How to stop shortcut logins?!?!
Is it possible to stop members logging in using the http://username:[email protected] format?
And force an authentication box onto them? Cheers. G |
/\ BUMP /\
also looking for an answer to this question |
Not sure but wouldn't a referrer check do the trick?
|
You may find your answer here: http://groups.google.com/ :)
|
I asked someone about this, and got a suggestion for my htaccess files. Unfortunately, neither of us could make it work. I would really love a solution about this.
|
Try to add the following to your htaccess file.

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*domain.com/ [NC]
    RewriteCond %{HTTP_REFERER} !^$
    RewriteRule /* http://www.domain.com/ [L,R]

Nevermind. Just tried it and it didn't work.... |
I fiddled around with this myself, and from my experiments concluded that the user:pass@host format is local only - it's not actually passed through to the web server. The referer solution is probably your best bet, although it will cause problems with software that blocks it.
|
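Added example, not part of any post in this thread: a Python model of the observation above, assuming a client such as curl that converts URL userinfo into a Basic `Authorization` header (RFC 7617), together with the two `RewriteCond` lines posted earlier evaluated against sample Referer values. The host `members.example`, the credentials and the Referer strings are constructed.

```python
import base64
import re
from urllib.parse import urlsplit, unquote

def request_for(url, dialog_creds=None):
    """Request line and headers a client sends for url (constructed model).

    Credentials come from the URL's userinfo part, or from dialog_creds,
    a (user, password) pair typed into the browser's authentication box.
    """
    parts = urlsplit(url)
    if parts.username is not None:
        creds = (unquote(parts.username), unquote(parts.password or ""))
    else:
        creds = dialog_creds
    headers = {"Host": parts.hostname}
    if creds:
        token = base64.b64encode(":".join(creds).encode()).decode()
        headers["Authorization"] = "Basic " + token  # RFC 7617
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    # The userinfo part never appears in the request line or Host header.
    return f"GET {target} HTTP/1.1", headers

# First RewriteCond pattern from the thread; [NC] maps to IGNORECASE.
OWN_SITE = re.compile(r"^http://([a-z0-9-]+\.)*domain.com/", re.IGNORECASE)

def rule_redirects(referer):
    """True when both RewriteCond lines hold, so the RewriteRule fires."""
    return OWN_SITE.search(referer) is None and referer != ""

if __name__ == "__main__":
    shortcut = request_for("http://alice:s3cret@members.example/area/")
    dialog = request_for("http://members.example/area/", ("alice", "s3cret"))
    print(shortcut)
    print("identical on the wire:", shortcut == dialog)
    # A request that carries no Referer header reaches the rule as "".
    for referer in ("", "http://www.domain.com/index.html", "http://other.example/"):
        print(repr(referer), "->", "redirect" if rule_redirects(referer) else "served")
```

The server receives the same request whether the credentials came from the URL or from the authentication box, and the second `RewriteCond` exempts any request that arrives without a Referer header.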
Switching to a 'script-based' authentication model instead of 'server-based' (straight .htaccess -> .htpasswd) will solve this problem... People will be forced to go through a login gateway that relies on a script to call to .htpasswd, and I don't believe it can be crossed by user:pass@host login attempts... pw sentry uses a script-based auth model, I highly recommend it..
|