teenashah


Authenticate user after removing htaccess HTTP AUTH

Hi,
Earlier we had HTTP authentication using htaccess to access web pages, which include dynamic PHP pages as well as static HTML pages. So whenever we had to access the dynamic and/or static pages, the user had to enter his credentials.

But now, to integrate with another application, we removed this authentication. So I kept one login page which accepts user credentials. I have used the htaccess directive

php_value auto_prepend_file C:/xampp/htdocs/login.php

which is called at the start of each request. This file checks the logged-in session value; if it is set to true then it allows access to other pages, otherwise the login page appears.

The home page is divided into two columns, both having frames inside them. The left frame holds navigational menus which, when clicked, refresh the right frame with the clicked page without refreshing the entire page. The page which appears in the right frame is from a directory holding static HTML pages.

Now the problem is that when a user tries to access dynamic pages like index.php and the session doesn't exist, it asks for login (as we have mentioned in htaccess to append the login.php file at every request), but when the session doesn't exist the left-right frame navigation works without asking for login.

It seems that for accessing static HTML pages using frames the above htaccess rule doesn't work.

Can anyone tell me what the problem is, or any better alternative solution?
teenashah

ASKER

Hi

The above issue has been partially resolved by adding one more directive to htaccess, i.e.

AddType application/x-httpd-php .html .htm
php_value auto_prepend_file C:/xampp/htdocs/login.php

This resolved the earlier issue that it was not asking for login for static HTML pages. But now, when there is no logged-in session value, it displays the login form inside the column 2 frame of the page. When the user enters valid credentials, it again displays the 2-column layout index page inside column 2, and this goes on.

Any solution?
If the user hasn't logged in, what should happen?
What's the technical design that the application should follow?
If the user is visiting the default location, is the login required?




In any account, you could write your own handler this way catching all requests to the server, validate and serve them based on xx condition. Here is just a simple example.


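<?php
// Paths that require a logged-in session.
$protected = array('/test.php', '/index.php');

// Compare on the path only; REQUEST_URI also carries the query string.
$req  = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
// Resolve the request inside the document root; realpath() collapses ../ sequences.
$root = realpath($_SERVER['DOCUMENT_ROOT']);
$file = realpath($root . $req);
$found = $file !== false
        && strpos($file, $root . DIRECTORY_SEPARATOR) === 0
        && is_file($file);

if(in_array($req, $protected)){
        session_start();
        // $_SESSION itself is always set after session_start(), so test the
        // login flag (logged_in is the name used later in this thread).
        if(!isset($_SESSION['logged_in'])){
                echo "File is protected!\r\n";
        }else{
                // handle Login //
                if($found){
                        // bla handle the file see below... //
                }
        }
}else{
        if($found){
                if($fp = fopen($file, 'r')){
                        $cont = fread($fp, filesize($file));
                        print_r($cont);
                }else{
                        echo "File not found, sorry! \r\n";
                        exit;
                }
        }else{
                echo "File not found, sorry! \r\n";
        }
}
?>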


Hi Chris_Gralike,

If the user is not logged in then the login page has to be displayed to the user, for which I have written the htaccess directive

AddType application/x-httpd-php .html .htm
php_value auto_prepend_file C:/xampp/htdocs/login.php

Inside the login.php page I am including a code spec in which I am checking a simple SESSION value, say logged_in. If it is not set to true then, using the include function, I am displaying the login form, which when submitted validates against the DB, outputs a true/false value and sets the session value logged_in accordingly. I am using the following code spec in the login.php file:


$objAuth = new Authentication();
$is_auth = $objAuth->is_authenticated();
if (!$is_auth)
{
     include_once("C:/xampp/htdocs/loginform.php");
     exit;
}
If the above code spec returns false then only we'll display the login form, otherwise the requested page will be displayed.

This should work as designed; I am assuming that the class Authentication is using session_start() and $_SESSION vars to track the session a user has?

I'm not sure how loginform.php is handled. But you could go about it like this.

Just check the session var (don't load the entire class if it isn't needed).
If not set? Then redirect to the login page, set the request as a session var.
 

// login.php
<?php
session_start();
if(!isset($_SESSION['logged_in'])){
     // Remember what was asked for, then send the browser to the login form.
     $_SESSION['REQUEST_URI'] = $_SERVER['REQST_URI'];
     header('location:loginform.php');
     exit; // stop here, otherwise the protected page is still sent after the redirect header
}
?>
 
// Loginform.php
<?php
// Start a session
session_start();
 
// Do all the login stuff
// If success then don't output anything, just redirect to the saved uri.
$_SESSION['logged_in'] = true;
header('location:'.$_SESSION['REQST_URI']);
exit;
?>


Typo:


 $_SESSION['REQUEST_URI'] = $_SERVER['REQST_URI'];
 
// Should be
 
 $_SESSION['REQST_URI'] = $_SERVER['REQUEST_URI'];


This is how it works for me... (this is a very basic example)

Just have a look at the Files, prepend.php is prepended in the php.ini




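//prepend.php
<?php
session_start();
if(!isset($_SESSION['logged_in'])){
        // Remember the first page that was asked for.
        if(!isset($_SESSION['RQST_URI'])){
                $_SESSION['RQST_URI'] = $_SERVER['REQUEST_URI'];
        }
        chdir('/');
        include('login.php');
        exit; // never fall through to the requested page
}
?>
// the included login.php
<?php
if(isset($_POST['submit'], $_POST['passwd'])){
        // My login procedure (the hard-coded password is a placeholder only) //
        if(trim($_POST['passwd']) == 'password'){
                $_SESSION['logged_in'] = true;
                header('location:'.$_SESSION['RQST_URI']);
                exit; // stop, otherwise the form below is still printed
        }
}
// Show some basic login form //
// PHP_SELF comes from the request URL, so escape it before printing it into HTML.
print('
<form action="'.htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES).'" method="POST">
     <label>Your passwd please</label>
     <input type="password" name="passwd" value="" />
     <input type="submit" name="submit" />
</form>
');
?>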


Hi Chris_Gralike,

Thanks for the code and explanation. But the thing is that the authentication code spec is working fine for me.
The problem is the way I have implemented it. Using htaccess I prepended login.php for each and every call.

AddType application/x-httpd-php .html .htm
php_value auto_prepend_file C:/xampp/htdocs/login.php

Suppose I am calling Index.php. Due to the htaccess directive, login.php is called, where initially there won't be a logged_in session. So I have to include loginform.php using the above code spec.

$objAuth = new Authentication();
$is_auth = $objAuth->is_authenticated();
if (!$is_auth)
{
     include_once("C:/xampp/htdocs/loginform.php");
     exit;
}

I can't use header('location:loginform.php'); since then it goes into an infinite loop, because htaccess will again call login.php and login.php will call the login form. Never-ending loop. So I am using include_once.

This is the first problem.

The next problem is that after a successful login the index page shows a two-column layout page. Each column holds frames embedded inside it. The left frame holds a navigational menu which, when clicked, displays the content of the link in the right frame, i.e. in the second column.

When the session expires and any navigational link is clicked, due to include_once the login form is displayed inside the second frame. When the user enters valid credentials, the index page (with the 2-column layout) is again displayed in the right frame. Now we have two index pages: the main page and a second one inside the right frame.

How can I resolve this issue?



Hi Chris_Gralike,

I can't prepend prepend.php in php.ini since I want to authenticate for a specific folder only, not the whole folder structure. E.g. my folder structure is: inside the www root folder I have three folders: admin, phpmyadmin, products. Out of these I have to authenticate the products folder only. So I used the htaccess prepend directive.
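
One way to handle both problems described above, the redirect loop and the login form ending up inside the right-hand frame, shown as an added example that is not part of the original thread. The file name guard.php, the HOME_URL constant, the check_credentials() function and the form field names are assumptions made for the illustration.

```php
<?php
// guard.php: added illustration, not code from the thread. Set it as
// auto_prepend_file in the .htaccess of the protected folder only.
// Assumptions: HOME_URL, check_credentials() and the form field names.
const HOME_URL = '/products/index.php';   // page that builds the two-column frame layout

function check_credentials($user, $pass)
{
    // Placeholder: do the real lookup here, e.g. password_verify()
    // against a password hash stored in the database.
    return false;
}

session_start();

if (empty($_SESSION['logged_in'])) {
    $error = '';
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['user'], $_POST['passwd'])) {
        if (check_credentials($_POST['user'], $_POST['passwd'])) {
            session_regenerate_id(true);       // fresh session id after login
            $_SESSION['logged_in'] = true;
            header('Location: ' . HOME_URL);   // fixed target: reload the full layout
            exit;                              // nothing below may run
        }
        $error = 'Login failed.';
    }
    header('Cache-Control: no-store');
    // The form is printed in place of the requested page, so there is no
    // redirect to loginform.php and no loop. target="_top" makes the
    // submission replace the whole window even when this response was
    // loaded inside the right-hand frame, so the layout is never nested.
    ?>
    <form action="<?= htmlspecialchars(HOME_URL, ENT_QUOTES) ?>" method="post" target="_top">
      <p><?= htmlspecialchars($error, ENT_QUOTES) ?></p>
      <label>User <input type="text" name="user"></label>
      <label>Password <input type="password" name="passwd"></label>
      <input type="submit" value="Log in">
    </form>
    <?php
    exit;   // an unauthenticated request never reaches the protected page
}
```

The static .html pages only pass through this file when the AddType directive quoted in the thread is also present in the same .htaccess.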
ASKER CERTIFIED SOLUTION
Member_2_3684445
This solution is only available to members.
Any updates on this issue?

Rgrds,
Chris
I think the solution might be correct in this very very specific situation.

But on the other hand it will only confuse people who want to replace HTTP authentication with PHP scripting.

So I recommend this one to be closed / deleted with possibly a refund.

Rgrds, Chris