sctccomm
asked on
Unable to get Remote User environment variable
Hello,
I have having trouble getting the authenticated user. I have tried getting the REMOTE_USER environment variable (using 'getenv("REMOTE_USER")' ) but retrieved nothing.
I have even printed out the 'export' result when the page is loading, and it produces the following:
export AUTH_ACL='' export AUTH_TYPE='Basic' export DOCUMENT_ROOT='/var/www/tc
I am wondering if anyone else is having this issue?
Thank you.
I have having trouble getting the authenticated user. I have tried getting the REMOTE_USER environment variable (using 'getenv("REMOTE_USER")' ) but retrieved nothing.
I have even printed out the 'export' result when the page is loading, and it produces the following:
export AUTH_ACL='' export AUTH_TYPE='Basic' export DOCUMENT_ROOT='/var/www/tc
I am wondering if anyone else is having this issue?
Thank you.
Dave Baldwin
This page http://appwebserver.org/products/appweb/doc.2/api/gen/appweb/esp_8js.html#e36ca11f67ad2c2373e908a34c74b8a5 says that it is rarely supplied. Using Firefox (as you are), it is blank on IIS and Apache doesn't list it at all.
I also tried IE8, Chrome, Safari, and Opera and it's blank on IIS for all of them.
ASKER
Then my question is, how can user permission checking be done (based on username)?
You have to create your own login system. Every web site that I know of has to do that if they need to control access. Consider that your login here on EE is different than your login elsewhere.
Also, "REMOTE_USER" like anything else in the HTTP headers can be spoofed. If you need access control, you would not be able to count on "REMOTE_USER" being legitimate.
ASKER
Currently, we are using basic and digest authentication. We have a space requirement which we do not have enough memory to maintain session information. Thus using form-based authentication is not within the scope of this project.
What do you mean by "we are using basic and digest authentication."? Like this? http://appwebserver.org/products/appweb/doc/guide/appweb/users/authorization.html
I logged in with Firefox to a page that I have using "Basic auth" and looked at the headers. There isn't any username list in the request headers in any part of that transaction. If you want a 'username', you may have to set a cookie after the user is logged in.
I logged in with Firefox to a page that I have using "Basic auth" and looked at the headers. There isn't any username list in the request headers in any part of that transaction. If you want a 'username', you may have to set a cookie after the user is logged in.
ASKER
I believe the username and password can be seen in "credentials" in the HTTP header
There is an "Authorization:" field in the request header http://en.wikipedia.org/wiki/Digest_access_authentication. It is not listed in the server or request variables on any web server that I can find. IIS, Apache, and AppWeb http://appwebserver.org/products/appweb/doc.2/api/gen/appweb/esp_8js.html#e36ca11f67ad2c2373e908a34c74b8a5 do not make it available to the pages/users on the server. The only way I can see it is to use Fiddler2 to look at my network traffic.
ASKER
If I were to take the cookie route, how would I be able to get the username?
Good question. I forgot that they don't login to your page but just to the webserver with Basic or Digest Auth. I don't know at this point.
ASKER
I find it a little strange that they provide Authentication, but don't make the login information readily available for further processing by users.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Well, thank you for you help.
ASKER
No actual solution presented.