简体繁体 English

自动验证htaccess（401）用户名密码登录

[英]Auto authenticate a htaccess (401) username password login

原文 2014-01-22 17:39:37 2 2 javascript/ php/ android/ .htaccess/ authentication

I have a webpage which refreshes every 5 minutes with client details. 我有一个网页，每5分钟刷新一次客户详细信息。 I have added a username password to it through the basic and standard htaccess and a htpassword file type login system it since part of the file contains company data. 我已经通过基本和标准的htaccess和htpassword文件类型登录系统为它添加了用户名密码，因为该文件的一部分包含公司数据。

But I need this same webpage to be opened at my work PC which is a secured PC connected to a display screen to display same. 但是我需要在我的工作PC上打开这个相同的网页，这是一个连接到显示屏的安全PC以显示它。

On a power cut or a internet disconnection the PC has a startup file with a shortcut to this webpage so it appears automatically BUT stops from the 401 Authorization login form. 在断电或互联网断开连接时，PC有一个启动文件，其中包含此网页的快捷方式，因此它会自动显示，但不会从401授权登录表单中停止。 So no go until I fill the details. 所以在我填写细节之前不要去。

Is there a way I can keep a file with a php or a javascript or jquery code so it can feed the username password to that and open the webpage (even as a iframe)? 有没有办法我可以使用php或javascript或jquery代码保存文件，以便它可以提供用户名密码并打开网页（甚至作为iframe）？

No need to worry about the safety of the file - the PC is locked in a cabinet with only a small set of holes for ventilation and for the display cable coming out to the monitor and another small hole to reach the power button. 无需担心文件的安全性 - PC被锁在一个柜子里，只有一小组通风孔，显示器电缆从显示器出来，另一个小孔到达电源按钮。

If you know to do this on android let me know as well. 如果你知道在Android上这样做也让我知道。

Found the answer!! 找到答案!! See my post below! 请看下面的帖子！

2 个解决方案

UPDATE: This answer may no longer work in newer browsers. 更新：此答案可能不再适用于较新的浏览器。

Because phishing people use @ and : marks in URL to hide URLs. 因为网络钓鱼人在URL中使用@和：标记来隐藏URL。 For example in a URL like www.facebook.com:somelongtext@www.notfacebook.com user will oversee @notfacebook.com part and enter login details to a phishing webpage without noticing the latter. 例如，在www.facebook.com：somelongtext@www.notfacebook.com这样的URL中，用户将监督@notfacebook.com部分，并在不注意后者的情况下将登录详细信息输入到网络钓鱼网页。 So now either this method will not simply work or either you will see a warning saying this URL maybe a phishing site. 所以现在要么这个方法不能简单地工作，要么你会看到一个警告说这个URL可能是一个网络钓鱼站点。 So even if it's a private webpage where only you have access to it browser will try its protective mechanisms. 因此，即使它是一个私人网页，只有您可以访问它，浏览器将尝试其保护机制。

Found the answer! 找到答案了！

Can pass it from the URL itself! 可以从URL本身传递它！

http://username:password@www.yourdomain.com HTTP：//用户名：password@www.yourdomain.com

and the content of the url gets hidden after as well Also global compatible as I know! 并且网址的内容也会被隐藏起来，我也知道全局兼容！

Ditch htaccess/htpasswd 沟htaccess / htpasswd
It's OK for the most basic scenarios, but once you need to go beyond it [ie: your position right now] HTTP auth become a horrible pain in the ass. 对于最基本的场景来说这是可以的，但是一旦你需要超越它[即：你现在的位置] HTTP身份验证会成为一个可怕的痛苦。
Use forms-based authentication 使用基于表单的身份验证
It takes a little work, but this is probably one of the few things that every single PHP dev should know by heart. 它需要一些工作，但这可能是每个PHP开发人员应该知道的少数事情之一。
Whitelist your IP range, and use an access token 将您的IP范围列入白名单，并使用访问令牌
You say you can't simply whitelist the IP because it's on DHCP, and that's fine. 你说你不能简单地将IP列入白名单，因为它在DHCP上，这没关系。 Find the range that your DHCP server is allocating [eg: 1.2.3.0/24] and configure your forms auth to allow unauthenticated requests when accompanied by a pre-set token. 查找DHCP服务器正在分配的范围[例如：1.2.3.0/24]并配置表单身份验证，以便在附带预设令牌时允许未经身份验证的请求。
eg: requests from 1.2.3.4 are permitted when token is set to d8e8fca2dc0f896fd7cb4cb0031ba249 like: 例如：当token设置为d8e8fca2dc0f896fd7cb4cb0031ba249时，允许来自1.2.3.4的请求：
http://yourdomain.com/dir/script.php?token=d8e8fca2dc0f896fd7cb4cb0031ba249