Solved

POST .htpasswd using php variables!

Posted on 2004-03-30
463 Views
Last Modified: 2008-02-01

Hello,

I have a database where users can login with php/mysql and what I want to do now is to create a protected directory on an external server with .htaccess/.htpasswd but I don't want to create every user again now and put them into the .htpasswd file.
Is it possible to realize this intention using a php page with redirection to this domain/directory, in which a "global" user/password is set as a variable and automatically has access to the protected directory?

I tried it with:
$PHP_AUTH_USER = "myuser";
$PHP_AUTH_PW = "mypassword";
and
$_SERVER['PHP_AUTH_USER'] = "myuser";
$_SERVER['PHP_AUTH_PW'] = "mypassword";

but without any success; after redirection the HTTP-AUTH window is popping up asking for the username/password.

j79
0
Question by:j79
11 Comments
 
LVL 26

Expert Comment

by:skullnobrains
it's hard to realize but yes you could, though i could hardly point to the how-to.
... the point is: is that useful? u could much more easily add a security of your own on the pages you are willing to protect.

a simple line such as if authorization=1 would probably do the trick all right as long as you don't accept includes

follows part of my own security, which will accept the inclusion of 'connect.php', and only that one.

if (!($INCLUDES = get_included_files() + get_required_files()) or substr($INCLUDES[0], -11) != "connect.php" or count($INCLUDES) != 1) { exit; }

beware that some versions will stick in the $INCLUDES table the page itself so u may need to adapt.

u will also need to check if the posting has been hacked but this is fairly easy using a simple self-made coding function.
mine takes any 4 digits and returns a number between 1 and 100 which is completely unlinked to the original (ie 1547 may return 21 and 1548 may return 85... see what i mean ?)

the reason for this is that most of the would-be hackers know how to hack a htaccess and i guess this is one of the unusual occasions where security-through-obfuscation is useful and efficient if you take care.
0
 
LVL 2

Author Comment

by:j79

Hello skullnobrains,

thank you for the answer.
What about files like mp3/jpg/gif in this directory? They aren't prevented from outside access if I don't set a password protected directory!

j79
0
 
LVL 26

Expert Comment

by:skullnobrains
if you need to protect such things, yes you may need to automate login through htaccesses
using cookies, try : http://www.raburton.lunarpages.com/apache/mod_auth_cookie/
using headers, refer to the rfc 2617 (following is an extract, most lines could probably be skipped)
<<
3.2.2 The Authorization Request Header

   The client is expected to retry the request, passing an Authorization
   header line, which is defined according to the framework above,
   utilized as follows.

       credentials      = "Digest" digest-response
       digest-response  = 1#( username | realm | nonce | digest-uri
                       | response | [ algorithm ] | [cnonce] |
                       [opaque] | [message-qop] |
                           [nonce-count]  | [auth-param] )

       username         = "username" "=" username-value
       username-value   = quoted-string
       digest-uri       = "uri" "=" digest-uri-value
       digest-uri-value = request-uri   ; As specified by HTTP/1.1
       message-qop      = "qop" "=" qop-value
       cnonce           = "cnonce" "=" cnonce-value
       cnonce-value     = nonce-value
       nonce-count      = "nc" "=" nc-value
       nc-value         = 8LHEX
       response         = "response" "=" request-digest
       request-digest = <"> 32LHEX <">
       LHEX             =  "0" | "1" | "2" | "3" |
                           "4" | "5" | "6" | "7" |
                           "8" | "9" | "a" | "b" |
                           "c" | "d" | "e" | "f"

>>

the other solution (much more sure but slightly slower) is to store the files out of the apache web directory and use php to directly handle the file either through streaming or storing in temporary files (using changing names will prevent multiple downloads).

please beware that if u use authentication through htaccess and headers, you probably will want to create session-based passwords dynamically (which is the easy part) as the user will be able to retrieve them from the browser history.

i would need to know a bit more on your goals to try and make a reasonable and more deeply precise suggestion.
0
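The RFC extract above is the grammar of what the client must send; the values in it are computed by the browser from the server's 401 challenge, which is why a PHP page cannot supply them on the browser's behalf before a redirect. The following is an added example, not code from this thread: it computes the qop=auth "response" exactly as the quoted grammar specifies (A1, A2, 32LHEX digest) and shows the matching server-side check against a stored HA1. The realm, credentials, URI, nonce and cnonce are constructed sample values (nonce and cnonce reuse the values from the RFC 2617 worked example).

```php
<?php
// Added example, not code from the thread: build the Digest "response" of the
// RFC 2617 grammar quoted above (qop=auth) and verify it on the server side.
// Every value used below is constructed for illustration; the nonce would
// normally arrive in the server's 401 WWW-Authenticate challenge.

function ha1(string $user, string $realm, string $password): string
{
    return md5("$user:$realm:$password");             // A1 = username ":" realm ":" password
}

function digestResponse(string $ha1, string $method, string $uri, string $nonce,
                        string $nc, string $cnonce, string $qop = 'auth'): string
{
    $ha2 = md5("$method:$uri");                       // A2 = Method ":" digest-uri-value
    return md5("$ha1:$nonce:$nc:$cnonce:$qop:$ha2");  // request-digest = 32LHEX
}

// Client side: the credentials value of the Authorization header.
function authorizationHeader(string $user, string $realm, string $password,
                             string $method, string $uri, string $nonce,
                             string $nc, string $cnonce): string
{
    $response = digestResponse(ha1($user, $realm, $password), $method, $uri, $nonce, $nc, $cnonce);
    return sprintf('Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, '
                 . 'nc=%s, cnonce="%s", response="%s"',
                   $user, $realm, $nonce, $uri, $nc, $cnonce, $response);
}

// Server side: parse the header, recompute from the stored HA1 (the plaintext
// password is never needed here) and compare in constant time.
function verifyDigest(string $header, string $storedHa1, string $method): bool
{
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $header, $m, PREG_SET_ORDER);
    $f = [];
    foreach ($m as $kv) {
        $f[$kv[1]] = ($kv[2] !== '') ? $kv[2] : ($kv[3] ?? '');
    }
    foreach (['uri', 'nonce', 'nc', 'cnonce', 'response'] as $k) {
        if (!isset($f[$k])) {
            return false;
        }
    }
    // nc-value = 8LHEX, request-digest = 32LHEX
    if (!preg_match('/^[0-9a-f]{8}$/', $f['nc']) || !preg_match('/^[0-9a-f]{32}$/', $f['response'])) {
        return false;
    }
    $expected = digestResponse($storedHa1, $method, $f['uri'], $f['nonce'], $f['nc'], $f['cnonce']);
    return hash_equals($expected, $f['response']);
}

// Constructed sample exchange.
$nonce  = 'dcd98b7102dd2f0e8b11d0f600bfb0c093';
$header = authorizationHeader('myuser', 'protected', 'mypassword',
                              'GET', '/protected/file.mp3', $nonce, '00000001', '0a4f113b');
echo "Authorization: $header\n";
var_dump(verifyDigest($header, ha1('myuser', 'protected', 'mypassword'), 'GET'));
var_dump(verifyDigest($header, ha1('myuser', 'protected', 'wrong-password'), 'GET'));
```

A real server must also remember which nonces it issued and reject a reused nonce/nc pair; the check above covers only the digest arithmetic. Note that the server only ever needs HA1, so a database can store that instead of the password if Digest is the scheme in use.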
 
LVL 26

Expert Comment

by:skullnobrains
actually i just came across something simpler :

allow from $remote_ip
deny from all

your php page changes the .htaccess dynamically (ie u must log the date and time each ip was added and erase them after a few minutes...)

you go through all the server variables that can give a clue as to the ip of the client (in case of proxies) and refuse of course any local address.

in this case a limited number of proxies may not let the user through but they are very seldom. i assume you could ask those few users to logon manually as most of them hide themselves on purpose and will be used to such things.

would this be enough for your site ? of course you can only protect directories but all the files in each specific directory could be accessed all the same.
0
 
LVL 2

Author Comment

by:j79

That sounds good skullnobrains.
I'll give 125 points if you give me some short advice on how the .htaccess file should look.
I think that I can do a php with cookies for writing the .htaccess site.

j79
0
 
LVL 26

Accepted Solution

by:
skullnobrains earned 125 total points
This only requires the .htaccess file.  There are two approaches to restricting by IP address:

a) deny everyone access, then allow certain hosts/IP addresses

AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
order deny,allow
deny from all
allow from 199.166.210.
allow from .golden.net
allow from proxy.aol.com
allow from fish.wiretap.net
</Limit>

b) allow everyone except for certain hosts/IP addresses

AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
order allow,deny
allow from all
deny from .microsoft.com
deny from .evil-hackers.org
deny from 24.112.106.235
deny from morphine.wiretap.net
</Limit>

this is an extract from http://home.golden.net/htaccess.html
('htaccess allow by ip' lookup in google)
... and should answer that question better than i would ;)

cheers

ps : i assumed your post referred to my last. if not i'll pop in in a few days.
0
 
LVL 26

Expert Comment

by:skullnobrains
by the way, if you want a script that pulls out the passwords from the db and creates an htpassword accordingly, this is fairly easy but then you will want the htpassword to be updated automatically which is more painful...but we got to be a little masochist to like them programs, don't we ?
0
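An added example of the export script just mentioned, not code from this thread or from any of its participants. It assumes the users table already stores bcrypt hashes (the `$2y$` format PHP's `password_hash()` produces, which Apache 2.4's htpasswd also accepts), so the file can be regenerated without the script ever seeing a plaintext password; the sample rows, the `username`/`password_hash` column names and the output path are constructed assumptions.

```php
<?php
// Added example, not code from the thread: export user records to an .htpasswd
// file. Apache 2.4 accepts bcrypt ("$2y$") entries, the format PHP's
// password_hash() produces, so a users table that already stores bcrypt hashes
// can be exported without handling plaintext passwords. Rows, column names and
// the path below are constructed assumptions.

function htpasswdLine(string $user, string $hash): string
{
    // A ':' or newline in the username would corrupt the file's user:hash layout.
    if (!preg_match('/^[A-Za-z0-9._@-]+$/', $user)) {
        throw new InvalidArgumentException("unsafe username: $user");
    }
    if (strncmp($hash, '$2y$', 4) !== 0) {
        throw new InvalidArgumentException("not a bcrypt hash for user $user");
    }
    return "$user:$hash\n";
}

function buildHtpasswd(iterable $rows): string
{
    $out = '';
    foreach ($rows as $row) {
        $out .= htpasswdLine($row['username'], $row['password_hash']);
    }
    return $out;
}

function writeAtomically(string $path, string $contents): void
{
    // Write a temp file in the same directory and rename it into place, so Apache
    // never reads a half-written file and the old file stays valid until the swap.
    $tmp = $path . '.' . getmypid() . '.tmp';
    if (file_put_contents($tmp, $contents, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $tmp");
    }
    chmod($tmp, 0640);                 // readable by the web server's group only
    rename($tmp, $path);
}

// Constructed sample rows; a real run would read them from the users table.
$rows = [
    ['username' => 'alice', 'password_hash' => password_hash('correct horse', PASSWORD_BCRYPT)],
    ['username' => 'bob',   'password_hash' => password_hash('battery staple', PASSWORD_BCRYPT)],
];
$contents = buildHtpasswd($rows);
writeAtomically('/var/www/auth/.htpasswd', $contents);   // assumed path, outside the document root
echo $contents;
```

The protected directory's .htaccess then points at the file with `AuthType Basic`, `AuthName`, `AuthUserFile /var/www/auth/.htpasswd` and `Require valid-user`. Keeping the file outside the document root matters because an .htpasswd inside it is otherwise just another downloadable file. If the database stores hashes in a format Apache does not understand, there is no way to convert them; the entry can only be written at the moment the user registers or logs in, when the password is available.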
 
LVL 2

Author Comment

by:j79

Thank you skullnobrains,

I made a htaccess like:

deny from all
allow from 199.166.210.
allow from .golden.net
allow from proxy.aol.com
allow from fish.wiretap.net

without <LIMIT ...> and it seems to work very well.
The htaccess is now being updated from a database with IP's of current valid sessions.

Thank you for your help
j79

0
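An added example of the regeneration script described in this thread, written for this page rather than taken from it: it rebuilds the allow list from sessions that are still valid, drops entries older than a few minutes, refuses private and loopback addresses, and only believes `X-Forwarded-For` when the connection really came from a known proxy. The session rows, the proxy address, the `SESSION_TTL` value and the .htaccess path are constructed assumptions.

```php
<?php
// Added example, not code from the thread: regenerate the .htaccess allow list
// from sessions that are still valid. Entries older than SESSION_TTL are
// dropped, private/loopback addresses are refused, and X-Forwarded-For is only
// trusted when the request came from our own proxy. Session rows, the proxy
// list and the path are constructed assumptions.

const SESSION_TTL = 300;                      // seconds since last activity (assumed)
const TRUSTED_PROXIES = ['192.0.2.10'];       // assumed reverse proxy in front of Apache

function isPublicIp(string $ip): bool
{
    // Rejects RFC 1918, loopback, link-local and other reserved ranges.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// The address to record for a session. REMOTE_ADDR is the actual TCP peer;
// X-Forwarded-For is client-controlled unless our own proxy appended it.
function clientIp(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (in_array($remote, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        return end($chain);                   // the last hop is the one our proxy appended
    }
    return $remote;
}

function activeIps(array $sessions, int $now): array
{
    $ips = [];
    foreach ($sessions as $s) {
        if ($now - $s['last_seen'] <= SESSION_TTL && isPublicIp($s['ip'])) {
            $ips[$s['ip']] = true;            // de-duplicate
        }
    }
    ksort($ips);
    return array_keys($ips);
}

function renderHtaccess(array $ips): string
{
    // Apache 2.2 syntax as used in the thread; on Apache 2.4 use "Require ip ..." instead.
    $lines = ['order deny,allow', 'deny from all'];
    foreach ($ips as $ip) {
        $lines[] = "allow from $ip";
    }
    return implode("\n", $lines) . "\n";
}

$now = time();
$sessions = [                                 // constructed sample session table
    ['ip' => '203.0.113.7',  'last_seen' => $now - 60],
    ['ip' => '198.51.100.2', 'last_seen' => $now - 900],   // expired
    ['ip' => '10.0.0.5',     'last_seen' => $now - 10],    // private range: refused
    ['ip' => '203.0.113.7',  'last_seen' => $now - 30],    // duplicate of the first
];
$htaccess = renderHtaccess(activeIps($sessions, $now));
file_put_contents('/var/www/html/protected/.htaccess', $htaccess, LOCK_EX);  // assumed path
echo $htaccess;
```

Run from cron every minute or from the login handler after inserting the session row, which calls `clientIp($_SERVER)` to fill the `ip` column. The limitation of the scheme is inherent: while a session is active, every machine sharing that public address (an office NAT, a carrier proxy) can fetch the files too, which is why the expiry window should be short.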
 
LVL 26

Expert Comment

by:skullnobrains
cool if you found out and sorry this did not come up sooner
i guess when you say 'like' u adapted to your needs if it works
... and i dunno what the hell the '<limit>' thing is useful for here
0
 
LVL 2

Author Comment

by:j79

I think it's something to limit the GET-size of the file/site.

Don't also know it :)

Thanx again
j79
0
 
LVL 26

Expert Comment

by:skullnobrains
http://web.nwe.ufl.edu/writing/help/web/authoring/apache/limit.html
if u're interested, the limit directive is explained here and the rest of the site is good info on apache (quick reference for simple tasks)
0
