mixing basic_auth and CGI authentication

I have a small site where each page is generated on the fly by CGI. I used basic_auth to protect all the pages. Now customers want to access the site like this:

https://www.mysite.com?username=alan&password=mead

Note that https://alan:mead@www.mysite.com does *not* work (I can elaborate).

I am using Linux and Apache.

Q1: Is there any way to write server-side code that will allow users to access the site in this manner? All the CGI's that I know wouldn't prevent Apache from doing the 401 dialog with the user's browser.

Q2: Assume I need to switch to a "CGI-based" authentication scheme and I have a lot of existing users whose password only exists (hashed) in a htpasswd file. Does anyone know a way to either (a) decrypt/crack the existing passwords or (b) mimic the Apache authentication hash-matching?

-Alan

A1: I would advise against doing this, since it appears that it can potentially open a security hole and cause more of a headache trying to code. Basically, when Apache authenticates, it sets the environment variable REMOTE_USER to the username, so that is checks this value for subsequent requests. Therefore in elminating Apache authentication method, your cgi-script will have to somehow maintain state so that it knows that the user has already been authenticated. And since cgi-scripts are stateless, you will have to comeup with a way accomplish this. However, if you really want your own customized authentication, write an Apache Authenication handler. This is probably the best route. If you knwo Perl you should have no problem writing one.

A2: You can use the HTTPD::UserAdmin perl module to check against existing passwords.
It provides a function that accepts a plain text password and then encrypts it and matches it against the existing encrypted password in the htpasswd file.

Hope this helps.


<BLOCKQUOTE><font size="1" face="Verdana,Arial,Helvetica">quote:</font><HR>Originally posted by amead:
I have a small site where each page is generated on the fly by CGI. I used basic_auth to protect all the pages. Now customers want to access the site like this:

https://www.mysite.com?username=alan&password=mead

Note that https://alan:mead@www.mysite.com does *not* work (I can elaborate).

I am using Linux and Apache.

Q1: Is there any way to write server-side code that will allow users to access the site in this manner? All the CGI's that I know wouldn't prevent Apache from doing the 401 dialog with the user's browser.

Q2: Assume I need to switch to a "CGI-based" authentication scheme and I have a lot of existing users whose password only exists (hashed) in a htpasswd file. Does anyone know a way to either (a) decrypt/crack the existing passwords or (b) mimic the Apache authentication hash-matching?

-Alan
[/quote]