We help IT Professionals succeed at work.

Check out our new AWS podcast with Certified Expert, Phil Phillips! Listen to "How to Execute a Seamless AWS Migration" on EE or on your favorite podcast platform. Listen Now


POST .htpasswd using php variables!

j79 asked
Medium Priority
Last Modified: 2008-02-01


I have a database where users can login with php/mysql and what I want to do now is to create a protected directory on an extern server with .htaccess/.htpasswd but I don't want to create now every user again and put them into the .htpasswd file.
Is it possible to realize this intention using a php page with redirection to this domain/directory in which a "global" user/password is set as variable and automatically has access to the protected directory?

I tried it with:
$PHP_AUTH_USER = "myuser";
$PHP_AUTH_PW = "mypassword";
$_SERVER['PHP_AUTH_USER'] = "myuser";
$_SERVER['PHP_AUTH_USER'] = ",mypassword";

but without any success, after redirection the HTTP-AUTH window is poping up askind the username/password.

Watch Question


it's hard to realize but yes you could, though i could hardly point the how-to.
... the point is is that usefull ? u could much more easily add a security of your own on the pages you are willing to protect.

a simple line such as if authorization=1 would probably do the trick allright as long as you don't accept includes

follows part of my own security, which will accept the inclusion of 'connect.php', and only that one.

if(!$INCLUDES=get_included_files()+ get_required_files() or substr($INCLUDES[0],-11)!="connect.php" or count($INCLUDES)!=1)){

beware that some versions will stick in the $INCLUDES table the page itself so u may need to adapt.

u will also need to check if the posting has been hacked but this is fairly easy using a simple self-made coding function.
mine takes any 4 digits and returns a number between 1 and 100 wich is completely unliked to the original (ie 1547 may return 21 and 1548 may return 85... see what i mean ?)

the reason for this is that most of the would-be hackers know how to hack a htaccess and i guess this is one of the unusual occasions where security-through-obfuscation is usefull and efficient if you take care.



Hello skullnobrains,

thank you for the answer.
What about files like mp3/jpg/gif in this directory? They aren't prevented from outside access if I don't set a password protected directory!


if you need to protect such things, yes you may need to automate login through htaccesses
using cookies, try : http://www.raburton.lunarpages.com/apache/mod_auth_cookie/
using headers, refer to the rfc 2617 (following is an extract, most lines could probably be skipped)
3.2.2 The Authorization Request Header

   The client is expected to retry the request, passing an Authorization
   header line, which is defined according to the framework above,
   utilized as follows.

       credentials      = "Digest" digest-response
       digest-response  = 1#( username | realm | nonce | digest-uri
                       | response | [ algorithm ] | [cnonce] |
                       [opaque] | [message-qop] |
                           [nonce-count]  | [auth-param] )

       username         = "username" "=" username-value
       username-value   = quoted-string
       digest-uri       = "uri" "=" digest-uri-value
       digest-uri-value = request-uri   ; As specified by HTTP/1.1
       message-qop      = "qop" "=" qop-value
       cnonce           = "cnonce" "=" cnonce-value
       cnonce-value     = nonce-value
       nonce-count      = "nc" "=" nc-value
       nc-value         = 8LHEX
       response         = "response" "=" request-digest
       request-digest = <"> 32LHEX <">
       LHEX             =  "0" | "1" | "2" | "3" |
                           "4" | "5" | "6" | "7" |
                           "8" | "9" | "a" | "b" |
                           "c" | "d" | "e" | "f"


the other solution (much more sure but slightly slower) is to store the files out of the apache web directory and use php to directly handle the file either through streaming or storing in temporate files (using changing names will prevent multiple downloads).

please beware that if u use authentication through htaccess and headers, you probably will want to create session-based passwords dynamically (which is the easy part) as the user will be able to retrieve them from the browser history.

i would need to know a bit more on your goals to try and make a resonnable and more deeply precise suggestion.

actually i just came accross something simpler :

allow from $remote_ip
deny from all

your php page changes the htacces dynamically (ie u must log the date and time each ip was added and erase them after a few minutes...)

you go through all the server variables that can give clue as to the ip of the client (in case of proxies) and refuse of course any local adress.

in this case a limited number of proxies may not let the user through but they are very seldom. i assume you coul'd ask that few users to logon manually as most of them hide themselves on purpoise and will be used to such things.

would this be enough for your site ? of couse you can only protect directories but all the files in each specific directory could be accessed all the same.



That sounds good skullnobrains.
I'll give 125 points if you give me a short advice how the .htaccess file should look like.
I think that I can do a php with cookies for writing the .htaccess site.

Unlock this solution with a free trial preview.
(No credit card required)
Get Preview

by the way, if you want a script that pulls out the passwords from the db and creates an htpassword accordingly, this is fairly easy but then you will want the htpassword to be updates automatically which is more painfull...but we got to be a little masochist to like them programs, dont we ?



Thank you skullnobrains,

I made a htaccess like:

deny from all
allow from 199.166.210.
allow from .golden.net
allow from proxy.aol.com
allow from fish.wiretap.net

without <LIMIT ...> and it seems to work very well.
The htaccess is now being updated from a database with IP's of current valid sessions.

Thank you for your help


cool if you found out and sorry this did not come up sooner
i guess when you say 'like' u adapted to your needs if it works
... and i dunno what the hell the '<limit>' thing is usefull here



I think it's something to limit the GET-size of the file/site.

Don't also know it :)

Thanx again

if u're interested, the limit directive is explained here and the rest of the site is good info on apache (quick reference for simple tasks)
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a free trial preview!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.