mdougan
asked on
How to redirect to an htaccess protected folder without generating the prompt to sign in....
Say you have a website, some of it open to the public, some open to members only… the member’s only section is protected with an htaccess defined user… but, you don’t want to have to set up all the members individually through that file… so, you create a form, get the user to enter a user id and password, bring that into a PHP script, query your MySQL Database, compare that to what’s on file for that user…. and then, if matched, redirect them to the page that is in the htaccess protected section of the site…. however, you don’t want HTTP to prompt them to enter the user id as defined in the htaccess file… you want to pass that along in the redirect…..
So, a normal redirect would look like:
header("Location: http://www.mysite.org/member/");
OR
header("Location: http://www.mysite.org/member/index.htm");
Both of those invoke the HTTP Prompt.
I’ve tried something like this:
header("Location: http://MYUSER:MYPASSWORD@mysite.org/member/");
OR
header("Location: http://MYUSER:MYPASSWORD@www.mysite.org/member/");
Where MYUSER is the user defined in the htaccess file and MYPASSWORD the password, but get an invalid URL message if I'm using IE. I understand that this syntax would work with Mozilla or other browsers... but I need a solution that will work for all browsers.
I’ve also tried this, but it doesn’t seem to do anything (still get HTTP Prompt)
$_SERVER['PHP_AUTH_USER'] = 'MYUSER';
$_SERVER['PHP_AUTH_PW'] = 'MYPASSWORD';
header("Location: http://www.mysite.org/members/");
The member folder is protected by the htaccess stuff. Basically, I want to provide the userid and password as defined in the htaccess file behind the scenes and do the actual user authentication myself through lookups to our member MySQL database.
I've also tried mod_auth_mysql but our webhost is not set up to allow that kind of authorization.
Any ideas?
ASKER CERTIFIED SOLUTION
ASKER
OK, I tried to implement this... made the htaccess file like the one you had, except that to find the finder.php file I had to take the slash off the front of the ErrorDocument ... the result was that I got a Forbidden error, and additionally, it told me that I got an internal server error 500 while trying to implement an ErrorDocument or something like that..... any idea what would be going on here?
you will need to add an exception to your htaccess:
<Files finder.php>
allow from all
</Files>
this should make it so that finder is no longer 403'd
ASKER
OK, I had to put the slash back in front of the finder.php... so, now my htaccess file looks like:
Order Allow,Deny
Deny from all
# To allow execution of cgi scripts in this directory uncomment next two lines
#AddHandler cgi-script .bat .exe .pl .cgi
Options -Indexes
ErrorDocument 403 /finder.php
<FilesMatch "\.(gif|png|pdf|jpg|jpeg|swf)$">
Allow from all
</FilesMatch>
<Files finder.php>
allow from all
</Files>
My finder.php file looks like:
<?php
//echo $_SERVER['REQUEST_URI'];
$file = $_SERVER["DOCUMENT_ROOT"] . $_SERVER["REQUEST_URI"];
if (file_exists($file))
{
    if (isset($f_mysite_auth)) {
        include_once($file);
    }
    else
    {
        include_once("http://www.mysite.org/authentication.html");
        //header("Location: http://www.mysite.org/authentication.html");
        //exit;
    }
}
else
{
    include "error.php";
}
?>
When I try to navigate to :
http://www.mysite.org/member/index.htm
I get a text echo saying something like "no input file specified"
I'd commented out the echo that you had at the top of the finder.php, but I've also tried it uncommented... never see anything echoed ...
Basically, if an error is generated, I'm hoping that this finder.php will execute... it will look for a cookie value, if the cookie value is not set it will try to redirect to a page that is outside of the member directory which is going to ask the user for a user id and password... that will post to a php script that will authenticate the user and if authenticated, it will write the cookie and then redirect to the /member/index.htm page... which would then generate an error... invoke finder.php... etc... do you see anything else wrong here?
it looks right to me... if you have access to the error logs for your server, see if anything is showing up
also is your finder.php in your directory root?
ASKER
Have access to a file called access-log which seems to show when and what pages are being accessed, but didn't see any of the errors that I'd generated.... I might find them through the normal control panel we use to administer the site...
I put the finder.php in the /member directory which is the protected directory... I assumed that this is where I'd want it?
my authentication.html and my logon.php files are in the root directory, authentication.html is just a form that posts the users id and password to logon which does the db query, writes the cookie and tries to redirect to /member/index.htm .....
for my site, I keep it in a directory above. I had the same sort of trouble with htaccess
and 90% of the websites out there that talk about it are either too hard to understand or don't show me how to do anything useful...
ASKER
Hey! 99% success! I think at some point I was copying updates to the finder to the wrong place, as I had copies in both the root and in the member area... still not sure where the right location is, but that will be easy enough to determine... at least now, they're both the latest and greatest...
It all worked as expected. Sweet... now, my only problem comes when trying to run a php script that is under my /member/phpMyAdmin folder.... it would be great if I could allow that folder to be controlled by a different htaccess file and not the one in the /member folder, is that possible? because when I try to navigate to:
http://www.mysite.org/member/phpMyAdmin/
I get this error:
Warning: main(): Unable to access ./libraries/grab_globals.lib.php in /home/www/mysite/member/phpMyAdmin/index.php on line 8
Warning: main(./libraries/grab_globals.lib.php): failed to open stream: No such file or directory in /home/www/mysite/member/phpMyAdmin/index.php on line 8
Thinking that it might be looking for the actual file name I'm trying to run which is index.php I gave it this url:
http://www.mysite.org/member/phpMyAdmin/index.php
And then got this error in addition to the other two:
Fatal error: main(): Failed opening required './libraries/grab_globals.lib.php' (include_path='.:/usr/local/lib/php') in /home/www/mysite/member/phpMyAdmin/index.php on line 8
I'll be accepting your response above as the solution, thanks!
ASKER
If that is basically how it works, then I suppose that once they get to a protected html page and click a link to another protected html page, that's going to generate another error... so, I'd do my authentication in the finder.php script and perhaps set a session cookie... check the session cookie before prompting the user?
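A hardened take on the finder.php gatekeeper and the session check discussed in this thread, as an added example that is not code from the thread or from the accepted solution. It assumes logon.php stores $_SESSION['member_id'] after the MySQL check and that protected files live under DOCUMENT_ROOT/member; the session key and the list of served types are hypothetical.

```php
<?php
// Added example (not the thread's code) for "ErrorDocument 403 /finder.php".
// Assumed: logon.php sets $_SESSION['member_id'] after the MySQL check, and the
// protected tree is DOCUMENT_ROOT/member.

const LOGIN_PAGE = '/authentication.html';
const SERVED_TYPES = ['htm' => 'text/html', 'html' => 'text/html', 'txt' => 'text/plain'];

// Resolve the requested URI to a real file inside $base, or null if it escapes.
function resolve_member_file(string $requestUri, string $docRoot, string $base): ?string
{
    $path = parse_url($requestUri, PHP_URL_PATH);    // ignore ?query and #fragment
    $path = is_string($path) ? rawurldecode($path) : '';
    if ($path === '' || strpos($path, "\0") !== false) {
        return null;
    }
    $real = realpath($docRoot . $path);              // collapses ../ and symlinks
    if ($real !== false && is_dir($real)) {
        $real = realpath($real . '/index.htm');      // directory request
    }
    $baseReal = realpath($base);
    if ($real === false || $baseReal === false) {
        return null;
    }
    // The resolved path must sit below the protected directory.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

session_start();
if (empty($_SESSION['member_id'])) {
    // A cookie merely being present proves nothing; require server-side session state.
    header('Location: ' . LOGIN_PAGE);
    exit;
}

$docRoot = $_SERVER['DOCUMENT_ROOT'];
$file = resolve_member_file($_SERVER['REQUEST_URI'], $docRoot, $docRoot . '/member');
$ext = $file === null ? '' : strtolower(pathinfo($file, PATHINFO_EXTENSION));

if ($file === null || !isset(SERVED_TYPES[$ext])) {
    http_response_code(404);
    exit('Not found');
}

http_response_code(200);                   // replace the 403 that invoked this handler
header('Content-Type: ' . SERVED_TYPES[$ext]);
header('Cache-Control: private, no-store');
readfile($file);                           // send bytes; never include() a request-derived path
```

Files matched by the FilesMatch "Allow from all" rule in the .htaccess above are served by Apache directly and never reach this script, so they remain readable without a login.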