  1. #1
    New Coder
    Join Date
    Mar 2009
    Posts
    65
    Thanks
    4
    Thanked 4 Times in 4 Posts

    PHP Authentication And .htaccess

    Ok so I've done a lot of searching on the web and I've decided to post here as I cannot find a solution to my problem.

    Getting php login authentication information passed on to, and verified by, .htaccess protected directories...

    What I want:

    • Users login through a login page
    • The login page is displayed through Lightview (this is not necessary at the moment)
    • To protect directories of video files with .htaccess files
    • To have the .htaccess file use a mysql database for username and password storage
    • To protect pages with authentication via php
    • To not have the popup window displayed for the .htaccess when accessing files in the protected directories


    Here's what I have so far:

    • I've successfully set up the login-logout system with php
    • Protected individual pages with php authentication using sessions


    Here's my problem:

    I cannot get the two systems to work together. What I want ideally is to have the user login within the login page, and be able to access the content in the .htaccess protected directories without the .htaccess window popping up. In essence I want the user authentication to be gathered in the login page to be passed on to the .htaccess prompt so that it doesn't open and automatically authenticates and allows an authenticated user to access the material.

    Is this even possible? Because both the php and .htaccess authentication systems are now set up to verify username and password combinations against a mysql database, then shouldn't it be possible to have the data from the login screen passed on to the .htaccess authentication? The reason I'm using this method is because I want my video files protected, and the only way I've been able to do that (preventing direct linking to files) is through the use of .htaccess, which I've set up to use the mysql database instead of the annoying, cumbersome, and less secure .htpasswd file. Thank you very much! Any help would be greatly appreciated!
    Last edited by mwgriffin; 05-22-2009 at 02:06 AM.
    MICHAEL GRIFFIN
    MWGRIFFIN.COM

  • #2
    New Coder
    Join Date
    Mar 2009
    Posts
    65
    Thanks
    4
    Thanked 4 Times in 4 Posts
    Ok so I found something that might help. I heard that you could store session information in a mysql database. If so, could the .htaccess file be directed to look in the mysql database for the session information? This would fix the issue, if it is possible, as the initial login would store the session information in the mysql database, the .htaccess file would then check the database for session information instead of what it normally does, then if there was no session active it would show the popup box, prompting the user to login. Possible???? Thanks!
    MICHAEL GRIFFIN
    MWGRIFFIN.COM

  • #3
    New Coder
    Join Date
    Mar 2009
    Posts
    65
    Thanks
    4
    Thanked 4 Times in 4 Posts
    Ok so I'm going to rephrase what I want, simply as this:

    How do I protect files (pictures, videos, zipped archives) from unauthenticated users viewing or downloading them? I need a security system that stops someone that has a direct link to a file from downloading it or viewing it unless they're authenticated. .htaccess files would work great but I'm having some issues setting them up with a database for password and username reference. That and the fact that I need to have the php sessions be used for the .htaccess files, so that a logged in user isn't prompted by a popup window asking for login information again when accessing a file in a protected directory. Any suggestions?
    MICHAEL GRIFFIN
    MWGRIFFIN.COM

  • #4
    Regular Coder sea4me's Avatar
    Join Date
    Jan 2009
    Location
    Damn, I don't know...
    Posts
    390
    Thanks
    11
    Thanked 28 Times in 27 Posts
    Place an .htaccess file in www.domain.com/downloads, and put this in it:

    <files *>
    Deny from all
    </files>

  • #5
    Super Moderator Inigoesdr's Avatar
    Join Date
    Mar 2007
    Location
    Florida, USA
    Posts
    3,647
    Thanks
    2
    Thanked 406 Times in 398 Posts
    Quote Originally Posted by mwgriffin View Post
    Ok so I found something that might help. I heard that you could store session information in a mysql database. If so, could the .htaccess file be directed to look in the mysql database for the session information? This would fix the issue, if it is possible, as the initial login would store the session information in the mysql database, the .htaccess file would then check the database for session information instead of what it normally does, then if there was no session active it would show the popup box, prompting the user to login. Possible???? Thanks!
    You can indeed store the session information in the database. However, you can't access a database with an .htaccess file because that is not its purpose. All it is used for is overriding the global Apache settings on a per-directory basis. It doesn't interact directly with other server elements, such as the database. Your best bet for preventing direct linking is referer checking, and that is sketchy at best. The referer can be set/changed by anyone, and will sometimes be blocked altogether by anti-spyware software.
    Quote Originally Posted by sea4me View Post
    Place an .htaccess file in www.domain.com/downloads, and put this in it:

    <files *>
    Deny from all
    </files>
    That is going to block all access to the files; legitimate or not.

  • #6
    Regular Coder sea4me's Avatar
    Join Date
    Jan 2009
    Location
    Damn, I don't know...
    Posts
    390
    Thanks
    11
    Thanked 28 Times in 27 Posts
    ya, put them in a downloads folder and use the server to access it... that way the guy can't download it but the server can still get it...

  • #7
    New Coder
    Join Date
    Mar 2009
    Posts
    65
    Thanks
    4
    Thanked 4 Times in 4 Posts
    Hey thanks for the info! sea4me, if I'm understanding you correctly, I can use php to serve those files out of that directory? If that will block all access to that folder period then it is of no use to me as I want authenticated members to be able to access that material in the folder... I find it odd how it is so difficult to set something like this up. How do commercial sites do it? I know that with many of them you must be authenticated to download material, and you cannot download the material even if you have the referer information. I really wish there was some way you could secure folders like you secure individual pages with php. Is there an option to put the files above the web root and then serve them from that location with php that only works when the user is logged in? That to me sounds feasible. Is that a possible way of doing it?
    MICHAEL GRIFFIN
    MWGRIFFIN.COM

  • #8
    Senior Coder timgolding's Avatar
    Join Date
    Aug 2006
    Location
    Southampton
    Posts
    1,519
    Thanks
    114
    Thanked 110 Times in 109 Posts
    Yeah that is how you do it with SESSIONS and HEADERS. You can use the download directory either above the doc root or deny all access with htaccess as shown above. Here is some example code:

    PHP Code:
    <?php
    session_start();
    // Only users whose login set $_SESSION["logged"] = 1 get past this line.
    if ($_SESSION["logged"] != 1) die("error");

    function get_file($filename)
    {
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        // basename() so the header carries the file name, not the server path
        header('Content-Disposition: attachment; filename=' . basename($filename));
        header('Content-Transfer-Encoding: binary');
        header('Expires: 0');
        header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
        header('Pragma: public');
        header('Content-Length: ' . filesize($filename));
        ob_clean();
        flush();
        readfile($filename);
        exit;
    }

    if (isset($_GET["file"])) {
        // some simple security: the requested name must exactly match a
        // directory entry, so "../" style names never match anything.
        $filename = stripslashes($_GET["file"]);
        $dir = '/direcotry/with/files';   // change this to the path to your files

        if ($handle = opendir($dir)) {
            while (false !== ($file = readdir($handle))) {
                if ($file == $filename && $file != "." && $file != "..") {
                    // pass the full path so readfile() reads from $dir
                    // rather than from the script's working directory
                    get_file($dir . '/' . $file);
                }
            }
            closedir($handle);
        }
    } else {
        die("no file was sent");
    }
    ?>
    That would work; all you'd have to change is this line if ($handle = opendir('/direcotry/with/files')) so that the string in here is the path to your files. Then to get the relevant file you just call
    download.php?file=filename.mp3 where download would be the name of this script file.
    However you must ensure that filename.mp3 is urlencoded for this to work and that your sessions set $_SESSION["logged"]=1; when the user logs in. Also if you only want to allow access to a certain file then you would have to do some other things with sessions and the validation part of this script.
    Last edited by timgolding; 05-23-2009 at 09:20 PM.
    You can not say you know how to do something, until you can teach it to someone else.

  • #9
    New Coder
    Join Date
    Mar 2009
    Posts
    65
    Thanks
    4
    Thanked 4 Times in 4 Posts
    Ok so I'm sure that method will work great for downloads. And thank you so much! My second question here is if I have a flash video player (I'm using the JW player) will the php script above be able to deliver the same files into the player if the url is urlencoded? If this would work then disregard what I'm going to say next. I had an idea and I don't know if this will work, but hear me out. What if I were to deny all access to a folder using the method described above with the .htaccess file. Then with a php function I was to stop it from being read when the user was logged in. This would make it so that the user would not be able to access the file unless logged in. The only problem with this is that it would have to ignore the file specifically for that user, and not disable the reading as a whole as disabling the file period would allow users to access the file when someone else was logged in.
    MICHAEL GRIFFIN
    MWGRIFFIN.COM

  • #10
    Regular Coder sea4me's Avatar
    Join Date
    Jan 2009
    Location
    Damn, I don't know...
    Posts
    390
    Thanks
    11
    Thanked 28 Times in 27 Posts
    No.

    You would have to change the headers to match the files to be able to give it to Flash.

    Here is an array of mimes:

    PHP Code:
    $mime_types = array("323" => "text/h323",
    "acx" => "application/internet-property-stream",
    "ai" => "application/postscript",
    "aif" => "audio/x-aiff",
    "aifc" => "audio/x-aiff",
    "aiff" => "audio/x-aiff",
    "asf" => "video/x-ms-asf",
    "asr" => "video/x-ms-asf",
    "asx" => "video/x-ms-asf",
    "au" => "audio/basic",
    "avi" => "video/x-msvideo",
    "axs" => "application/olescript",
    "bas" => "text/plain",
    "bcpio" => "application/x-bcpio",
    "bin" => "application/octet-stream",
    "bmp" => "image/bmp",
    "c" => "text/plain",
    "cat" => "application/vnd.ms-pkiseccat",
    "cdf" => "application/x-cdf",
    "cer" => "application/x-x509-ca-cert",
    "class" => "application/octet-stream",
    "clp" => "application/x-msclip",
    "cmx" => "image/x-cmx",
    "cod" => "image/cis-cod",
    "cpio" => "application/x-cpio",
    "crd" => "application/x-mscardfile",
    "crl" => "application/pkix-crl",
    "crt" => "application/x-x509-ca-cert",
    "csh" => "application/x-csh",
    "css" => "text/css",
    "dcr" => "application/x-director",
    "der" => "application/x-x509-ca-cert",
    "dir" => "application/x-director",
    "dll" => "application/x-msdownload",
    "dms" => "application/octet-stream",
    "doc" => "application/msword",
    "dot" => "application/msword",
    "dvi" => "application/x-dvi",
    "dxr" => "application/x-director",
    "eps" => "application/postscript",
    "etx" => "text/x-setext",
    "evy" => "application/envoy",
    "exe" => "application/octet-stream",
    "fif" => "application/fractals",
    "flr" => "x-world/x-vrml",
    "gif" => "image/gif",
    "gtar" => "application/x-gtar",
    "gz" => "application/x-gzip",
    "h" => "text/plain",
    "hdf" => "application/x-hdf",
    "hlp" => "application/winhlp",
    "hqx" => "application/mac-binhex40",
    "hta" => "application/hta",
    "htc" => "text/x-component",
    "htm" => "text/html",
    "html" => "text/html",
    "htt" => "text/webviewhtml",
    "ico" => "image/x-icon",
    "ief" => "image/ief",
    "iii" => "application/x-iphone",
    "ins" => "application/x-internet-signup",
    "isp" => "application/x-internet-signup",
    "jfif" => "image/pipeg",
    "jpe" => "image/jpeg",
    "jpeg" => "image/jpeg",
    "jpg" => "image/jpeg",
    "js" => "application/x-javascript",
    "latex" => "application/x-latex",
    "lha" => "application/octet-stream",
    "lsf" => "video/x-la-asf",
    "lsx" => "video/x-la-asf",
    "lzh" => "application/octet-stream",
    "m13" => "application/x-msmediaview",
    "m14" => "application/x-msmediaview",
    "m3u" => "audio/x-mpegurl",
    "man" => "application/x-troff-man",
    "mdb" => "application/x-msaccess",
    "me" => "application/x-troff-me",
    "mht" => "message/rfc822",
    "mhtml" => "message/rfc822",
    "mid" => "audio/mid",
    "mny" => "application/x-msmoney",
    "mov" => "video/quicktime",
    "movie" => "video/x-sgi-movie",
    "mp2" => "video/mpeg",
    "mp3" => "audio/mpeg",
    "mpa" => "video/mpeg",
    "mpe" => "video/mpeg",
    "mpeg" => "video/mpeg",
    "mpg" => "video/mpeg",
    "mpp" => "application/vnd.ms-project",
    "mpv2" => "video/mpeg",
    "ms" => "application/x-troff-ms",
    "mvb" => "application/x-msmediaview",
    "nws" => "message/rfc822",
    "oda" => "application/oda",
    "p10" => "application/pkcs10",
    "p12" => "application/x-pkcs12",
    "p7b" => "application/x-pkcs7-certificates",
    "p7c" => "application/x-pkcs7-mime",
    "p7m" => "application/x-pkcs7-mime",
    "p7r" => "application/x-pkcs7-certreqresp",
    "p7s" => "application/x-pkcs7-signature",
    "pbm" => "image/x-portable-bitmap",
    "pdf" => "application/pdf",
    "pfx" => "application/x-pkcs12",
    "pgm" => "image/x-portable-graymap",
    "pko" => "application/ynd.ms-pkipko",
    "pma" => "application/x-perfmon",
    "pmc" => "application/x-perfmon",
    "pml" => "application/x-perfmon",
    "pmr" => "application/x-perfmon",
    "pmw" => "application/x-perfmon",
    "pnm" => "image/x-portable-anymap",
    "pot" => "application/vnd.ms-powerpoint",
    "ppm" => "image/x-portable-pixmap",
    "pps" => "application/vnd.ms-powerpoint",
    "ppt" => "application/vnd.ms-powerpoint",
    "prf" => "application/pics-rules",
    "ps" => "application/postscript",
    "pub" => "application/x-mspublisher",
    "qt" => "video/quicktime",
    "ra" => "audio/x-pn-realaudio",
    "ram" => "audio/x-pn-realaudio",
    "ras" => "image/x-cmu-raster",
    "rgb" => "image/x-rgb",
    "rmi" => "audio/mid",
    "roff" => "application/x-troff",
    "rtf" => "application/rtf",
    "rtx" => "text/richtext",
    "scd" => "application/x-msschedule",
    "sct" => "text/scriptlet",
    "setpay" => "application/set-payment-initiation",
    "setreg" => "application/set-registration-initiation",
    "sh" => "application/x-sh",
    "shar" => "application/x-shar",
    "sit" => "application/x-stuffit",
    "snd" => "audio/basic",
    "spc" => "application/x-pkcs7-certificates",
    "spl" => "application/futuresplash",
    "src" => "application/x-wais-source",
    "sst" => "application/vnd.ms-pkicertstore",
    "stl" => "application/vnd.ms-pkistl",
    "stm" => "text/html",
    "svg" => "image/svg+xml",
    "sv4cpio" => "application/x-sv4cpio",
    "sv4crc" => "application/x-sv4crc",
    "t" => "application/x-troff",
    "tar" => "application/x-tar",
    "tcl" => "application/x-tcl",
    "tex" => "application/x-tex",
    "texi" => "application/x-texinfo",
    "texinfo" => "application/x-texinfo",
    "tgz" => "application/x-compressed",
    "tif" => "image/tiff",
    "tiff" => "image/tiff",
    "tr" => "application/x-troff",
    "trm" => "application/x-msterminal",
    "tsv" => "text/tab-separated-values",
    "txt" => "text/plain",
    "uls" => "text/iuls",
    "ustar" => "application/x-ustar",
    "vcf" => "text/x-vcard",
    "vrml" => "x-world/x-vrml",
    "wav" => "audio/x-wav",
    "wcm" => "application/vnd.ms-works",
    "wdb" => "application/vnd.ms-works",
    "wks" => "application/vnd.ms-works",
    "wmf" => "application/x-msmetafile",
    "wps" => "application/vnd.ms-works",
    "wri" => "application/x-mswrite",
    "wrl" => "x-world/x-vrml",
    "wrz" => "x-world/x-vrml",
    "xaf" => "x-world/x-vrml",
    "xbm" => "image/x-xbitmap",
    "xla" => "application/vnd.ms-excel",
    "xlc" => "application/vnd.ms-excel",
    "xlm" => "application/vnd.ms-excel",
    "xls" => "application/vnd.ms-excel",
    "xlt" => "application/vnd.ms-excel",
    "xlw" => "application/vnd.ms-excel",
    "xof" => "x-world/x-vrml",
    "xpm" => "image/x-xpixmap",
    "xwd" => "image/x-xwindowdump",
    "z" => "application/x-compress",
    "zip" => "application/zip"); 

  • #11
    New Coder
    Join Date
    Mar 2009
    Posts
    65
    Thanks
    4
    Thanked 4 Times in 4 Posts
    So would this work if the file was a .mp4 video file? (I changed the content type to the appropriate mime type...)

    PHP Code:
    <?php
    session_start();
    if ($_SESSION["logged"] != 1) die("error");

    function get_file($filename)
    {
        header('Content-Description: File Transfer');
        // Modified content
        // note: the registered MIME type for .mp4 files is video/mp4;
        // video/mpeg is the type for .mpg/.mpeg files
        header('Content-Type: video/mpeg');
        //
        header('Content-Disposition: attachment; filename=' . basename($filename));
        header('Content-Transfer-Encoding: binary');
        header('Expires: 0');
        header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
        header('Pragma: public');
        header('Content-Length: ' . filesize($filename));
        ob_clean();
        flush();
        readfile($filename);
        exit;
    }

    if (isset($_GET["file"])) {
        // some simple security: the requested name must exactly match a
        // directory entry, so "../" style names never match anything.
        $filename = stripslashes($_GET["file"]);
        $dir = '/direcotry/with/files';   // change this to the path to your files

        if ($handle = opendir($dir)) {
            while (false !== ($file = readdir($handle))) {
                if ($file == $filename && $file != "." && $file != "..") {
                    // pass the full path so readfile() reads from $dir
                    get_file($dir . '/' . $file);
                }
            }
            closedir($handle);
        }
    } else {
        die("no file was sent");
    }
    ?>
    MICHAEL GRIFFIN
    MWGRIFFIN.COM
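    A hardened version of the session-gated delivery script from posts #8 and #11, added here as an example; it is not code from the thread or from any of its posters. It assumes the files live in a directory outside the web root (the FILE_ROOT path below is a placeholder to change), that the login code sets $_SESSION['logged'] = 1 as post #8 requires, and an optional inline query parameter (an assumption of this example) that switches Content-Disposition from attachment to inline so a player such as the JW Player can fetch the file directly. MIME_TYPES is a short constructed subset of the kind of table sea4me posted, keyed by extension; the registered type for .mp4 is video/mp4, and unknown extensions fall back to application/octet-stream.

```php
<?php
// Added example, not from the thread: session-gated file delivery with
// path confinement and per-extension MIME types.
declare(strict_types=1);

const FILE_ROOT = '/var/www/protected_files'; // assumed path: change to your directory

// Constructed extension -> MIME map; extend as needed.
// video/mp4 is the registered type for .mp4, video/mpeg is for .mpg/.mpeg.
const MIME_TYPES = [
    'mp4'  => 'video/mp4',
    'mp3'  => 'audio/mpeg',
    'mpeg' => 'video/mpeg',
    'mpg'  => 'video/mpeg',
    'flv'  => 'video/x-flv',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'zip'  => 'application/zip',
    'pdf'  => 'application/pdf',
];

function mime_for(string $filename): string
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return MIME_TYPES[$ext] ?? 'application/octet-stream';
}

// Resolve the requested name to a real file inside $root, or return null.
// basename() drops any directory part (so "../" and absolute paths are gone),
// and the realpath() prefix check rejects anything that still resolves outside
// the root, for example a symlink placed in the directory.
function resolve_protected_file(string $requested, string $root = FILE_ROOT): ?string
{
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $realRoot = realpath($root);
    $realFile = realpath($root . DIRECTORY_SEPARATOR . $name);
    if ($realRoot === false || $realFile === false || !is_file($realFile)) {
        return null;
    }
    if (strncmp($realFile, $realRoot . DIRECTORY_SEPARATOR, strlen($realRoot) + 1) !== 0) {
        return null;
    }
    return $realFile;
}

function send_file(string $path, bool $inline): void
{
    $name = str_replace('"', '', basename($path));
    header('Content-Type: ' . mime_for($name));
    // inline lets a player stream the file; attachment forces a download dialog
    $disposition = $inline ? 'inline' : 'attachment';
    header('Content-Disposition: ' . $disposition . '; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: private, no-store');
    header('X-Content-Type-Options: nosniff');
    if (ob_get_level() > 0) {
        ob_end_clean();   // discard any buffered output so the file bytes are clean
    }
    readfile($path);
}

// The session check runs before any file is touched.
session_start();
if (empty($_SESSION['logged']) || $_SESSION['logged'] !== 1) {
    http_response_code(403);
    exit('not logged in');
}
// ?file[]=x would arrive as an array; insist on a string.
if (!isset($_GET['file']) || !is_string($_GET['file'])) {
    http_response_code(400);
    exit('no file was sent');
}
$path = resolve_protected_file($_GET['file']);
if ($path === null) {
    http_response_code(404);
    exit('no such file');
}
send_file($path, isset($_GET['inline']));
```

    Call it as download.php?file=clip.mp4&inline=1 from the player, or without inline for a download dialog. Compared with the directory scan in post #8, basename() plus the realpath() prefix check confines every request to the one directory and also rejects symlinks that point outside it, and because the session check comes first an unauthenticated request never reads the file at all. The files themselves stay unreachable by direct URL either because they sit above the document root or because the directory carries the deny-all .htaccess from post #4, which only stops Apache from serving them while PHP can still read them.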

