• Status: Solved

PHP Upload Script conflicts with HTPASSWD

Hi All,

I'm using a free PHP Upload script found here: http://clement.beffa.org/labs/projects/w2box/

It's just what my client needs for their website.  I've got everything working as planned, however, it appears that the administrative login function in the PHP script conflicts with my HTACCESS password protected directory.  Very simply, the script resides in the folder that is protected.  It's an upload function that is privy to clients only, not the public.  When you are prompted by HTACCESS on page load, the username and password that exists in .htpasswd works like a charm.  However, when you try to log in to the administrative section of the script, it fails.  I think this is happening because the script is using HTTP authentication which conflicts.

Any help is greatly appreciated.
Here's the code from the config.php script:

$config['admin_actived'] = true;
$config['admin_username'] = "username";
$config['admin_password'] = "password";

Here's the code from my index.php page:

$auth = !$config['admin_actived'];
authorize(true); //silent authorize first
if (isset($_GET["admin"])) {
	Header("Location: ".rooturl());

Here's the code from my .htaccess:

AuthUserFile .htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require valid-user
RewriteEngine on
RewriteCond %{QUERY_STRING} ^$
RewriteRule ([^\s]+).php$ $1.php?BAD_HOSTING=%{HTTP:Authorization}
RewriteCond %{QUERY_STRING} ^(.+)$
RewriteRule ([^\s]+).php $1.php?%1&BAD_HOSTING=%{HTTP:Authorization}


1 Solution
> I think this is happening because the script is using HTTP authentication which conflicts.

Yes, you can't use two HTTP authentication layers at the same time. If you're authenticated in /foo via .htaccess, you're not authenticated in your PHP script; if you're now authenticated in/for your PHP script, you're not authenticated for the web server (.htaccess). This process loops.

Possible "solution": Don't use HTTP auth for your PHP script (maybe in favor of a login form which checks the supplied username/password and uses a session to store the login).
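
The form-plus-session login suggested in the answer above, as an added example that is not part of the original thread or of w2box. It leaves the Authorization header entirely to Apache's Basic auth; the names ADMIN_USER, admin_login and is_admin and the sample credentials are assumptions made for illustration.

```php
<?php
// Added example: admin login via form + session for a script that already
// sits behind Apache Basic auth. PHP never touches the Authorization header.
declare(strict_types=1);

session_start([
    'cookie_httponly' => true,      // session cookie not readable from JS
    'cookie_samesite' => 'Strict',
    'use_strict_mode' => true,      // reject session IDs the server did not issue
]);

const ADMIN_USER = 'administrator'; // constructed sample value
// Constructed for the demo; a real config stores only the output of
// password_hash(), generated once, never the plaintext password.
$adminHash = password_hash('constructed-sample-password', PASSWORD_DEFAULT);

function admin_login(string $user, string $pass, string $hash): bool
{
    // Verify the password even for a wrong username, so response timing
    // does not reveal which usernames exist.
    $okPass = password_verify($pass, $hash);
    $okUser = hash_equals(ADMIN_USER, $user);
    if ($okUser && $okPass) {
        session_regenerate_id(true);        // new ID on privilege change
        $_SESSION['is_admin'] = true;
        return true;
    }
    return false;
}

function is_admin(): bool
{
    return ($_SESSION['is_admin'] ?? false) === true;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $u = $_POST['user'] ?? '';
    $p = $_POST['pass'] ?? '';
    if (is_string($u) && is_string($p)) {
        admin_login($u, $p, $adminHash);
    }
}

echo is_admin()
    ? 'Admin functions enabled.'
    : '<form method="post"><input name="user" autocomplete="username">'
      . '<input name="pass" type="password" autocomplete="current-password">'
      . '<button>Log in</button></form>';
```

With the admin check done this way, the BAD_HOSTING rewrite rules in the .htaccess above are no longer needed. Those rules copy the Basic auth header into the query string, where it is recorded in access logs.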
pmagony (Author) commented:
Thank you for your response.  Here's what I ended up doing... I ended up making sure that the HTTP auth user/pass in the PHP script matched the user/pass for "administrator" in my htaccess/htpasswd files.  This way, when I log in on the first layer, it automatically authenticates me with the script.

All other user/pass combos are not admin so it works out perfectly.

I'm going to credit you the points for setting my marbles back in order.

Thanks bud!
