  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 427
  • Last Modified:

How to redirect to an htaccess protected folder without generating the prompt to sign in....

Say you have a website, some of it open to the public, some open to members only… the members-only section is protected with an htaccess defined user… but, you don’t want to have to set up all the members individually through that file… so, you create a form, get the user to enter a user id and password, bring that into a PHP script, query your MySQL Database, compare that to what’s on file for that user…. and then, if matched, redirect them to the page that is in the htaccess protected section of the site…. however, you don’t want HTTP to prompt them to enter the user id as defined in the htaccess file… you want to pass that along in the redirect…..


So, a normal redirect would look like:

    header("Location: http://www.mysite.org/member/");

OR

    header("Location: http://www.mysite.org/member/index.htm");

 

Both of those invoke the HTTP Prompt.

 

I’ve tried something like this:

     header("Location: http://MYUSER:MYPASSWORD@mysite.org/member/");

OR

     header("Location: http://MYUSER:MYPASSWORD@www.mysite.org/member/");

 

Where MYUSER is the user defined in the htaccess file and MYPASSWORD the password, but get an invalid URL message if I'm using IE.  I understand that this syntax would work with Mozilla or other browsers... but I need a solution that will work for all browsers.

 
I’ve also tried this, but it doesn’t seem to do anything (still get HTTP Prompt)

    $_SERVER['PHP_AUTH_USER'] = 'MYUSER';

    $_SERVER['PHP_AUTH_PW']    = 'MYPASSWORD';

    header("Location: http://www.mysite.org/members/");

 
 The member folder is protected by the htaccess stuff.  Basically, I want to provide the userid and password as defined in the htaccess file behind the scenes and do the actual user authentication myself through lookups to our member MySQL database.

I've also tried mod_auth_mysql but our webhost is not set up to allow that kind of authorization.

Any ideas?

 
Asked by: mdougan
1 Solution

virmaior Commented:
Check out the solution I just proposed here:

http://www.experts-exchange.com/Web/Web_Languages/PHP/Q_21202995.html#12564758

you can wrap the pages and use your own authentication scheme (I know there are better solutions, but if your host doesn't allow those, then something using these tricks should work).
0
 
mdougan (Author) Commented:
It looks interesting, but I'm not sure I'm getting exactly how it works... looks like you've set up the htaccess to fail whenever the user tries to access one of your files (in your case .jpgs, in my case would that be the .html pages?).  Then, that will invoke your finder.php script... looks like your finder.php will then load the file?  I'm not familiar with the command that follows the successful check for if the file exists (sorry, I'd go back to the page to get the exact command you used but don't want to lose what I've typed so far....).

If that is basically how it works, then I suppose that once they get to a protected html page and click a link to another protected html page, that's going to generate another error... so, I'd do my authentication in the finder.php script and perhaps set a session cookie... check the session cookie before prompting the user?
0
 
mdougan (Author) Commented:
OK, I tried to implement this... made the htaccess file like the one you had, except that to find the finder.php file I had to take the slash off the front of the ErrorDocument ... the result was that I got a Forbidden error, and additionally, it told me that I got an internal server error 500 while trying to implement an ErrorDocument or something like that..... any idea what would be going on here?
0
 
virmaior Commented:

you will need to add an exception to your htaccess:

    <Files finder.php>
    allow from all
    </Files>

this should make it so that finder is no longer 403'd
0
 
mdougan (Author) Commented:
OK, I had to put the slash back in front of the finder.php... so, now my htaccess file looks like:

    Order Allow,Deny
    Deny from all

    # To allow execution of cgi scripts in this directory uncomment next two lines
    #AddHandler cgi-script .bat .exe .pl .cgi
    Options -Indexes

    ErrorDocument 403 /finder.php

    <FilesMatch "\.(gif|png|pdf|jpg|jpeg|swf)$">
    Allow from all
    </FilesMatch>

    <Files finder.php>
    allow from all
    </Files>

My finder.php file looks like:

    <?php
    //echo $_SERVER['REQUEST_URI'];
    $file = $_SERVER["DOCUMENT_ROOT"] . $_SERVER["REQUEST_URI"];
    if (file_exists($file))
    {
        if (isset($f_mysite_auth)) {
            include_once($file);
        }
        else
        {
            include_once("http://www.mysite.org/authentication.html");
            //header("Location: http://www.mysite.org/authentication.html");
            //exit;
        }
    }
    else
    {
        include "error.php";
    }
    ?>

When I try to navigate to :

http://www.mysite.org/member/index.htm

I get a text echo saying something like   "no input file specified"

I'd commented out the echo that you had at the top of the finder.php, but I've also tried it uncommented... never see anything echoed ...

Basically, if an error is generated, I'm hoping that this finder.php will execute... it will look for a cookie value, if the cookie value is not set it will try to redirect to a page that is outside of the member directory which is going to ask the user for a user id and password... that will post to a php script that will authenticate the user and if authenticated, it will write the cookie and then redirect to the /member/index.htm page... which would then generate an error... invoke finder.php... etc... do you see anything else wrong here?
0
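A hardened variant of the `finder.php` 403 handler posted above, added here as an example and not code from either poster: it keys access on server-side session state rather than the presence of a cookie, and confines the requested path to the member directory before sending the file. The session key `member_id`, and `logon.php` setting it after the database check, are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed names: logon.php calls
// session_start() and sets $_SESSION['member_id'] after the MySQL check.
declare(strict_types=1);

const LOGIN_URL  = '/authentication.html';   // login form named in the thread
const MEMBER_DIR = '/member';                // protected directory from the thread
const TYPES = ['htm' => 'text/html', 'html' => 'text/html'];  // static pages only

// Map the requested URI to a real file under MEMBER_DIR, or null if it is
// missing, outside that directory, or not an allowed static type.
function resolve_member_file(string $docRoot, string $requestUri): ?string
{
    $path = parse_url($requestUri, PHP_URL_PATH);   // drops the query string
    $path = is_string($path) ? rawurldecode($path) : '';
    if ($path === '' || strpos($path, "\0") !== false) {
        return null;
    }
    if (substr($path, -1) === '/') {
        $path .= 'index.htm';                       // directory request
    }
    $base = realpath($docRoot . MEMBER_DIR);
    $real = realpath($docRoot . $path);             // resolves ../ and symlinks
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                                // escaped the member area
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    return array_key_exists($ext, TYPES) ? $real : null;
}

session_start();
if (empty($_SESSION['member_id'])) {    // server-side state, not a bare cookie
    header('Location: ' . LOGIN_URL, true, 302);
    exit;
}
$file = resolve_member_file((string) ($_SERVER['DOCUMENT_ROOT'] ?? ''),
                            (string) ($_SERVER['REQUEST_URI'] ?? ''));
if ($file === null) {
    http_response_code(404);
    exit('Not found');
}
http_response_code(200);    // replace the 403 that triggered the ErrorDocument
header('Content-Type: ' . TYPES[strtolower(pathinfo($file, PATHINFO_EXTENSION))]);
readfile($file);            // send the bytes; the file is not executed as PHP
```

Unlike the `include_once($file)` in the posted script, `readfile()` serves the page as static content, so this variant suits the `.htm` pages discussed here and not PHP scripts inside the member area.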
 
virmaior Commented:
it looks right to me...  if you have access to the error logs for your server, see if anything is showing up
also is your finder.php in your directory root?
0
 
mdougan (Author) Commented:
Have access to a file called access-log which seems to show when and what pages are being accessed, but didn't see any of the errors that I'd generated....  I might find them through the normal control panel we use to administer the site...

I put the finder.php in the /member directory which is the protected directory... I assumed that this is where I'd want it?

my authentication.html  and my logon.php files are in the root directory, authentication.html is just a form that posts the users id and password to logon which does the db query, writes the cookie and tries to redirect to  /member/index.htm .....
0
 
virmaior Commented:
for my site, I keep it in a directory above.  I had the same sort of trouble with htaccess
and 90% of the websites out there that talk about it are either too hard to understand or don't show me how to do anything useful...
0
 
mdougan (Author) Commented:
Hey!  99% success!  I think at some point I was copying updates to the finder to the wrong place, as I had copies in both the root and in the member area... still not sure where the right location is, but that will be easy enough to determine... at least now, they're both the latest and greatest...

It all worked as expected.  Sweet...  now, my only problem comes when trying to run a php script that is under my /member/phpMyAdmin folder.... it would be great if I could allow that folder to be controlled by a different htaccess file and not the one in the /member folder, is that possible?  because when I try to navigate to:

http://www.mysite.org/member/phpMyAdmin/

I get this error:

Warning: main(): Unable to access ./libraries/grab_globals.lib.php in /home/www/mysite/member/phpMyAdmin/index.php on line 8

Warning: main(./libraries/grab_globals.lib.php): failed to open stream: No such file or directory in /home/www/mysite/member/phpMyAdmin/index.php on line 8

Thinking that it might be looking for the actual file name I'm trying to run which is index.php I gave it this url:

http://www.mysite.org/member/phpMyAdmin/index.php

And then got this error in addition to the other two:

Fatal error: main(): Failed opening required './libraries/grab_globals.lib.php' (include_path='.:/usr/local/lib/php') in /home/www/mysite/member/phpMyAdmin/index.php on line 8

I'll be accepting your response above as the solution, thanks!

0
