Problem
I have a website that uses Basic Authentication and has multiple different logins. I'd like a way to tell, using javascript, the username of the person currently logged in.
I checked the cookies and the basic Authentication credentials are not stored there.
Stack
I'm using Apache configured with a .htaccess and .htpasswd file so using the backend to tell the frontend which user is logged in is not an option.
Goal
The problem I'm trying to solve is really simple, I want my website to display the username of the person currently logged in.
Not without a tiny bit of PHP. Javascript executes on the client and as you have already discovered, the username is not sent from the server so you will need something at the server end to send that userid.
Here is how:
As your page is generated at the server, it uses a small piece of PHP to add the username into your JavaScript and that's how JavaScript has it at the client to do with it what it needs.
Note, the userid wont change until the page is requested again by a different user, so it's not something that needs to be dynamic at the client side mid session.
PHP generates the page at server end when user logs in it includes it in the JavaScript code on the page. Where you want that name in your JavaScript you put it there using <?php echo $_SERVER['REMOTE_USER']; ?>. File extension will need to be .php for your file on the server that has your html and JavaScript code.
Related
I have a relatively large app where there are a lot of user profile pages. I want to make it so that if you share one of the user's profile page it will preview their name and picture on social medias like FB and Twitter (think sharing a Twitch streamer's page on Twitter). I used create-react-app to start the project so I don't have server side rendering or any middleware for pre-rendering tools. Is there another way I can accomplish this?
There two ways you can get this to work
Is the server your files via express server and check for who has the made the request by checking user-agent header from request and if its a bot instead of sending them the usual response you can fetch the required user profile data and use that data to populate the open-graph metatags and return them the HTML with those metatags.
Second way would be to use a network interceptor from the CDN you're using to identify the who is requesting the page (either bot or a person) if its a bot, make a request to your backend to fetch related data and send them the HTML with populated metatags.
Explained approach
Every time a request comes into our server, it comes with a header value user-agent which tells the server who is requesting the resources (human or a bot from Facebook trying to do link preview). Just by comparing a list of known user-agent (so it won't work on all but will work all know platforms and 90% of others.)
Let's say we have something.com where we want the link preview and let's say a request comes for something.com/john. What we will do is check for request that is coming to the server and will check for user-agent property, if its a human it will be redirected to our normal site but if its a bot (so it just wants an HTML for link preview) what we are going to do is since it's our server we can grab the data of akkshay and set the proper metatags inside our HTML and send it back as a response.
So what happens here is whenever a human tries to go for something.com/john he will be redirected to our landing page as he is more concerned about what he sees on his browse but when a bot comes in we will send it HTML response with proper metatags as its the link previews which is the concern for the bot.
This thing can be done on our express server with something like this. But this can also be done infrastructure level.
When you protect an area of your document root using either the server configuration or .htaccess, the server prompts for a username and password when someone requests those files from a browser. If the password matches the one from the authentication provider for that user, the documentation at http://httpd.apache.org/docs/2.2/howto/auth.html says that apache will set environment variables for that user. In my case I'm building a php app, and using phpinfo() I gather that the environment variables set are are REDIRECT_AUTHENTICATE_SAMACCOUNTNAME, AUTHENTICATE_SAMACCOUNTNAME (Using active directory as authentication provider), and REMOTE_USER. I believe this is what prevents the user from being prompted again and again on each subsequent request.
What I don't understand is how apache matches requests from a user with the environment variables set for that user, and also when and how it knows how to clear those variables. I doesn't appear to use cookies, because I cleared all the cookies for the domain in question, and still it doesn't ask me to reauthenticate unless I actually close the browser.
Ultimately I'm going to be working with php to get the userid and to maintain state, but since php is getting the information from the apache information, I'd like to know about that context, and I don't seem to be able to find these details. Thanks in advance.
Look at the http headers your browser is sending. After you have supplied a username and password, your browser will continue sending those details to that site until your browser session ends, or longer if you tell your browser to remember the credentials.
I want to use an application that checks for broken links. I got to know that, Xenu is one such software. I do not have access to internal aspx/http files on a drive. The Problem I am facing is the Website requires the user to be authenticated. After login I need to crawl the site to determine which links are broken.
As an example, I kick off with mail.google.com. We end up typing the Username and password after which we are served different URLs. If I give the Xenu (or similar programs) the link such as mail.google.com it will not be able to fecth URLs inside the mail.google.com which will be of type - /mail/u/0/?shva=1#inbox/ etc. There lies the problem.
With minimal or least scripting language how can I provide Xenu (or other similar app) capability to Login by providing external URL (mail.google.com) in this example in order to do whatever xenu has to do.
Thanks
Balaji S
Xenu can be used with an authenticated user as long as the cookies are persistent. You will need to enable cookies in Xenu and login once yourself using IE.
From their FAQ:
By default, cookies are disabled, and Xenu rejects all cookies. If you
need cookies because
you have used Internet Explorer to authenticate yourself before
starting a run
to prevent the server from delivering URLs with a
session ID
then you can enable the cookies in the advanced options
dialog. (This has been available since Version 1.2g)
Warning: You
should not use this option if you have links that delete data, e.g. a
database or a shop - you are risking data loss!!!
You can enable cookies in the Options menu. Click Preferences and switch to the Advanced tab.
For single page applications (like gmail) you will also need to configure Xenu to parse Javascript
This is done by modifying the ini file (traditionally at C:\Program Files (x86)\Xenu135\Xenu.ini) and adding a line of code under [Options]
Javascript=[Jj]ava[Ss]cript: *[_a-zA-Z0-9]+ *\( *['"]((/|ftp://|https?://)[^'"]+)['"]
There are several variations provided in their FAQ, but I didn't get them to work perfectly.
this is my first post,
I'm working on a project that required me to buy another domain. But i want it to use the same authentication system as my current domain and and also login the user into both sites.
I already found a great post whate it explains what needs to happen here: See the first comment
But I want to make it possible for the user to login on domain1.com (by entering credentials) and i want the credentials to be taken from domain1.com to maindomain.com and authenticate it.
Now, i know its not safe to send the users info unprotected, but i am not sure exactly how to do it any other way.
Do you have any suggestions to how i may send the login info or authenticate the users.
NOTE:
Both sites are on the Same server and one is in a subdirectory of the other (in the file tree) but they have two separate domains so i cant just tell it to POST the info to /login, instead i would have to send it to which would not work with POST.
Any and all help is appreciated!
Thanks in advance!
When the user logs in on server1, you could include something like this in the HTML:
<img src="http://server2/login/?hash=...">
(put a 1*1 transparent gif there or so)
The server should reply with a header that sets the session id.
If you are using cookie based sessions, the easiest way is to set additional copy of session cookie using iframe after successful login.
My project use htaccess files to restrict access to the server resources. The access is granted with an HTTP authentication.
I want to leave HTTP authentication and use a php-session-like login authentication to check access.
What I want to do could be simply done in a script like:
<?php
session_start()
if ( !isset($_SESSION['user']) ) {
header('location : /login.php');
exit;
}
//...also we could use url rewriting to redirect all urls pointing to static resource through
// a script that will deliver its content or redirect to the login form depending on
// identification status
Using php for dynamic pages is not a problem, but how to I grand access to Static resource using a session id passed with cookies in apache ?
I've seen questions related to cookie based redirection in apache, but none of them treat about identifying a user based on a sessionId passed by cookie.
For HTML content, keep your "static" content in PHP scripts whose only "dynamic" feature is that they contain a common header included for checking login/session.
For images, css, javascript, documents, anything else, this more extensive discussion will be of help.