Solved

Send Basic Authentication Info to a UNIX-hosted Page via an ASP Script

Posted on 2007-03-30
Last Modified: 2012-05-05
  Built a fairly complex web database application in PHP & MySQL.  It works great on my UNIX server.
   Turns out I've decided I should serve the application on the corporate intrAnet server, so it can be internal-only without the inconvenience of users having to log in to the private web pages.  
   But the intranet server is IIS with ASP (and they don't plan to install PHP).  So I'm looking for a way to avoid re-writing the whole application in ASP, with which I'm not familiar.  
   I'm looking for a way to keep the data-intensive pages on the UNIX server with PHP/MySQL, and just make a couple of "doorway" pages in ASP, which would get users into the UNIX-served pages.  
    Easy enough, but this needs to be transparent. Instead of getting prompted for a UNIX Basic Authentication login when moving from an IIS/ASP page to a UNIX/PHP page, I want to make the few ASP scripts send the Basic Authentication info to the UNIX server.  That way, users behind the corporate intrAnet would not have the inconvenience of logging in to the basic authentication popup whenever they open one of the UNIX-hosted pages.
     Sending basic authentication is possible with some PHP functions, but I need to do this with ASP.
     What function or commands can I embed into the ASP form or script so that they will send basic authentication user/password info to the protected pages on the UNIX site?  So the ASP users will not have to know or input a user/password when accessing one of the unix pages?
0
Question by:Randall-B
LVL 14

Expert Comment

by:_Stilgar_
ID: 18829994
I'm not sure how exactly this is done. If it is using an HTTP request, check out XMLHTTP:

http://www.asp101.com/samples/viewasp.asp?file=http.asp

Stilgar.
0
 

Author Comment

by:Randall-B
ID: 18831133
   That is very useful. The ASP script grabs the HTML source of a specified URL even if the target page is protected by httpd basic authentication (because it sends the User & Password as GET data).  I tested it and it works great for grabbing and displaying html from a different web page.

    But what I need is to actually log the user in to the unix-hosted site, without the user seeing an http basic authentication popup.  
    In other words, the ASP script needs to redirect the user to the unix-hosted page and supply the User & Password so the unix-hosted page opens in the browser as if it was not password protected (because the ASP script is sending the User & Password transparently).

  Here is what I *don't* want:
        1. User opens ASP page
        2. User clicks on link to a unix-hosted page
        3. User sees popup for http authentication
        4. User manually types in User & Password
 
Here is what I actually need:
        1. User opens ASP page
        2. ASP page automatically redirects user to a unix-hosted page
        3. Transparently, ASP page sends User & Password as credentials for http basic authentication
        4. Unix-hosted page opens without user ever seeing authentication popup
       This way, the user does not know what the username & password are; this is more secure because they won't be able to tell other people who might try to use that knowledge to log in from outside the corporate intranet.  
     Because the ASP page is securely available only to trusted users behind the corporate firewall, only those trusted users would be able to access the ASP page, and it should open the unix-hosted page transparently.  How can this be done?
0
 
LVL 14

Accepted Solution

by:
_Stilgar_ earned 250 total points
ID: 18831148
You should somehow pass the credentials when using the .Send function. Either by using POST and using some variables, or by formatting the URL to look something like http://username:pwd@host.com/page.asp. I'm not sure exactly how it works, this authentication process, but those are worth trying.

Stilgar.
0
 

Author Comment

by:Randall-B
ID: 18831159
I hope you or other experts can give more details about passing the credentials with the .Send function. Thanks.
0
 
LVL 14

Expert Comment

by:_Stilgar_
ID: 18831163
Before that, try the URL formatting I suggested, using the @ sign. It works with FTP, it might as well work with private HTTP pages.

Stilgar.
0
 

Author Comment

by:Randall-B
ID: 18831164
I like the simplicity of that URL method, but wouldn't users be able to see the username & password by looking at the source code of the ASP page? (I want to keep that information private.)
0
 
LVL 14

Expert Comment

by:_Stilgar_
ID: 18831167
If you're re-directing their browser, then yes. But you asked to make this whole process behind the scenes, using an HTTP request - this way you're retrieving information, and no one can know where from.

Stilgar.
0
 

Author Comment

by:Randall-B
ID: 18831172
OK, I guess I did not explain it right.  What I actually want to do is to redirect them to a protected page. But instead of making them type in the username and password for that protected (unix-hosted) page, I just want their original (ASP) page to send the username and password to the target page.
    When I said "transparent," I meant the user will not notice that the unix-hosted page is password-protected, because the IIS ASP script would have sent the credentials to the unix php page; the user would not have to type in the user/password.
0
 
LVL 14

Expert Comment

by:_Stilgar_
ID: 18831175
I see. Well, the URL approach would expose those details. Since I don't know any other way, I'd create a proxy script, that will grab all HTML data from the unix server using XMLHTTP, and post it back to the user with response.write. That is my solution - it will be totally secured, but a bit lame, I admit.

Stilgar.
0
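Added example, not part of the original thread: a minimal classic ASP proxy page of the kind described in the comment above, where the server makes the authenticated request so the Basic credentials never appear in page source or the address bar. The upstream host, the account values and the `report.php` entry are placeholders (assumptions); HTTPS is assumed because Basic credentials are only base64-encoded on the wire.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example: server-side proxy that keeps the Basic credentials on the IIS host.
' UPSTREAM_BASE, the account and the page allow-list are placeholders (assumptions).
Const UPSTREAM_BASE = "https://unix-host.example/private/"
Const UPSTREAM_USER = "user"       ' placeholder; keep outside the web root in practice
Const UPSTREAM_PASS = "password"   ' placeholder

Dim allowed, page, http
' Only pages named here can be fetched; the caller never supplies a host or a path,
' so the script cannot be used to reach arbitrary URLs.
Set allowed = Server.CreateObject("Scripting.Dictionary")
allowed.Add "index", "index.htm"
allowed.Add "report", "report.php"   ' hypothetical second page

page = LCase(Trim(Request.QueryString("page")))
If page = "" Then page = "index"
If Not allowed.Exists(page) Then
    Response.Status = "404 Not Found"
    Response.End
End If

Set http = Server.CreateObject("MSXML2.ServerXMLHTTP.6.0")
http.setTimeouts 5000, 5000, 10000, 30000   ' resolve, connect, send, receive (ms)
' The 4th and 5th arguments of open() answer the server's 401 Basic challenge.
http.open "GET", UPSTREAM_BASE & allowed(page), False, UPSTREAM_USER, UPSTREAM_PASS
http.send

If http.status = 200 Then
    Response.ContentType = http.getResponseHeader("Content-Type")
    Response.BinaryWrite http.responseBody
Else
    ' Do not relay upstream error bodies or headers to the browser.
    Response.Status = "502 Bad Gateway"
    Response.Write "Upstream request failed."
End If
Set http = Nothing
%>
```

Links inside the returned HTML still point at the UNIX host, so they need to be rewritten to go back through this page. Access control then rests on who can reach the ASP page, so it should be restricted to the intranet.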
 

Author Comment

by:Randall-B
ID: 18831198
I guess that would work, if I adjust a few things about my php pages that would be grabbed and posted back to the ASP user.  I think I could handle that part based on the script you provided in your first comment.  
     But here's another thought:  if I restrict the IP blocks and addresses that can access the unix pages, I could prevent outside people from accessing the unix php pages -- even if a corporate employee were to tell them the user/pass.  I would set the IP restriction to the corporate IP.  Then it might be OK to use the URL approach in a redirect.  

    Assuming the unix-hosted page is http://216.92.61.99/private (where the Username is "user" and the Password is "password"), would the ASP or HTML page just contain something like:

<html>
<head>
<meta http-equiv="refresh" content="0; URL=http://user:password@216.92.61.99/private/index.htm">
</head>

<body>
</body>
</html>
   
When I tested that, it did not work. Also, I noticed the username and password were displayed in the browser address bar. (I might not mind having them in the ASP page source code, but I don't want to display them in the address bar.)
0
 

Author Comment

by:Randall-B
ID: 18831221
This ASP is not working either:

<html>
<body>
<% response.redirect "http://user:password@216.92.61.99/private/index.htm" %>
</body>
</html>
0
 

Author Comment

by:Randall-B
ID: 18831255
Hmm . . . even this did not work:

<%
Response.Write "<html><head><title>Redirect</title>"
Response.Write "<meta http-equiv=" & Chr(34) & "refresh" & Chr(34) & " content=" & Chr(34) & "0;url=http://user:password@216.92.61.99/private/index.htm" & Chr(34) & ">"
Response.Write "</head>"
Response.Write "<body>Redirecting...<a href=" & Chr(34) & "http://user:password@216.92.61.99/private/index.htm" & Chr(34) & ">Click if not automatically redirected.</a></body></html>"
%>
0
 

Author Comment

by:Randall-B
ID: 18831294
The final comment at the bottom of http:Q_21525204.html  sounds like it can do what I need, but I don't understand how or where to implement it.
0
 

Author Comment

by:Randall-B
ID: 18832030
I discovered the  http://username:password@myexample.com   method works fine with Mozilla Firefox.
    The reason it was not working in Internet Explorer is because Microsoft disabled that behavior in a security update (KB 832894). See http://support.microsoft.com/default.aspx?scid=kb;en-us;834489
     Now Microsoft recommends using one of the two methods below:

    1) Use the InternetSetOption function and include the following option flags:
     • INTERNET_OPTION_USERNAME
     • INTERNET_OPTION_PASSWORD
or
 2) Use the IAuthenticate Interface.

I would like to use one of those but do not know how.  


For now, I tweaked the registry to disable the new behavior (so it will stop blocking the old username:password@ method).  After tweaking the registry, the following 2 methods work:

1)  HTM

<html>
 <head>
  <meta http-equiv="refresh" content="0; URL=http://user:password@216.92.61.99/private/index.htm">
  </head>
 <body>
</body>
</html>


2) ASP

<%
Response.Write "<html><head><title>Redirect</title>"
Response.Write "<meta http-equiv=" & Chr(34) & "refresh" & Chr(34) & " content=" & Chr(34) & "0;url=http://user:password@216.92.61.99/private/index.htm" & Chr(34) & ">"
Response.Write "</head>"
Response.Write "<body>Redirecting...<a href=" & Chr(34) & "http://user:password@216.92.61.99/private/index.htm" & Chr(34) & ">Click if not automatically redirected.</a></body></html>"
%>

But those methods would require having my users tweak their registry.  

Can you give more information about the .Send function that you mentioned earlier?  Or do you know how to use the InternetSetOption function?  Thanks.
0

Question has a verified solution.