We’ll start by observing that web servers aren’t the only things that can issue Authorization: headers. Scripts can do that too. Example 12.1 is a simple Perl script that challenges for a name and password, just as an authenticating web server does.

use MIME::Base64;

if ( ! defined $ENV{HTTP_AUTHORIZATION} )    # if no Authorization: header
  {     
  print "HTTP/1.0 401 Authentication\n";     # issue authorization challenge
  print "WWW-Authenticate: Basic realm=\"subscribers\"\n\n";
  return;
  }

print "HTTP/1.0 200 Ok\n";                   # needed for ISAPI Perl or mod_perl
print "Content-type: text/html\n\n";         # the standard header
$ENV{HTTP_AUTHORIZATION} =~ m/Basic (.+)/i;  # get MIME-encoded credentials
print "Hello " . decode_base64($1);          # print "Hello Aladdin:open sesame"

We’ve introduced another CPAN module here. MIME::Base64 converts back and forth between plain text and the Base64 encoding used by the HTTP basic authentication protocol. If you put this code in a file called auth.pl, put that file into the /cgi-bin directory of an Apache web server, and ask your browser to fetch /cgi-bin/auth.pl, you’ll provoke an authentication dialog. Type in the credentials Aladdin and open sesame and you’ll get the reponse Hello Aladdin:open sesame.

If that doesn’t work, define the symbol SECURITY_HOLE_PASS_AUTHORIZATION and rebuild Apache. What? Open a security hole? Well, here’s what the Apache source code says about allowing scripts ...