to wait for a while? I have, just to let something else happen. Or in my case, to allow other stuff to happen while I was murdering my MySQL database with an update. The Original Issue This was written…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question