j79
asked on
POST .htpasswd using php variables!
Hello,
I have a database where users can login with php/mysql, and what I want to do now is to create a protected directory on an external server with .htaccess/.htpasswd, but I don't want to create every user again now and put them into the .htpasswd file.
Is it possible to realize this using a php page with redirection to this domain/directory, in which a "global" user/password is set as a variable and automatically has access to the protected directory?
I tried it with:
$PHP_AUTH_USER = "myuser";
$PHP_AUTH_PW = "mypassword";
and
$_SERVER['PHP_AUTH_USER'] = "myuser";
$_SERVER['PHP_AUTH_PW'] = "mypassword";
but without any success; after redirection the HTTP-AUTH window is popping up asking for the username/password.
j79
ASKER
Hello skullnobrains,
thank you for the answer.
What about files like mp3/jpg/gif in this directory? They aren't protected from outside access if I don't set up a password-protected directory!
j79
if you need to protect such things, yes, you may need to automate login through htaccess
using cookies, try: http://www.raburton.lunarpages.com/apache/mod_auth_cookie/
using headers, refer to RFC 2617 (the following is an extract; most lines could probably be skipped)
<<
3.2.2 The Authorization Request Header
The client is expected to retry the request, passing an Authorization
header line, which is defined according to the framework above,
utilized as follows.
credentials = "Digest" digest-response
digest-response = 1#( username | realm | nonce | digest-uri
| response | [ algorithm ] | [cnonce] |
[opaque] | [message-qop] |
[nonce-count] | [auth-param] )
username = "username" "=" username-value
username-value = quoted-string
digest-uri = "uri" "=" digest-uri-value
digest-uri-value = request-uri ; As specified by HTTP/1.1
message-qop = "qop" "=" qop-value
cnonce = "cnonce" "=" cnonce-value
cnonce-value = nonce-value
nonce-count = "nc" "=" nc-value
nc-value = 8LHEX
response = "response" "=" request-digest
request-digest = <"> 32LHEX <">
LHEX = "0" | "1" | "2" | "3" |
"4" | "5" | "6" | "7" |
"8" | "9" | "a" | "b" |
"c" | "d" | "e" | "f"
>>
the other solution (much more secure but slightly slower) is to store the files outside the apache web directory and use php to handle the file directly, either through streaming or by storing it in temporary files (using changing names will prevent multiple downloads).
please beware that if you use authentication through htaccess and headers, you will probably want to create session-based passwords dynamically (which is the easy part), as the user will be able to retrieve them from the browser history.
i would need to know a bit more about your goals to try and make a reasonable and more precise suggestion.
actually i just came across something simpler:
allow from $remote_ip
deny from all
your php page changes the htaccess dynamically (i.e. you must log the date and time each ip was added and erase them after a few minutes...)
you go through all the server variables that can give a clue as to the ip of the client (in case of proxies) and of course refuse any local address.
in this case a limited number of proxies may not let the user through, but they are very seldom. i assume you could ask those few users to log on manually, as most of them hide themselves on purpose and will be used to such things.
would this be enough for your site? of course you can only protect directories, but all the files in each specific directory could be accessed all the same.
ASKER
That sounds good skullnobrains.
I'll give 125 points if you give me some short advice on what the .htaccess file should look like.
I think that I can do a php with cookies for writing the .htaccess site.
j79
by the way, if you want a script that pulls the passwords out of the db and creates an htpasswd accordingly, this is fairly easy, but then you will want the htpasswd to be updated automatically, which is more painful... but we've got to be a little masochist to like these programs, don't we?
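A script of the kind described above, added here as an example and not code from the thread: it writes an .htpasswd file from the rows of the login database. It assumes the database already stores bcrypt ($2y$) hashes, which PHP's password_hash() produces and which Apache 2.4's mod_authn_file verifies as-is, so the sync never needs a plaintext password; the $rows array and writeHtpasswd() are constructed stand-ins for the asker's query and target path.

```php
<?php
// Added example (not code from the thread): write an .htpasswd file straight from
// the login database. Assumes the DB stores bcrypt ($2y$) hashes, which Apache 2.4's
// mod_authn_file accepts directly, so no plaintext password is needed to sync.

// Only usernames that cannot break the "user:hash" line format are accepted.
function buildHtpasswd(array $rows): string
{
    $out = '';
    foreach ($rows as $r) {
        if (!preg_match('/^[A-Za-z0-9._@-]{1,64}$/', $r['username'])) continue; // ':' or newline
        if (strncmp($r['pw_hash'], '$2y$', 4) !== 0) continue;                // not bcrypt
        $out .= $r['username'] . ':' . $r['pw_hash'] . "\n";
    }
    return $out;
}

// Atomic replace; keep the file outside DocumentRoot and unreadable to others.
function writeHtpasswd(string $path, string $content): void
{
    $tmp = "$path.tmp";
    file_put_contents($tmp, $content, LOCK_EX);
    chmod($tmp, 0640);
    rename($tmp, $path);
}

// Constructed rows standing in for "SELECT username, pw_hash FROM users".
$rows = [
    ['username' => 'alice', 'pw_hash' => password_hash('correct horse', PASSWORD_BCRYPT)],
    ['username' => 'bob:x', 'pw_hash' => password_hash('battery staple', PASSWORD_BCRYPT)], // bad name
    ['username' => 'carol', 'pw_hash' => md5('legacy')],                                    // old MD5 row
];
echo buildHtpasswd($rows);
```

Only the alice row reaches the file; the other two are skipped rather than written in a form Apache would misparse or reject.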
ASKER
Thank you skullnobrains,
I made an htaccess like:
deny from all
allow from 199.166.210.
allow from .golden.net
allow from proxy.aol.com
allow from fish.wiretap.net
without <LIMIT ...> and it seems to work very well.
The htaccess is now being updated from a database with IPs of current valid sessions.
Thank you for your help
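The regeneration step the asker describes, as an added example that is not code from the thread: it rebuilds the directory's .htaccess from the IPs of still-valid sessions. It assumes Apache 2.2 Order/Allow/Deny syntax (as used in the thread), a ten-minute validity window, and a $sessions array standing in for the asker's database rows; clientIp() and writeHtaccess() are names chosen here.

```php
<?php
// Added example (not code from the thread): rebuild a directory's .htaccess from the
// IPs of still-valid sessions. Assumes Apache 2.2 Order/Allow/Deny syntax (as in the
// thread) and a $sessions array in place of the asker's DB rows.

const SESSION_TTL = 600;   // seconds since last activity before an IP is dropped

// Trust only the TCP peer address (X-Forwarded-For and similar are client-controlled);
// private, loopback and reserved ranges are refused, as the thread advises.
function clientIp(array $server): ?string
{
    $ip = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP,
        FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
    return $ip === false ? null : $ip;
}

// Deny everything, then allow each distinct, validated, unexpired session IP.
// Re-validating here keeps stray text (or a newline) from a DB row out of the file.
function buildHtaccess(array $sessions, int $now): string
{
    $lines = ['Order deny,allow', 'Deny from all'];
    $seen = [];
    foreach ($sessions as $s) {
        if ($now - $s['last_seen'] > SESSION_TTL) continue;          // expired
        $ip = clientIp(['REMOTE_ADDR' => $s['ip']]);
        if ($ip === null || isset($seen[$ip])) continue;            // bad or duplicate
        $seen[$ip] = true;
        $lines[] = "Allow from $ip";
    }
    return implode("\n", $lines) . "\n";
}

// Write to a temp file and rename, so Apache never reads a half-written .htaccess.
function writeHtaccess(string $dir, string $content): void
{
    $tmp = "$dir/.htaccess.tmp";
    file_put_contents($tmp, $content, LOCK_EX);
    rename($tmp, "$dir/.htaccess");
}

// Constructed sample rows standing in for the asker's sessions table.
$now = time();
$sessions = [
    ['ip' => '199.166.210.14',          'last_seen' => $now - 60],   // kept
    ['ip' => '10.0.0.5',                'last_seen' => $now - 30],   // private: refused
    ['ip' => '203.0.113.9',             'last_seen' => $now - 3600], // expired: dropped
    ['ip' => "1.2.3.4\nAllow from all", 'last_seen' => $now],        // tampered: dropped
];
echo buildHtaccess($sessions, $now);
```

Run it from the login handler and from a short cron job, so entries also disappear when a user simply walks away instead of logging out.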
j79
cool if you found out and sorry this did not come up sooner
i guess when you say 'like' you adapted it to your needs, if it works
... and i dunno what the hell the '<limit>' thing is useful for here
ASKER
I think it's something to limit the GET-size of the file/site.
I don't know it either :)
Thanks again
j79
http://web.nwe.ufl.edu/writing/help/web/authoring/apache/limit.html
if you're interested, the limit directive is explained here and the rest of the site is good info on apache (quick reference for simple tasks)
... the point is: is that useful? you could much more easily add security of your own on the pages you are willing to protect.
a simple line such as if authorization=1 would probably do the trick all right as long as you don't accept includes
follows part of my own security, which will accept the inclusion of 'connect.php', and only that one.
if(!$INCLUDES=get_included
beware that some versions will stick the page itself in the $INCLUDES table, so you may need to adapt.
you will also need to check if the posting has been hacked, but this is fairly easy using a simple self-made coding function.
mine takes any 4 digits and returns a number between 1 and 100 which is completely unlinked to the original (i.e. 1547 may return 21 and 1548 may return 85... see what i mean?)
the reason for this is that most of the would-be hackers know how to hack a htaccess and i guess this is one of the unusual occasions where security-through-obfuscati