Use Apache login with Cold Fusion



Hi all,

I'm using .htaccess to password protect a directory containing CFBB,
but instead of having users log in both through Apache and to CFBB, is
there any way to get CFBB or Cold Fusion in general to see what Apache
accepts as a login username and password?  I'd like to eliminate the dual
login if possible.

Thanks --


Re: Use Apache login with Cold Fusion

Alex wrote:

The problem has to do with the way that .htaccess on Apache works.
This also applies to Directory Security on IIS.  As with most http
challenge/password schemes, once you authenticate with the server, the
server gives you a token - basically just a long string of characters -
and on each subsequent hit your browser sends that token back to the
server.  The server keeps a record of all the tokens it has issued in
memory, so it is able to verify that you are an authenticated user.

When you do all of this in coldfusion, you do it with form fields,
databases, and cookies.  The initial username/password is sent via form
fields that coldfusion can read, you make up a long string of
characters (the token) and write that to a database that coldfusion can
read, and you give the token to the browser in the form of a cookie
that coldfusion can read.  Now on subsequent hits, you use coldfusion
to read the cookie and coldfusion to compare it to the database.
Because you have control of that whole process, you can translate that
token, which is just a long string of seemingly random characters, into
something like a username, and from there you can do things like user
customizations (for example, you might display a message, "welcome back
to the website Joe Blow" or you might look up the user's shopping cart, etc).

Unfortunately, when you use .htaccess or IIS's directory security, all
of that communication occurs between browser and webserver - before the
webserver hands the connection off to coldfusion.  With .htaccess, the
browser passes the token back in the header, in a line labeled,
Authorization.  A typical GET request after authenticating with
.htaccess might look like this:

GET /index.cfm HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: etc.
Authorization: Basic Y3NlY29yZDpjc2Vjb3Jk
etc. etc.

In that request, "Y3NlY29yZDpjc2Vjb3Jk" is the token.  As far as I
know, you don't have access to that in any scripting language, not in
.net, not in php, and not in coldfusion.  Even if you did, in order to
make any use of it, you need to translate "Y3NlY29yZDpjc2Vjb3Jk" into a
username or userid of some kind.  If you handle all the authentication
yourself, then you do this by recording "Y3NlY29yZDpjc2Vjb3Jk" along
with the username in a database when the user first logs in, and
looking it up in that database on subsequent hits.  When the server
handles authentication, there's no way to do this.

Re: Use Apache login with Cold Fusion

Well, I guess I really should have researched this a little before I
responded.  It looks like coldfusion puts all that header info into the
cgi scope.  There is a variable named cgi.Auth_User.  I think that's
what you're looking for.

Just ignore my previous reply.

Re: Use Apache login with Cold Fusion

Writing in  
 From the safety of the cafeteria


ahem - I think you'll find IIS does a similar job


oh well - it happens to us all.

William Tasso

** Business as usual

Re: Use Apache login with Cold Fusion

Alex wrote:


Not sure about ColdFusion, but with CGI, you can query the REMOTE_USER
environment variable to find out the *username* of the visitor. Ditto in
PHP, via the $_SERVER superglobal.

CGI doesn't let you access the *password* though. However, in most cases
you don't care what the password is: you care that the user authenticated
correctly, and you might care what the user name is. PHP does give you
access to the password though, in $_SERVER['PHP_AUTH_PW'], but only if
"safe mode" is switched off.

Toby A Inkster BSc (Hons) ARCS
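As an added example (not code posted by anyone in this thread), the following Python sketch walks through both halves of the exchange discussed above: the `Authorization: Basic` header quoted in the first reply, and the `REMOTE_USER` / `AUTH_TYPE` variables that Toby's reply says the web server exposes to a CGI script. The sample request, the plaintext htpasswd stand-in and the `check_password` callback are constructed for this example; a real `htpasswd` file stores password hashes, and `cgi.AUTH_USER` in ColdFusion or `$_SERVER['REMOTE_USER']` in PHP is the same server-populated value modelled by `REMOTE_USER` here. Decoding the quoted token shows that it is simply base64 of `username:password` (here `csecord:csecord`), resent by the browser on every request, which is why the server can hand a script the username without having kept any token table, and why plain CGI does not need to hand on the password at all.

```python
import base64
import binascii
import hmac

# Constructed sample request, modelled on the one quoted in the thread.
# The Basic token Y3NlY29yZDpjc2Vjb3Jk base64-decodes to "csecord:csecord".
SAMPLE_REQUEST = (
    "GET /index.cfm HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "User-Agent: example\r\n"
    "Authorization: Basic Y3NlY29yZDpjc2Vjb3Jk\r\n"
    "\r\n"
)


def parse_headers(raw_request):
    """Return (request_line, headers) with header names lower-cased."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def decode_basic(authorization):
    """Decode an 'Authorization: Basic <b64>' value into (username, password).

    Returns None if the scheme is not Basic or the token is malformed.  The
    token is not a server-issued session identifier: it is the credentials
    themselves, base64-encoded, and the browser resends it on every request.
    """
    if authorization is None:
        return None
    parts = authorization.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet
        raw = base64.b64decode(parts[1], validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    # RFC 7617: the user-id may not contain ':', so split on the first one.
    if ":" not in text:
        return None
    user, password = text.split(":", 1)
    return user, password


def cgi_environment(raw_request, check_password):
    """Model what the web server hands to a CGI/PHP/ColdFusion script after
    performing Basic authentication itself.

    check_password(user, password) is a hypothetical callback standing in
    for the server's htpasswd lookup.  AUTH_TYPE and REMOTE_USER are the
    standard CGI variables; the password is deliberately not passed on,
    which matches plain CGI.  Returns None when authentication fails, i.e.
    where the server would answer 401 and the script would never run.
    """
    _, headers = parse_headers(raw_request)
    creds = decode_basic(headers.get("authorization"))
    if creds is None or not check_password(*creds):
        return None
    user, _ = creds
    return {"AUTH_TYPE": "Basic", "REMOTE_USER": user}


# Constructed stand-in for an htpasswd file (plaintext only for this demo;
# a real htpasswd file holds password hashes).
_HTPASSWD = {"csecord": "csecord"}


def htpasswd_check(user, password):
    """Constant-time comparison against the stand-in credential store."""
    expected = _HTPASSWD.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(password.encode(), expected.encode())


if __name__ == "__main__":
    print(decode_basic("Basic Y3NlY29yZDpjc2Vjb3Jk"))
    print(cgi_environment(SAMPLE_REQUEST, htpasswd_check))
```

Run stand-alone, the block decodes the quoted token to `('csecord', 'csecord')` and shows the script-visible environment as `{'AUTH_TYPE': 'Basic', 'REMOTE_USER': 'csecord'}`; a request carrying the wrong password yields `None`, i.e. the script is never reached. Because the credentials travel in every request, Basic authentication should only be used over TLS, and an application should trust `REMOTE_USER` only when it is sure the front-end server, not the client, set it.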
