HTTP Preauthorization

At http://localhost/tmp/ I have a form that asks for the user and password (authentication). After the user posts (hits OK) I want to redirect the user to http://localhost/test/ which uses Apache's Basic AuthType. Happens that the user and password just typed in the form are exactly the credentials to authenticate at http://localhost/test/ What I want is the solution so that the user is not asked for the password in the second address. So far I was able to pass the 'Authorization: Basic "base64_encoded user and password"' with CURL (usin开发者_C百科g GET), and get the response I want (contents of test/index.html, for example). However, that's curl getting the info instead of my browser redirecting there with preauthorization. That is, if I type http://localhost/test/ in the address bar it asks for the password again. Any ideas? Any clarification needed?

The problem is that the authorization state is maintained in the browser, and there's no real way to tell the browser it's authorized.

Most systems rely on a Cookie system, but BASIC/DIGEST HTTP AUTH are HTTP headers. So, only the browser can set those.

I should say, for normal every day requests -- you might (I'm not sure) be able to set the headers in an XHR.

Could you simply set the form submit location to the redirect destionation http://localhost/test/ and take care fo the authentication here?

As an aside, Fiddler is a great tool for debugging this sort of thing

Will's answer points you in the right direction.

In IE at least, it works to send an XHR request (to some throwaway page) with the Username/Password parameters (in the Open() call) set. Doing that will cache this username and password internally for the browser session, and so when you subsequently visit other pages on the server, the authentication SHOULD automatically happen for those pages.

I can't say if this trick works in other browsers or not.