> I've had enough of writing my own dodgy authentication scripts
> and hiding variables all over the place whilst trying to manage
> state. It seems that mod_auth_mysql is the 'proper' way to do
> this, but first a couple of questions :
> [in a previous thread, Herbert wrote]
> >My understanding of mod_auth_mysql is, that when
> >you try to access a protected site a login window
> >appears where you have to enter login and password.
> Is it possible to do away with the pop-up login window and use
> a normal HTML form within a webpage like hotmail/yahoo etc ?
> (purely aesthetic value).
> [in a much earlier thread, Brian Gentry wrote]
> >Then the username/password is passed each time as part of the HTTP
> >headers. You just grab the REMOTE_USER environment variable to get the
> >username, and lookup the password in the db (accessing as the web server).
> >The password is not available to you in the CGI, but the web server does
> >check it each time.
> Wait, do I understand this correctly - Even after the first
> challenge (ie. once the user has been authenticated), all
> subsequent HTTP requests still result in Apache checking
> the username/password ? Doesn't this mean that a single web
> page with 10 graphics will still result in 11 MySQL
> Apache-to-MySQL queries ? I would have thought that once the user is
> authenticated, Apache wouldn't need to query MySQL for subsequent
> requests. Or would that be too easy for somebody to spoof ?
> It just seems like this could become quite a burden on heavy sites.
> If mod_auth_mysql really does result in so many queries (ie. one
> for each and every file requested), I guess the authentication
> table is a prime candidate for a heap table.
> Insights welcomed. Thank you very much,
If this becomes too painful for you in what you're doing, pitch me an
I designed something like this a couple months ago that never flew.
It's a PHP application that contains a username/passwd field in an HTML
on the front page, then, pitches those values to an authentication
checks for a valid e-mail, and, username on a specific server.
It does this without the http challenge-response stuff, so, there's not
dialog boxes. You can also allow the user to select the password
with the mysql password() function, if you want to use the e-mail
Linux rocks!!! http://www.dedserius.com
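
The two approaches discussed in this thread, side by side, as an added example that is not code from either poster or from mod_auth_mysql: HTTP Basic re-checks the password on every request, while a form login checks it once and then verifies a signed cookie, which also answers the spoofing question. The user table, key, cookie layout and function names are assumptions made for the illustration.

```python
import base64, hashlib, hmac, os, time

SALT, SERVER_KEY = os.urandom(16), os.urandom(32)  # key signs cookies, stays server-side
def _hash(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 10_000)
USERS = {"alice": _hash("s3cret")}  # constructed stand-in for the MySQL auth table
db_lookups = 0

def check_password(user, pw):
    """Stand-in for the query the web server makes against the auth table."""
    global db_lookups
    db_lookups += 1
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, _hash(pw))

def basic_auth(headers):
    """HTTP Basic: the browser resends user:password on every request."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    try:
        user, _, pw = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    return user if scheme == "Basic" and check_password(user, pw) else None

def _mac(user, exp):
    return hmac.new(SERVER_KEY, f"{user}.{exp}".encode(), hashlib.sha256).hexdigest()

def form_login(user, pw, ttl=1800):
    """HTML form login: one password check, then a signed, expiring cookie."""
    if not check_password(user, pw):
        return None
    exp = int(time.time()) + ttl
    return f"{user}.{exp}.{_mac(user, exp)}"  # assumed layout: user.expiry.mac

def session_auth(headers):
    """Later requests: recompute the MAC; no password sent, no table lookup."""
    try:
        user, exp, mac = headers.get("Cookie", "").rsplit(".", 2)
        fresh = int(exp) > time.time()
    except ValueError:  # wrong number of fields or non-numeric expiry
        return None
    ok = hmac.compare_digest(mac.encode(), _mac(user, exp).encode())
    return user if ok and fresh else None

def lookups_for_page(auth, headers, n_requests=11):
    """One page plus 10 graphics = 11 requests; return (all_ok, table lookups)."""
    global db_lookups
    db_lookups = 0
    return all(auth(headers) == "alice" for _ in range(n_requests)), db_lookups
```

Either scheme exposes its secret on the wire unless the site is served over TLS: Basic sends the password itself each time, the form approach sends a cookie that is valid until it expires.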