3

Here is what I am dealing with. I have the following in httpd.conf file. This forces authentication on 127.0.0.1/example as intended. 

<Location /example/>
   AuthType Basic
   AuthName ...
   AuthUser File ...
   Require valid-user
</Location>

I also have a php file as follows (http://127.0.0.1/pre2.php)

<?php if(isMember()=='access'){?>
<iframe src="http://127.0.0.1/example" style="border: none; width:100%; height:1100px;"></iframe>
<?php
}?>

I need to make sure authentication doesn't get called by apache when 127.0.0.1/example is accessed via iframe in pre2.php.

Vishnu
  • 11,614
  • 6
  • 51
  • 90
Sam Kingston
  • 817
  • 1
  • 10
  • 19

2 Answers2

2

Unless you can pass some authentication information to the /example request, there's not going to be a way to do this without someone being able to circumvent authentication. You can't check the Referer header because that can be forged.

What you're better off doing, is in your pre2.php script, instead of linking to the /example content via an iframe, can you just read the content and insert it.

Jon Lin
  • 142,182
  • 29
  • 220
  • 220
  • I can't do that because the file is an executable that needs to be visited. Is there any way to wrap the url in something other than iframe then write a rule to satisfy all? Or, to autofill the authentication dialog using master username and password without revealing to general public? – Sam Kingston Sep 28 '15 at 01:13
0

For some reason it won't let me add a comment under yours. But I misunderstood your question I think. Yeah, I suppose that you are correct. What about doing an include on the file? Does that get around it?

Imperialized
  • 443
  • 1
  • 4
  • 13