  1. #1
    New Coder
    Join Date
    Aug 2009
    Posts
    17
    Thanks
    4
    Thanked 1 Time in 1 Post

    Programmatically setting PHP_AUTH_* variables

    The background here is that I'm deploying a predominately XHTML site (.html files created from a CMS) and want to protect resources in a sub-directory. The server is running Redhat and Apache, and has PHP 5.

    Before I go any further I want to clarify some terms, in case somebody else is familiar with other definitions: Authentication is simply "is this a user in our system, and is this their password?", while Authorization is "does this user have access to this resource?".

    For this project I want to handle the Authentication portion in PHP (with user accounts stored in a DB), and let Apache do the Authorization through Basic "HTTP Authentication" (.htaccess). This is so that I can protect all resources in a sub-directory, not just scripted pages (preventing hotlinking to images, PDFs, .html files, etc. within a protected directory).

    Currently I have a directory successfully protected via .htaccess. Attempting to view anything in that directory brings up the standard login pop-up box. After entering my credentials, I can verify that the PHP_AUTH variables have been set:

    PHP Code:
    print("<p><b>User:</b> " . $_SERVER["PHP_AUTH_USER"] . "</p>");
    print("<p><b>Pass:</b> " . $_SERVER["PHP_AUTH_PW"] . "</p>");
    Now the problem is this: I want to replace the standard HTTP Authentication login box with a .php page which will accept the user's name and password, do the authentication, and assign these PHP_AUTH variables to values which will allow Apache to serve them any files that user is authorized for (in the local .htaccess).

    So, for example:

    • Two users in .htpasswd : "basic", and "full"
    • foo.com/members/.htaccess requires a valid user
    • foo.com/admin/.htaccess only allows access from user "full"
    • foo.com/login.php authenticates a user and password, and programmatically sets $_SERVER["PHP_AUTH_USER"] to either "basic" or "full", and sets PHP_AUTH_PW to the correct password.
    • After a user visits foo.com/login.php they can view the appropriate protected content without having to login via HTTP Authentication's ugly popup box.


    But the PHP_AUTH variables appear to be read-only, as:
    PHP Code:
    $_SERVER["PHP_AUTH_USER"] = "test";
    Executes fine, but doesn't have an impact on:
    PHP Code:
    print($_SERVER["PHP_AUTH_USER"]); 
    in another page.


    Is there any way to programmatically log in a user, so that Apache will recognize their credentials?

    Thanks in advance for any help.
    Last edited by DDaku; 09-10-2009 at 07:41 PM.

  • #2
    Senior Coder angst's Avatar
    Join Date
    Apr 2004
    Location
    Toronto, Ontario
    Posts
    2,114
    Thanks
    15
    Thanked 122 Times in 122 Posts
    why don't you just block hotlinking with htaccess and mod-rewrite, something like this;

    Code:
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
    RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
    more info on that: http://www.google.ca/search?hl=en&so...q=.htaccess+ho

    then just allow normal php login using session?

  • Users who have thanked angst for this post:

    DDaku (09-10-2009)

  • #3
    New Coder
    Join Date
    Aug 2009
    Posts
    17
    Thanks
    4
    Thanked 1 Time in 1 Post
    Thanks for the suggestion angst. Have to admit I haven't used mod-rewrite at all. Will look into it and test.

  • #4
    New Coder
    Join Date
    Aug 2009
    Posts
    17
    Thanks
    4
    Thanked 1 Time in 1 Post
    mod-rewrite did the trick!

    For reference for anyone else who might find this, I'd suggest reading through: http://altlab.com/htaccess_tutorial.html and then http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html

    I changed my .htaccess file in members/ from something like:
    Code:
    AuthUserFile /var/.htpasswd
    AuthGroupFile /dev/null
    AuthName LoginRequired
    AuthType Basic
    <Limit GET>
    require user test
    </Limit>
    To:

    Code:
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?MYDOMAIN\.com [NC]
    RewriteRule !\.php$ - [NC,F,L]
    Then I have members/index.php which contains a traditional PHP login script. When logged in, index.php contains links to documents within members/ which are only accessible when following a link from within my domain.
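
The Referer header is supplied by the client and some browsers omit it, so the rule above discourages hotlinking but does not tie a download to the logged-in session. The following is an added example, not code from this thread, of a session-checked file gateway that enforces the "basic"/"full" split from the first post. It assumes PHP 7.1 or later, a hypothetical `serve.php` with query parameter `f`, a hypothetical `PROTECTED_DIR` outside the web root, and that login.php stores the user name in `$_SESSION['user']`.

```php
<?php
// serve.php: added example, not code from the thread.
// Assumptions: login.php sets $_SESSION['user'] to "basic" or "full" after
// checking the password, and protected files live in PROTECTED_DIR, a
// hypothetical directory outside the web root (so no URL maps to them).
declare(strict_types=1);

const PROTECTED_DIR = '/var/www/private';  // hypothetical; holds members/ and admin/

// Canonicalise the requested name; return its path relative to $baseDir,
// or null if it is missing or resolves outside $baseDir.
function canonical_relative_path(string $baseDir, string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . '/' . $requested);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    // realpath() has resolved "../" and symlinks, so a prefix test is now safe.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0
        ? substr($full, strlen($prefix))
        : null;
}

// Authorization on the canonical path: "full" reads everything,
// "basic" reads everything except admin/.
function is_authorized($user, string $relPath): bool
{
    return $user === 'full'
        || ($user === 'basic' && strpos($relPath, 'admin' . DIRECTORY_SEPARATOR) !== 0);
}

session_start();
$requested = isset($_GET['f']) && is_string($_GET['f']) ? $_GET['f'] : '';
$relPath   = canonical_relative_path(PROTECTED_DIR, $requested);
$user      = $_SESSION['user'] ?? null;

if ($user === null) { header('Location: /login.php'); exit; }
if ($relPath === null || !is_authorized($user, $relPath)) {
    http_response_code(404);   // same answer for "missing" and "not allowed"
    exit('Not found');
}
$path = PROTECTED_DIR . '/' . $relPath;
header('Content-Type: ' . (mime_content_type($path) ?: 'application/octet-stream'));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Authorization runs on the canonical path rather than the raw parameter, so a request that reaches admin/ through "../" segments is judged as an admin/ request.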

  • #5
    Senior Coder angst's Avatar
    Join Date
    Apr 2004
    Location
    Toronto, Ontario
    Posts
    2,114
    Thanks
    15
    Thanked 122 Times in 122 Posts
    good work! gotta love htaccess w/mod-rewrite

