Solved

user authentication

Posted on 2006-06-09
11
348 Views
Last Modified: 2008-01-09
Hi!
i am trying to restrict users from accessing any file( code, images, zip or flash). i cannot place the protected directory out side server's path. i am using Apache HTTP server authentication, since there is no other way. now i want to use my own form, not the dialog box provided by web server. i can use javascript to do all the communication using XMLHttpRequest object. but the problem is that in order to execute this javascript, this page should be executed first, but that web server login dialog box apears even before this page can execute.
the other problem, if i disable web server authentication, then i can only protect php files not the images, zip files or any other type of file from the users. they can download them by directly giving the url of say zip file.
any idea, what should i do ??
0
Comment
Question by:SadafRasheed
11 Comments
 
LVL 16

Assisted Solution

by:dr_dedo
dr_dedo earned 50 total points
ID: 16869812
you can prevent hotlinking to your files, it is a common procedure with images but i don't see what makes it not work with zips and sqw as well, have a look on that tutorial and see if you can implement it in your site
http://underscorebleach.net/jotsheet/2004/11/stop-image-hotlinking-tutorial-htaccess-apache
0
 
LVL 2

Expert Comment

by:randy_stuart
ID: 16870498
I am not sure that I fully understand what you are trying to do, but Javascript is not the way to provide security since it is client side.  Meaning that the client can view all of your code used to create the security and can then hack it more easily.

If you don't want anyone to see what is in a certain folder then turn off the permissions on that folder.

If you want only authenticated users to view files, then use cookies, on each page to check if the user has been authenticated before showing the page, and do what dedo said.
0
 
LVL 4

Author Comment

by:SadafRasheed
ID: 16870550
i think both of u didnt get what i am trying to do :(
actually i want to communicate with the web server authentication dialog box.. is there any way to do that..
if not then is there any way to get the user info that was supplied to that dialog box, in my php file
0
 
LVL 8

Expert Comment

by:Autogard
ID: 16870718
Maybe I don't understand either, but are you saying that apache is serving up another page instead of the page that you want served?  If it is a matter of which precedence to use in displaying pages in a directory then you need to use the "DirectoryIndex" directive:

# Serves index.php by default, then index.html if no index.php (in apache conf file)
DirectoryIndex index.php index.html

Then if I access the directory "www.myhost.com/mydirectory" it will check for index.php first.

Sorry if I don't understand either.
0
 
LVL 4

Author Comment

by:SadafRasheed
ID: 16870833
i think i am unable to explain, what i want :$
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 8

Accepted Solution

by:
alakriti earned 150 total points
ID: 16871021
another solution could be to setup a mod_rewrite rule to direct all views in a particular folder to your PHP script, wich of course could validate their login credentials then. take the information provided by the url and output the header information for the image etc. and use something like readfile() to serve the content to them. this ensures that all hits to the folder pass through your PHP script. even if its an image or zip file etc.
0
 
LVL 4

Author Comment

by:SadafRasheed
ID: 16871725
yes this is what i want.... :)
can u plz guide me further,,
do i mod_rewrite rule in .htaccess file,,,
i want this restriction for one directory (and offcource its sub directories) ,, i hope this wont affect other directories....
0
 
LVL 8

Expert Comment

by:alakriti
ID: 16872008
you can place your rewrite rules in the .htaccess folder it will only effect that directory and subdirectories
0
 
LVL 4

Author Comment

by:SadafRasheed
ID: 16872186
ok,, decided,,, this is what i want,, and i want it badly and urgently,,
i just studied mod_rewrite
it uses regular expressions,, i tries one or twice but failed to learn regular expression and am sure can learn in whatever time i have now,, so can u plz guide me what should i write in .htaccess file if i want users trying to access any file or directory under
http://www.abcdef.com/Members/
to be redirected to
http://www.abcdef.com/membership/index.php?cmd=login

and how will i get the actual url that the user typed in...

thanks that is really helpin a lot
0
 
LVL 4

Author Comment

by:SadafRasheed
ID: 16872351

RewriteEngine on
RewriteRule ^([^/\.]+)/$  /membership/index.php?url=$1

should i write this??
0
 
LVL 4

Author Comment

by:SadafRasheed
ID: 16873394
i wrote the lines below in .htaccess file and uploaded it to the parent directory of "members" and it worked,, it redirected me to login page,, even when i typed the url of an imge :) :)

RewriteEngine on
RewriteRule ^members(.*) /membership/index.php?cmd=login&url=$1


thanks every one for your help :)


0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Part of the Global Positioning System A geocode (https://developers.google.com/maps/documentation/geocoding/) is the major subset of a GPS coordinate (http://en.wikipedia.org/wiki/Global_Positioning_System), the other parts being the altitude and t…
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to count occurrences of each item in an array.

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now