Solved

Authenticate user after removing htaccess HTTP AUTH

Posted on 2009-04-20
Last Modified: 2013-12-13
Hi,
Earlier we had HTTP authentication using htaccess to access web pages, which include dynamic PHP pages as well as static HTML pages. So whenever we had to access the dynamic and/or static pages, the user had to enter his credentials.

But now, to integrate with another application, we removed this authentication. So I kept one login page which accepts user credentials. I have used the htaccess directive

php_value auto_prepend_file C:/xampp/htdocs/login.php,

which is called at the start of each request. This file checks for the logged-in session value; if it is set to true then it allows access to other pages, otherwise the login page appears.

The home page is divided into two columns, both having frames inside them. The left frame holds navigational menus which, when clicked, refresh the right frame with the clicked one without refreshing the entire page. The page which appears in the right frame is from a directory holding static HTML pages.

Now the problem is that when the user tries to access dynamic pages like index.php and the session doesn't exist, it asks for login (as we have mentioned in htaccess to append the login.php file at every request), but when the session doesn't exist, the left-right frame navigation works without asking for login.

It seems that for accessing static HTML pages using frames the above htaccess rule doesn't work.

Can anyone tell me what the problem is, or any other better alternative solution?
Question by:teenashah
12 Comments
 

Author Comment

by:teenashah
ID: 24183738
Hi

Above issue has been partially resolved by adding one more directive to htaccess i.e.

AddType application/x-httpd-php .html .htm
php_value auto_prepend_file C:/xampp/htdocs/login.php

This resolved the earlier issue that it was not asking for login for static HTML pages. But now, when there is no logged-in session value, it displays the login form inside the column 2 frame of the page. When the user enters valid credentials, it again displays the 2-column layout index page inside column 2, and this goes on.

Any solution?
0
 
LVL 11

Expert Comment

by:Chris Gralike
ID: 24183859
If the user hasn't logged in, what should happen?
What's the technical design that the application should follow?
If the user is visiting the default location, is the login required?




0
 
LVL 11

Expert Comment

by:Chris Gralike
ID: 24183952
In any case, you could write your own handler this way, catching all requests to the server, and validate and serve them based on xx condition. Here is just a simple example.


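<?php

// Paths (relative to the document root) that need a logged-in session
$protected = array('/test.php','/index.php');

// Use only the path part; REQUEST_URI also carries the query string
$req  = (string) parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
// Resolve the request under the document root, so "../" cannot reach files outside it
$root = realpath($_SERVER['DOCUMENT_ROOT']);
$file = realpath($root . $req);
$ok   = $file !== false && strpos($file, $root . DIRECTORY_SEPARATOR) === 0 && is_file($file);

if(in_array($req, $protected)){
        session_start();
        // $_SESSION itself always exists after session_start(), so test the login flag
        if(!isset($_SESSION['logged_in'])){
                echo "File is protected!\r\n";
        }else{
                // handle Login //
               if($ok){
                        // bla handle the file see below... //
                }
        }
}else{
        if($ok){
                if($fp = fopen($file, 'r')){
                        $cont = fread($fp, filesize($file));
                        print_r($cont);
                }else{
                        echo "File not found, sorry! \r\n";
                        exit;
                }
        }else{
                echo "File not found, sorry! \r\n";
        }
}
?>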


0
 

Author Comment

by:teenashah
ID: 24184316
Hi Chris_Gralike:,

If the user is not logged in then the login page has to be displayed to the user, for which I have written the htaccess directive

AddType application/x-httpd-php .html .htm
php_value auto_prepend_file C:/xampp/htdocs/login.php

Inside the login.php page I am checking a simple SESSION value, say logged_in. If it is not set to true then, using the include function, I am displaying the login form, which when submitted validates against the DB, outputs a true/false value and sets the session value logged_in accordingly. I am using the following code in the login.php file:


$objAuth = new Authentication();
$is_auth = $objAuth->is_authenticated();
if (!$is_auth)
{
     include_once("C:/xampp/htdocs/loginform.php");
     exit;
}
If the above code returns false, only then will we display the login form; otherwise the requested page will be displayed.
0
 
LVL 11

Expert Comment

by:Chris Gralike
ID: 24184512
This should work as designed. I am assuming that the class Authentication is using session_start() and $_SESSION vars to track the session a user has?

I'm not sure how loginform.php is handled. But you could go about it like this.

Just check the session var (don't load the entire class if it isn't needed).
If not set? Then redirect to the login page, and set the request as a session var.
 

// login.php
<?php
session_start();
if(!isset($_SESSION['logged_in'])){
     $_SESSION['REQUEST_URI'] = $_SERVER['REQST_URI'];
     header('location:loginform.php');
     exit; // stop here, otherwise the requested page is still sent after the header
}
?>
 
// Loginform.php
<?php
// Start a session
session_start();
 
// Do all the loginstuff
// If success then dont output anything just redirect to the saved uri.
$_SESSION['logged_in'] = true;
header('location:'.$_SESSION['REQST_URI']);
exit;
?>


0
 
LVL 11

Expert Comment

by:Chris Gralike
ID: 24184535
Typo:


 $_SESSION['REQUEST_URI'] = $_SERVER['REQST_URI'];
 
// Should be
 
 $_SESSION['REQST_URI'] = $_SERVER['REQUEST_URI'];


0
 
LVL 11

Expert Comment

by:Chris Gralike
ID: 24185327
This is how it works for me... (this is a very basic example)

Just have a look at the Files, prepend.php is prepended in the php.ini




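//prepend.php
<?php
session_start();
if(!isset($_SESSION['logged_in'])){
        // Remember the first page that was asked for, to return to it after login
        if(!isset($_SESSION['RQST_URI'])){
                $_SESSION['RQST_URI'] = $_SERVER['REQUEST_URI'];
        }
        chdir('/');
        include('login.php');
        exit;
}
?>
// the included login.php
<?php
if(isset($_POST['submit'])){
        // My login procedure //
        if(isset($_POST['passwd']) && trim($_POST['passwd']) === 'password'){
                // Issue a new session id on login, so an id set before login cannot be reused
                session_regenerate_id(true);
                $_SESSION['logged_in'] = true;
                header('location:'.$_SESSION['RQST_URI']);
                exit; // stop here so the form below is not sent along with the redirect
        }
}
// Show some basic login form //
// PHP_SELF comes from the request, so escape it before printing it into the HTML
print('
<form action="'.htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES).'" method="POST">
     <label>Your passwd please</label>
     <input type="password" name="passwd" value="" />
     <input type="submit" name="submit" />
</form>
');
?>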


0
 

Author Comment

by:teenashah
ID: 24190963
Hi Chris_Gralike,

Thanks for the code and explanation. But the thing is that the authentication code is working fine for me.
The problem is the way I have implemented it. Using htaccess I prepended login.php for each and every call.

AddType application/x-httpd-php .html .htm
php_value auto_prepend_file C:/xampp/htdocs/login.php

Suppose I am calling Index.php. As per the htaccess directive, login.php is called, where initially there won't be a logged_in session. So I have to include loginform.php using the above code.

$objAuth = new Authentication();
$is_auth = $objAuth->is_authenticated();
if (!$is_auth)
{
     include_once("C:/xampp/htdocs/loginform.php");
     exit;
}

I can't use header('location:loginform.php'); since then it goes into an infinite loop, because htaccess will again call login.php and login.php will call the login form. Never-ending loop. So I am using include_once.

This is the first problem.

The next problem is that after successful login the index page shows a two-column layout page. Each column holds frames embedded inside it. The left frame holds the navigational menu which, when clicked, displays the content of the link in the right frame, i.e. in the second column.

When the session expires and any navigational link is clicked, due to include_once the login form is displayed inside the second frame. When the user enters valid credentials, the index page (with 2-column layout) is again displayed in the right frame. Now we have two index pages: one the main page and the second one inside the right frame.

How can I resolve this issue?



0
 

Author Comment

by:teenashah
ID: 24190992
Hi Chris_Gralike,

I can't prepend prepend.php in php.ini since I want to authenticate for a specific folder only, not the whole folder structure. For example, my folder structure is: inside the www root folder I have three folders, admin, phpmyadmin and products, out of which I have to authenticate the products folder only. So I used the htaccess prepend directive.
0
 
LVL 11

Accepted Solution

by:
Chris Gralike earned 2000 total points
ID: 24192020
I think you need to use a physical folder structure to distinguish protected and non-protected content, i.e.

/protected/
/
/others/

Also you can use the "include"  as an alternative to header(location).

You can also use header(location) if prepended file knows how to handle it, i.e.

In this example I assume that all the unprotected content is within a folder, but you can also turn this around, i.e. put all the protected content in a folder.

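// SCRIPT_NAME is the path of the script Apache resolved, without the query string,
// so "/unprotected/" in a query string or behind "../" does not pass this test.
if(strpos($_SERVER['SCRIPT_NAME'], '/unprotected/') !== 0){
                   // Do all the authentication stuff
                   
                    if(!$auth){
                              // And because login.php is located inside the /unprotected folder
                              // the auth prepend is ignored because of the first if condition.
                              header('location:/unprotected/login.php');
                              exit; // stop here, otherwise the protected page is still sent
                    }
}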
                 
               
0
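
The folder-based gate from the accepted answer, written out as a complete prepend file; this is an added example, not code posted in the thread. The file name, the LOGIN_URL and PUBLIC_ROOT constants and both helper functions are assumptions; the logged_in and RQST_URI session keys follow the posts above.

```php
<?php
// prepend.php (hypothetical name), loaded through
//   php_value auto_prepend_file <path>/prepend.php
// Assumption: the login page lives in /unprotected/, as in the answer above.

const PUBLIC_ROOT = '/unprotected/';
const LOGIN_URL   = '/unprotected/login.php';

/** True when the resolved script lies inside the public folder. */
function is_public_path($scriptName)
{
    // Prefix match only: "/unprotected/" appearing later in the URL must not count.
    return strncmp($scriptName, PUBLIC_ROOT, strlen(PUBLIC_ROOT)) === 0;
}

/** Keep the post-login target on this site: one leading "/", no line breaks. */
function safe_return_path($uri)
{
    if (!is_string($uri) || $uri === '' || $uri[0] !== '/') {
        return '/';
    }
    // "//host/..." and "/\host/..." are read by browsers as another site.
    if (isset($uri[1]) && ($uri[1] === '/' || $uri[1] === '\\')) {
        return '/';
    }
    // CR or LF would let the value split the Location header.
    if (preg_match('/[\r\n]/', $uri)) {
        return '/';
    }
    return $uri;
}

// SCRIPT_NAME is the path Apache mapped to a script; REQUEST_URI is the raw
// request and may still contain "../" segments and the query string.
if (!is_public_path($_SERVER['SCRIPT_NAME'])) {
    session_start();
    if (empty($_SESSION['logged_in'])) {
        // Store where the user was going; login.php reads it after a valid login.
        $_SESSION['RQST_URI'] = safe_return_path($_SERVER['REQUEST_URI']);
        header('Location: ' . LOGIN_URL, true, 302);
        exit; // a header alone does not stop the protected page from being sent
    }
}
```

Because login.php sits under the public prefix, the redirect does not trigger the gate again, which avoids the loop described earlier in the thread.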
 
LVL 11

Expert Comment

by:Chris Gralike
ID: 24241143
Any updates on this issue?

Rgrds,
Chris
0
 
LVL 11

Expert Comment

by:Chris Gralike
ID: 24420473
I think the solution might be correct in this very very specific situation.

But on the other hand will only confuse people that want to replace http authentication with PHP scripting.

So I recommend this one to be closed / deleted with possibly a refund.

Rgrds, Chris
0
