Providing Authentication to users on a Secure Subnet

I have a website that is built around a web-application that my
company purchased. My company has full ownership and administrative
rights to this software and its corresponding files. It uses HTTP
Basic Authentication and that cannot be changed at all (it is compiled
into the web-application itself).

This is my problem:

We have a secure subnet (a customer of ours) that regularly uses this
website and they don't want to have to log in to this server (as they
have already had to log in to their own network). We used to get
around this problem by using the username and password on the URL line
(http://username:password@www.website.com/) but since Microsoft
eliminated that with one of their service packs it is no longer
possible. (And the customer won't go to all their computers
....numbering some 200-300... and change the registry). Is their any
way to supply the client browser with the proper credentials through
scripting (or any mechanism, for that matter) so that this automation
can be achieved WITHOUT any browser-user interaction?

My idea was to point the customer to an different "home page" for this
website, check their REMOTE_ADDR to see if they are in the approved
subnet, and, if so, give them the username and password whereupon they
would be pointed to the original home page. I'm getting stuck at the
point where those credentials need to be implemented by the browser
without the user's intervention.

Any insight into this problem would be greatly appreciated.

Thanks,
Tom

"Nobody" <nobody@nowhere.com> wrote in message
news:s5ijr01bcdd1fb1otup9gi4874tgdntqso@4ax.com...
> I have a website that is built around a web-application that my
> company purchased. My company has full ownership and administrative
> rights to this software and its corresponding files. It uses HTTP
> Basic Authentication and that cannot be changed at all (it is compiled
> into the web-application itself).
>
> This is my problem:
>
> We have a secure subnet (a customer of ours) that regularly uses this
> website and they don't want to have to log in to this server (as they
> have already had to log in to their own network). We used to get
> around this problem by using the username and password on the URL line
> (http://username:password@www.website.com/) but since Microsoft
> eliminated that with one of their service packs it is no longer
> possible. (And the customer won't go to all their computers
> ...numbering some 200-300... and change the registry). Is their any
> way to supply the client browser with the proper credentials through
> scripting (or any mechanism, for that matter) so that this automation
> can be achieved WITHOUT any browser-user interaction?
>
> My idea was to point the customer to an different "home page" for this
> website, check their REMOTE_ADDR to see if they are in the approved
> subnet, and, if so, give them the username and password whereupon they
> would be pointed to the original home page. I'm getting stuck at the
> point where those credentials need to be implemented by the browser
> without the user's intervention.
>
> Any insight into this problem would be greatly appreciated.

Create a proxy server of sort with PHP. Your special customers would go to a
URL looking something like this:

http://www.website.com/proxy.php/som....jsp?ASD=12345

The web server would launch proxy.php, with /somewhere/outthere.jsp as the
PATH_INFO. The script now checks REMOTE_ADDR, then retrieve the contents
from the web application with a call to readfile():

<?php readfile(http://user:pass@www.website.com$PATH_IFNO?$QUERY_STRING" );
?>

If you want to get fancy, you can use Apache rewrite to reroute visitors
from the specific IP range:

RewriteCond %{REMOTE_ADDR} ^123\.45\.67\.[8-9]$
RewriteRule ^/(.*) /proxy.php/$1

Now they don't have to use remember the special URL.