Solved

POST .htpasswd using php variables!

Posted on 2004-03-30
Last Modified: 2008-02-01

Hello,

I have a database where users can log in with php/mysql, and what I want to do now is create a protected directory on an external server with .htaccess/.htpasswd, but I don't want to create every user again and put them into the .htpasswd file.
Is it possible to realize this using a php page that redirects to this domain/directory, in which a "global" user/password is set as a variable and automatically has access to the protected directory?

I tried it with:
$PHP_AUTH_USER = "myuser";
$PHP_AUTH_PW = "mypassword";
and
$_SERVER['PHP_AUTH_USER'] = "myuser";
$_SERVER['PHP_AUTH_PW'] = "mypassword";

but without any success; after redirection the HTTP-AUTH window pops up asking for the username/password.

j79
11 Comments
 
LVL 27

Expert Comment

by:skullnobrains
ID: 10721804
It's hard to realize, but yes, you could, though I could hardly point to the how-to.
... the point is, is that useful? You could much more easily add security of your own on the pages you are willing to protect.

A simple line such as if authorization=1 would probably do the trick all right, as long as you don't accept includes.

What follows is part of my own security, which will accept the inclusion of 'connect.php', and only that one.

// Refuse to run unless exactly one file was included, and that file is connect.php
if (!($INCLUDES = get_included_files() + get_required_files()) or substr($INCLUDES[0], -11) != "connect.php" or count($INCLUDES) != 1) {

Beware that some versions will stick the page itself in the $INCLUDES table, so you may need to adapt.

You will also need to check if the posting has been hacked, but this is fairly easy using a simple self-made coding function.
Mine takes any 4 digits and returns a number between 1 and 100 which is completely unlinked to the original (i.e. 1547 may return 21 and 1548 may return 85... see what I mean?)

The reason for this is that most would-be hackers know how to hack a .htaccess, and I guess this is one of the unusual occasions where security-through-obfuscation is useful and efficient if you take care.
 
LVL 2

Author Comment

by:j79
ID: 10728568

Hello skullnobrains,

thank you for the answer.
What about files like mp3/jpg/gif in this directory? They aren't protected from outside access if I don't set up a password-protected directory!

j79
 
LVL 27

Expert Comment

by:skullnobrains
ID: 10731872
If you need to protect such things, yes, you may need to automate login through .htaccess files.
Using cookies, try: http://www.raburton.lunarpages.com/apache/mod_auth_cookie/
Using headers, refer to RFC 2617 (the following is an extract; most lines could probably be skipped):
<<
3.2.2 The Authorization Request Header

   The client is expected to retry the request, passing an Authorization
   header line, which is defined according to the framework above,
   utilized as follows.

       credentials      = "Digest" digest-response
       digest-response  = 1#( username | realm | nonce | digest-uri
                       | response | [ algorithm ] | [cnonce] |
                       [opaque] | [message-qop] |
                           [nonce-count]  | [auth-param] )

       username         = "username" "=" username-value
       username-value   = quoted-string
       digest-uri       = "uri" "=" digest-uri-value
       digest-uri-value = request-uri   ; As specified by HTTP/1.1
       message-qop      = "qop" "=" qop-value
       cnonce           = "cnonce" "=" cnonce-value
       cnonce-value     = nonce-value
       nonce-count      = "nc" "=" nc-value
       nc-value         = 8LHEX
       response         = "response" "=" request-digest
       request-digest = <"> 32LHEX <">
       LHEX             =  "0" | "1" | "2" | "3" |
                           "4" | "5" | "6" | "7" |
                           "8" | "9" | "a" | "b" |
                           "c" | "d" | "e" | "f"

>>

The other solution (much more secure but slightly slower) is to store the files outside the Apache web directory and use php to handle the file directly, either through streaming or by storing it in temporary files (using changing names will prevent multiple downloads).

Please beware that if you use authentication through .htaccess and headers, you will probably want to create session-based passwords dynamically (which is the easy part), as the user will be able to retrieve them from the browser history.

I would need to know a bit more about your goals to try and make a reasonable and more precise suggestion.
 
LVL 27

Expert Comment

by:skullnobrains
ID: 10731962
Actually, I just came across something simpler:

allow from $remote_ip
deny from all

Your php page changes the .htaccess dynamically (i.e. you must log the date and time each IP was added and erase them after a few minutes...)

You go through all the server variables that can give a clue as to the IP of the client (in case of proxies) and of course refuse any local address.

In this case a limited number of proxies may not let the user through, but they are very seldom. I assume you could ask those few users to log on manually, as most of them hide themselves on purpose and will be used to such things.

Would this be enough for your site? Of course you can only protect directories, but all the files in each specific directory could be accessed all the same.
 
LVL 2

Author Comment

by:j79
ID: 10734910

That sounds good, skullnobrains.
I'll give 125 points if you give me short advice on how the .htaccess file should look.
I think that I can write a php page with cookies for writing the .htaccess file.

j79
 
LVL 27

Accepted Solution

by: skullnobrains (earned 500 total points)
ID: 10749230
This only requires the .htaccess file. There are two approaches to restricting by IP address:

a) deny everyone access, then allow certain hosts/IP addresses

AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
order deny,allow
deny from all
allow from 199.166.210.
allow from .golden.net
allow from proxy.aol.com
allow from fish.wiretap.net
</Limit>

b) allow everyone except for certain hosts/IP addresses

AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
order allow,deny
allow from all
deny from .microsoft.com
deny from .evil-hackers.org
deny from 24.112.106.235
deny from morphine.wiretap.net
</Limit>

This is an extract from http://home.golden.net/htaccess.html
('htaccess allow by ip' lookup in Google)
... and should answer that question better than I would ;)

cheers

PS: I assumed your post referred to my last. If not, I'll pop in in a few days.
 
LVL 27

Expert Comment

by:skullnobrains
ID: 10749246
By the way, if you want a script that pulls the passwords out of the db and creates an htpasswd accordingly, this is fairly easy, but then you will want the htpasswd to be updated automatically, which is more painful... but we've got to be a little masochist to like them programs, don't we?
 
LVL 2

Author Comment

by:j79
ID: 10749616

Thank you skullnobrains,

I made a .htaccess like:

deny from all
allow from 199.166.210.
allow from .golden.net
allow from proxy.aol.com
allow from fish.wiretap.net

without <LIMIT ...>, and it seems to work very well.
The .htaccess is now being updated from a database with the IPs of current valid sessions.

Thank you for your help
j79

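Putting the thread's final approach together, as an added example that is not code from the thread: a PHP script that records the login IP of each session and rewrites the directory's .htaccess (in the deny-all / allow-list shape of the accepted answer) from the sessions still inside a time window. The table and column names, the DB credentials and the directory path are assumptions.

```php
<?php
// Added example, not code from the thread: regenerate the protected
// directory's .htaccess from a sessions table so that only IPs with a
// session seen in the last $ttlMinutes minutes are allowed, as j79
// describes. Table/column names (sessions, id, ip, last_seen) and the
// directory path are assumptions.

// Record the IP of a freshly authenticated session. REMOTE_ADDR is the
// TCP peer Apache saw; X-Forwarded-For and similar headers are supplied
// by the client and must not feed an allow-list.
function recordSessionIp(PDO $db, string $sessionId): void {
    $stmt = $db->prepare(
        "REPLACE INTO sessions (id, ip, last_seen) VALUES (?, ?, NOW())"
    );
    $stmt->execute([$sessionId, $_SERVER['REMOTE_ADDR']]);
}

// IPs with a session that was active within the TTL window.
function activeIps(PDO $db, int $ttlMinutes): array {
    $since = date('Y-m-d H:i:s', time() - $ttlMinutes * 60);
    $stmt = $db->prepare("SELECT DISTINCT ip FROM sessions WHERE last_seen >= ?");
    $stmt->execute([$since]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Build the deny-all / allow-listed file in the shape of the accepted
// answer. Only values that parse as an IP address are emitted, so a bad
// row cannot smuggle an extra directive into the file.
function buildHtaccess(array $ips): string {
    $lines = ["order deny,allow", "deny from all"];
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            $lines[] = "allow from $ip";
        }
    }
    return implode("\n", $lines) . "\n";
}

// Write to a temp file and rename so Apache never reads a half-written
// .htaccess (rename is atomic within one filesystem).
function writeHtaccess(string $dir, string $contents): void {
    $tmp = $dir . '/.htaccess.' . getmypid();
    file_put_contents($tmp, $contents, LOCK_EX);
    rename($tmp, $dir . '/.htaccess');
}

// Run after each login and from a cron job so expired IPs drop out.
$db = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass');
writeHtaccess('/var/www/protected', buildHtaccess(activeIps($db, 10)));
```

An allow-listed IP is not a logged-in user: anyone behind the same NAT or proxy can reach the directory for the whole window, which is the trade-off skullnobrains notes above.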
 
LVL 27

Expert Comment

by:skullnobrains
ID: 10750268
Cool if you found out, and sorry this did not come up sooner.
I guess when you say 'like' you adapted it to your needs, if it works.
... and I dunno what the hell the '<limit>' thing is useful for here.
 
LVL 2

Author Comment

by:j79
ID: 10750302

I think it's something to limit the GET-size of the file/site.

I don't know it either :)

Thanks again
j79
 
LVL 27

Expert Comment

by:skullnobrains
ID: 10750344
http://web.nwe.ufl.edu/writing/help/web/authoring/apache/limit.html
If you're interested, the Limit directive is explained here, and the rest of the site is good info on Apache (quick reference for simple tasks).
