Authenticate user after removing htaccess HTTP AUTH

Hi,
Earlier we had HTTP authentication using htaccess to access web pages, which include dynamic PHP pages as well as static HTML pages. So whenever we had to access the dynamic pages and/or static pages, the user had to enter his credentials.

But now, to integrate with another application, we removed this authentication. So I kept one login page which accepts user credentials. I have used the htaccess directive

php_value auto_prepend_file C:/xampp/htdocs/login.php,

which is called at the start of each request. This file checks the logged-in session value; if it is set to true, it allows access to other pages, otherwise the login page appears.

The home page is divided into two columns, both having frames inside them. The left frame holds navigational menus; clicking one refreshes the right frame with the clicked page without refreshing the entire page. The page which appears in the right frame is from a directory holding static HTML pages.

Now the problem is that when a user tries to access dynamic pages like index.php and the session doesn't exist, it asks for login (as we have mentioned in htaccess to append the login.php file at every request), but when the session doesn't exist, the left-right frame navigation works without asking for login.

It seems that the above htaccess rule doesn't work for accessing static HTML pages using frames.

Can anyone tell me what the problem is, or suggest a better alternative solution?
teenashah Asked:
 
Chris Gralike (Specialist) Commented:
I think you need to use a physical folder structure to distinguish protected and non-protected content, i.e.

/protected/
/
/others/

Also you can use the "include"  as an alternative to header(location).

You can also use header(location) if prepended file knows how to handle it, i.e.

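In this example I assume that all the unprotected content is within a folder, but you can also turn this around, i.e. put all the protected content in a folder.

// Prefix match on the URI: a plain substring match would also accept
// '/unprotected/' when it only appears later in the URL (e.g. in the query string).
if(strpos($_SERVER['REQUEST_URI'], '/unprotected/') !== 0){
        // Do all the authentication stuff

        if(!$auth){
                // And because login.php is located inside the /unprotected folder
                // the auth prepend is ignored because of the first if condition.
                header('location:/unprotected/login.php');
                exit; // stop here so the protected page is not sent after the redirect
        }
}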
                 
               
0
 
teenashah (Author) Commented:
Hi

Above issue has been partially resolved by adding one more directive to htaccess i.e.

AddType application/x-httpd-php .html .htm
php_value auto_prepend_file C:/xampp/htdocs/login.php

This resolved earlier issue that it is not asking login for static html pages. But now when there is no logged in session value, then it displays login form inside column 2 frame of the page. When user enters valid user credentials then it again displays 2 column layout index page inside column 2 and this goes on.

Any solution?
0
 
Chris Gralike (Specialist) Commented:
If the user hasn't logged in, what should happen?
What's the technical design that the application should follow?
If the user is visiting the default location, is the login required?




0
 
Chris Gralike (Specialist) Commented:
In any account, you could write your own handler this way catching all requests to the server, validate and serve them based on xx condition. Here is just a simple example.


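<?php

$protected = array('/test.php','/index.php');

// Compare the path only; REQUEST_URI also carries the query string.
$req  = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
// Resolve the request under the document root so "../" cannot escape it.
$root = realpath($_SERVER['DOCUMENT_ROOT']);
$file = realpath($root . $req);
$found = $file !== false
        && strpos($file, $root . DIRECTORY_SEPARATOR) === 0
        && is_file($file);

if(in_array($req, $protected)){
        session_start();
        // $_SESSION always exists after session_start(), so test the login
        // flag (logged_in, the name used elsewhere in this thread) instead.
        if(empty($_SESSION['logged_in'])){
                echo "File is protected!\r\n";
        }else{
                // handle Login //
                if($found){
                        // bla handle the file see below... //
                }
        }
}else{
        if($found){
                if($fp = fopen($file, 'r')){
                        $cont = fread($fp, filesize($file));
                        print_r($cont);
                        fclose($fp);
                }else{
                        echo "File not found, sorry! \r\n";
                        exit;
                }
        }else{
                echo "File not found, sorry! \r\n";
        }
}
?>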


0
 
teenashah (Author) Commented:
Hi Chris_Gralike,

If the user is not logged in then the login page has to be displayed to the user, for which I have written the htaccess directive

AddType application/x-httpd-php .html .htm
php_value auto_prepend_file C:/xampp/htdocs/login.php

Inside the login.php page I am including a code spec in which I am checking a simple SESSION value, say logged_in. If it is not set to true then, using the include function, I am displaying the login form, which when submitted validates against the DB, outputs a true/false value and sets the session value logged_in accordingly. I am using the following code spec in the login.php file:


$objAuth = new Authentication();
$is_auth = $objAuth->is_authenticated();
if (!$is_auth)
{
     include_once("C:/xampp/htdocs/loginform.php");
     exit;
}

If the above code spec returns false then only we'll display the login form, otherwise the requested page will be displayed.
0
 
Chris Gralike (Specialist) Commented:
This should work as designed. I am assuming that the class Authentication is using session_start() and $_SESSION vars to track the session a user has?

I'm not sure how loginform.php is handled. But you could go about it like this.

Just check the session var (don't load the entire class if it isn't needed).
If not set? Then redirect to the login page, and set the request as a session var.
 

// login.php
<?php
session_start();
if(!isset($_SESSION['logged_in'])){
     $_SESSION['REQUEST_URI'] = $_SERVER['REQST_URI'];
     header('location:loginform.php');
     exit; // stop here, otherwise the requested page is still output
}
?>

// Loginform.php
<?php
// Start a session
session_start();

// Do all the login stuff
// If success then don't output anything, just redirect to the saved uri.
$_SESSION['logged_in'] = true;
header('location:'.$_SESSION['REQST_URI']);
exit;
?>


0
 
Chris Gralike (Specialist) Commented:
Typo:


 $_SESSION['REQUEST_URI'] = $_SERVER['REQST_URI'];
 
// Should be
 
 $_SESSION['REQST_URI'] = $_SERVER['REQUEST_URI'];


0
 
Chris Gralike (Specialist) Commented:
This is how it works for me... (this is a very basic example)

Just have a look at the Files, prepend.php is prepended in the php.ini




//prepend.php
<?php
session_start();
if(!isset($_SESSION['logged_in'])){
        if(!isset($_SESSION['RQST_URI'])){
                $_SESSION['RQST_URI'] = $_SERVER['REQUEST_URI'];
        }
        chdir('/');
        include('login.php');
        exit;
}
?>
// the included login.php
<?php
if(isset($_POST['submit'])){
        // My login procedure //
        if(trim($_POST['passwd']) === 'password'){
                $_SESSION['logged_in'] = true;
                header('location:'.$_SESSION['RQST_URI']);
                exit; // do not print the form again after the redirect
        }
}
// Show some basic login form //
// PHP_SELF is derived from the request URL, so escape it before output.
print('
<form action="'.htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES).'" method="POST">
     <label>Your passwd please</label>
     <input type="password" name="passwd" value="" />
     <input type="submit" name="submit" />
</form>
');
?>


0
 
teenashah (Author) Commented:
Hi Chris_Gralike,

Thanks for the code and explanation. But the thing is that the authentication code spec is working fine for me.
The problem is the way I have implemented it. Using htaccess I prepended login.php for each and every call.

AddType application/x-httpd-php .html .htm
php_value auto_prepend_file C:/xampp/htdocs/login.php

Suppose I am calling Index.php. As per the htaccess directive, login.php is called, where initially there won't be a logged_in session. So I have to include loginform.php using the above code spec.

$objAuth = new Authentication();
$is_auth = $objAuth->is_authenticated();
if (!$is_auth)
{
     include_once("C:/xampp/htdocs/loginform.php");
     exit;
}

I can't use header('location:loginform.php'); since then it goes into an infinite loop, because htaccess will again call login.php and login.php will call the login form. A never-ending loop. So I am using include_once.

This is the first problem.

The next problem is that after a successful login the index page shows a two-column layout page. Each column holds frames embedded inside it. The left frame holds a navigational menu which, when clicked, displays the content of the link in the right frame, i.e. in the second column.

When the session expires and any navigational link is clicked, due to include_once the login form is displayed inside the second frame. When the user enters valid credentials, the index page (with the 2-column layout) is again displayed in the right frame. Now we have two index pages: one the main page and the second one inside the right frame.

How can I resolve this issue?



0
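An added example, not part of the original thread and not either participant's code: a prepend gate that handles both the redirect loop and the login-form-inside-a-frame behaviour described in the two posts above. The paths `/loginform.php` and `/index.php`, the session keys, and the use of the browser's `Sec-Fetch-Dest` request header are assumptions.

```php
<?php
// Added example, not code from the thread. Paths and session keys are assumptions.
const LOGIN_PATH    = '/loginform.php'; // assumed login page, exempt from the gate
const FRAMESET_PATH = '/index.php';     // assumed two-column frameset page

// Accept only a same-site path as the post-login target.
function safe_return_path($uri)
{
    // "//host" and "/\host" resolve to another origin in browsers;
    // control characters could split the Location header.
    if (!is_string($uri) || !preg_match('#^/(?![/\\\\])[^\x00-\x1f\x7f]*$#D', $uri)) {
        return FRAMESET_PATH;
    }
    return $uri;
}

// True when the browser reports that the request is filling a frame.
// Sec-Fetch-Dest is only sent by current browsers; absent means unknown.
function is_frame_request(array $server)
{
    $dest = isset($server['HTTP_SEC_FETCH_DEST']) ? $server['HTTP_SEC_FETCH_DEST'] : '';
    return in_array(strtolower($dest), array('frame', 'iframe'), true);
}

// Decide what the prepended file does: array(action, return path to remember).
function gate(array $server, $loggedIn)
{
    $path = parse_url($server['REQUEST_URI'], PHP_URL_PATH);
    if ($loggedIn || $path === LOGIN_PATH) {
        return array('allow', null); // exempting the login page breaks the redirect loop
    }
    // A page requested inside a frame only makes sense inside the frameset,
    // so after login go back to the frameset rather than to the frame content.
    $back = is_frame_request($server) ? FRAMESET_PATH : safe_return_path($server['REQUEST_URI']);
    return array('login', $back);
}

if (PHP_SAPI !== 'cli') { // wiring, as it would run from auto_prepend_file
    session_start();
    list($action, $back) = gate($_SERVER, !empty($_SESSION['logged_in']));
    if ($action === 'login') {
        $_SESSION['RQST_URI'] = $back;
        header('Location: ' . LOGIN_PATH);
        exit; // stop here, or the protected page is still sent after the header
    }
}
```

The login page's `<form>` would carry `target="_top"` so that the login response replaces the whole window instead of loading inside the right frame, and the login handler would call `session_regenerate_id(true)` before setting `logged_in`.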
 
teenashah (Author) Commented:
Hi Chris_Gralike,

I can't prepend prepend.php in php.ini since I want to authenticate for a specific folder only, not the whole folder structure. For example, my folder structure is: inside the www root folder I have three folders: admin, phpmyadmin, products. Out of these I have to authenticate the products folder only. So I used the htaccess prepend directive.
0
 
Chris Gralike (Specialist) Commented:
Any updates on this issue?

Rgrds,
Chris
0
 
Chris Gralike (Specialist) Commented:
I think the solution might be correct in this very very specific situation.

But on the other hand will only confuse people that want to replace http authentication with PHP scripting.

So I recommend this one to be closed / deleted with possibly a refund.

Rgrds, Chris
0
Question has a verified solution.
