#66 Pull name and password if Basic Auth exists

closed-rejected
nobody
5
2000-12-11
2000-11-28
No

Discussion

  • Andrew Skegg

    Andrew Skegg - 2000-11-28

    None

     
  • Lewis Bergman

    Lewis Bergman - 2000-11-30

    Maybe this should be made into an "auto login" plugin. Any opinions about that? I hate to put this in if it means this breaks SM for IIS. Who knows, maybe someone is using it that way?

     
  • Andrew Skegg

    Andrew Skegg - 2000-12-01

    I don't have access to an IIS server to test it on, but it should be OK as the variables ($PHP_AUTH_USER and $PHP_AUTH_PW) will only exist in an Apache environment.

    I will have a look at your plugin architecture and develop an auto login plugin if it's easy enough ....

     
  • Lewis Bergman

    Lewis Bergman - 2000-12-11

    Please explain the implications of this patch. What does it require from sm to work? What exactly would be the end user experience? Auto fill in of user and pass? Please explain.

     
  • Andrew Skegg

    Andrew Skegg - 2000-12-11

    The variables $PHP_AUTH_USER and $PHP_AUTH_PW exist in the Apache environment if the user has supplied them to gain access to a restricted area, usually via a .htaccess file.
    All this little patch does is check for the existence of these variables and place their values into the login form if they exist.
    Since IIS does not keep a record of these variables (due to different underlying authentication architecture) there are no values to place in the form and nothing happens (although I have not tested this as I do not use a MS server).
    The end result? Say, the user wants to gain access to a members only area that has been already set up. The .htaccess file contains a list of users/groups and their corresponding passwords that are allowed access to this area. The user then clicks on the "Check my mail" link and is flung off to SM. If these username/password combos are in sync with their imap name/password the username and password have already been filled in for them by the patch, so all they have to do is hit the login button (I might try and make this automatic later).
    It was a quick patch to make my life a little easier .....

     
  • Lewis Bergman

    Lewis Bergman - 2000-12-11

    This patch was rejected based on these factors:
    1. Although in general this patch has little security effect on most systems, in highly unlikely circumstances, it could have unwanted security implications.
    2. This would add a level of openness that by default most would not want.
    3. Perhaps the most arguable reason to not include this is that most admins would not expect such behavior by default, and therefore would not think to close any unwanted access.

    These are picky no doubt. But, on the whole we find most people are more concerned about security than saving a couple of clicks and some text entry. This might make a very good plugin (I believe there are two hooks on the login page) or maybe a configurable option in conf.pl if you are willing to do the work to adapt it as such. There is a feature freeze at any rate until after 1.0 final. Perhaps you might work on the adaptions toward inclusion then?

    Thank you for the submission and we hope this doesn't preclude you from submitting further patches.

     
  • Lewis Bergman

    Lewis Bergman - 2000-12-11
    • status: open-rejected --> closed-rejected
     
  • Lewis Bergman

    Lewis Bergman - 2000-12-11

    Oh yes, I understand that there will also be an area to list patches of this sort on the site as well. Please keep watching for that and bring this up when that happens.
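
An added example, not part of this thread or of SquirrelMail's code, of the configurable-option route suggested in the rejection: prefill is off by default, only the user name is prefilled (leaving the password out is a choice of this example), and the value is HTML-escaped before it reaches the form. The flag, function names, form field names and handler path are hypothetical; the code reads `$_SERVER`-style input, where current PHP exposes the value the thread calls `$PHP_AUTH_USER`.

```php
<?php
// Added example; not SquirrelMail code. Every name here is hypothetical.

// Hypothetical site setting: off by default, so an admin must opt in.
$prefill_from_basic_auth = false;

// Return the Basic Auth user name to prefill, or '' when the option is
// off, no Basic Auth took place, or the value looks malformed.
function basic_auth_prefill_user(array $server, bool $enabled): string
{
    if (!$enabled) {
        return '';
    }
    $user = $server['PHP_AUTH_USER'] ?? '';
    if (!is_string($user) || strlen($user) > 128
        || preg_match('/[\x00-\x1f\x7f]/', $user)) {
        return '';
    }
    return $user;
}

// Build the login form. The password field is always empty: PHP_AUTH_PW
// is never read, so the secret is not echoed back into the page source.
function render_login_form(array $server, bool $enabled): string
{
    $user = htmlspecialchars(
        basic_auth_prefill_user($server, $enabled), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="login-handler.php">' . "\n"
         . '  <input type="text" name="username" value="' . $user . '">' . "\n"
         . '  <input type="password" name="password" value="">' . "\n"
         . '  <input type="submit" value="Login">' . "\n"
         . '</form>' . "\n";
}

// Constructed sample of what the web server hands to PHP after Basic Auth.
$sample_server = [
    'PHP_AUTH_USER' => 'alice&"bob"',
    'PHP_AUTH_PW'   => 'constructed-secret',
];

// Default setting: the form comes back with an empty user name field.
echo render_login_form($sample_server, $prefill_from_basic_auth);
// Opted in: the user name is prefilled, with & and " escaped.
echo render_login_form($sample_server, true);
```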

     
