Home/ Questions/Q 6191893
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T02:50:46+00:00

The two paragraphs after this are background information in case I’m thinking of this

  • 0

The two paragraphs after this are background information in case I’m thinking of this problem wrong. The actual question is after.

I’m creating an application for an organization that uses Pubcookie. In the past this has been incredibly convenient because I haven’t had to implement any session authentication in order to get a user name; in PHP all I need to do is get $_SERVER[‘REMOTE_USER’] as long as the server is configured to require a valid user.

These past applications all require a login to see any content; the Apache configuration in .htaccess causes any unauthenticated users to redirect to the login server to obtain credentials. Now I’m considering an optional login system, like is used most everywhere else on the internet. I want the content to always be visible but allow the application to request a valid username.

Here’s the problem: If the user is not authenticated and I am forcing authentication, pubcookie redirects them to the login server to get authenticated. If the user is authenticated, and I am forcing authentication, I can get the authentication information in $_SERVER[‘REMOTE_USER’]. If, however, the user is authenticated but I am NOT requiring authentication, I cannot get the authentication information. In order to request that information I have to require it, which locks out anonymous users.

How do I get the Pubcookie authenticated user name if it exists, without requiring that it exist? Asked another way, is there a way to get the user name that might sometimes return “no, there is no user name”? I’ve looked into PubcookieOnDemand and it seems I can set up a login script that’s behind the .htaccess authentication requirement, which can set the ondemand cookie after login. However, this is not ideal as it requires the user to go to the login page whether or not the user is already authenticated. Also, there’s no way to remove the ondemand cookie if the authentication expires, because the scripts don’t get control until after authentication.

The only solution I’ve been able to find is to have a login link that stores the pubcookie authentication and hands it off to an application-managed session, but I’m feeling lazy and don’t want to tackle the problem of securely tracking a user session right now. If you have some good information on doing that, though, feel free to pass me a link in a comment.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Well it looks like I’ve found my own answer in the PubcookieNoPrompt Apache directive. It does…exactly what I want. It just needs to be paired with a login script that has the directive turned off, like so:

    .htaccess:

    PubcookieAppID #APPID#
PubcookieNoPrompt on
AuthType NetID
require valid-user

<Files login.php>
  PubcookieNoPrompt off
</Files>

    The login.php file can do anything, including redirect the user based on GET data back to the page that had the login link.

    • 0