CodingForums.com > Server side development > PHP

Post #1, 05-21-2009, 10:44 PM
mwgriffin (New Coder)

PHP Authentication And .htaccess

Ok so I've done a lot of searching on the web and I've decided to post here as I cannot find a solution to my problem.

Getting php login authentication information passed on to, and verified by, .htaccess protected directories...

What I want:
  • Users login through a login page
  • The login page is displayed through Lightview (this is not necessary at the moment)
  • To protect directories of video files with .htaccess files
  • To have the .htaccess file use a mysql database for username and password storage
  • To protect pages with authentication via php
  • To not have the popup window displayed for the .htaccess when accessing files in the protected directories

Here's what I have so far:
  • I've successfully set up the login-logout system with php
  • Protected individual pages with php authentication using sessions

Here's my problem:

I cannot get the two systems to work together. What I want ideally is to have the user login within the login page, and be able to access the content in the .htaccess protected directories without the .htaccess window popping up. In essence I want the user authentication to be gathered in the login page to be passed on to the .htaccess prompt so that it doesn't open and automatically authenticates and allows an authenticated user to access the material.

Is this even possible? Because both the php and .htaccess authentication systems are now set up to verify username and password combinations against a mysql database, then shouldn't it be possible to have the data from the login screen passed on to the .htaccess authentication? The reason I'm using this method is because I want my video files protected, and the only way I've been able to do that (preventing direct linking to files) is through the use of .htaccess, which I've set up to use the mysql database instead of the annoying, cumbersome, and less secure .htpasswd file. Thank you very much! Any help would be greatly appreciated!
__________________
MICHAEL GRIFFIN
MWGRIFFIN.COM

Last edited by mwgriffin; 05-22-2009 at 02:06 AM.
Post #2, 05-21-2009, 10:54 PM
mwgriffin (New Coder)
Ok so I found something that might help. I heard that you could store session information in a mysql database. If so, could the .htaccess file be directed to look in the mysql database for the session information? This would fix the issue, if it is possible, as the initial login would store the session information in the mysql database, the .htaccess file would then check the database for session information instead of what it normally does, then if there was no session active it would show the popup box, prompting the user to login. Possible???? Thanks!
Post #3, 05-22-2009, 02:05 AM
mwgriffin (New Coder)
Ok so I'm going to rephrase what I want, simply as this:

How do I protect files (pictures, videos, zipped archives) from unauthenticated users viewing or downloading them? I need a security system that stops someone that has a direct link to a file from downloading it or viewing it unless they're authenticated. .htaccess files would work great but I'm having some issues setting them up with a database for password and username reference. That and the fact that I need to have the php sessions be used for the .htaccess files, so that a logged in user isn't prompted by a popup window asking for login information again when accessing a file in a protected directory. Any suggestions?
Post #4, 05-22-2009, 02:22 AM
sea4me (Regular Coder)
Place an .htaccess file in www.domain.com/downloads, and put this in it:

<files *>
Deny from all
</files>
Post #5, 05-22-2009, 03:26 AM
Inigoesdr (Moderator)
Quote:
Originally Posted by mwgriffin
Ok so I found something that might help. I heard that you could store session information in a mysql database. If so, could the .htaccess file be directed to look in the mysql database for the session information? This would fix the issue, if it is possible, as the initial login would store the session information in the mysql database, the .htaccess file would then check the database for session information instead of what it normally does, then if there was no session active it would show the popup box, prompting the user to login. Possible???? Thanks!
You can indeed store the session information in the database. However, you can't access a database with an .htaccess file because that is not its purpose. All it is used for is overriding the global Apache settings on a per-directory basis. It doesn't interact directly with other server elements, such as the database. Your best bet for preventing direct linking is referer checking, and that is sketchy at best. The referer can be set/changed by anyone, and will sometimes be blocked altogether by anti-spyware software.
Quote:
Originally Posted by sea4me
Place an .htaccess file in www.domain.com/downloads, and put this in it:

<files *>
Deny from all
</files>
That is going to block all access to the files; legitimate or not.
Post #6, 05-22-2009, 04:53 AM
sea4me (Regular Coder)
ya, put them in a downloads folder and use the server to access it... that way the guy can't download it but the server can still get it...
Post #7, 05-23-2009, 12:47 AM
mwgriffin (New Coder)
Hey thanks for the info! sea4me, if I'm understanding you correctly, I can use php to serve those files out of that directory? If that will block all access to that folder period then it is of no use to me as I want authenticated members to be able to access that material in the folder... I find it odd how it is so difficult to set something like this up. How do commercial sites do it? I know that with many of them you must be authenticated to download material, and you cannot download the material even if you have the referer information. I really wish there was some way you could secure folders like you secure individual pages with php. Is there an option to put the files above the web root and then serve them from that location with php that only works when the user is logged in? That to me sounds feasible. Is that a possible way of doing it?
Post #8, 05-23-2009, 01:16 AM
timgolding (Senior Coder)
Yeah that is how you do it with SESSIONS and HEADERS. You can use the download directory either above the doc root or deny all access with htaccess as shown above. Here is some example code:

PHP Code:
<?php
session_start();
// Only a logged-in session may fetch files; the login code is expected to set $_SESSION["logged"] = 1.
if (!isset($_SESSION["logged"]) || $_SESSION["logged"] != 1) die("error");

function get_file($filename)
{
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename=' . basename($filename));
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: ' . filesize($filename));
    ob_clean();
    flush();
    readfile($filename);
    exit;
}

if (isset($_GET["file"])) {
    // some simple security: the requested name must exactly match an entry in the protected directory,
    // so a name containing a directory part (e.g. "../x") never matches anything.
    $dir = '/direcotry/with/files';
    $filename = stripslashes($_GET["file"]);

    if ($handle = opendir($dir)) {
        while (false !== ($file = readdir($handle))) {
            if ($file == $filename && $file != "." && $file != "..") {
                // Pass the full path; readfile() on the bare name would be relative to the script's working directory.
                get_file($dir . '/' . $filename);
            }
        }
        closedir($handle);
    }
} else {
    die("no file was sent");
}
?>
That would work; all you'd have to change is this line: if ($handle = opendir('/direcotry/with/files')) so that the string in here is the path to your files. Then to get the relevant file you just call
download.php?file=filename.mp3 where download would be the name of this script file.
However you must ensure that filename.mp3 is urlencoded for this to work and that your sessions set $_SESSION["logged"]=1; when the user logs in. Also if you only want to allow access to a certain file then you would have to do some other things with sessions and the validation part of this script.
__________________
You can not say you know how to do something, until you can teach it to someone else.

Last edited by timgolding; 05-23-2009 at 09:20 PM.
Post #9, 05-23-2009, 10:06 PM
mwgriffin (New Coder)
Ok so I'm sure that method will work great for downloads. And thank you so much! My second question here is if I have a flash video player (I'm using the JW player) will the php script above be able to deliver the same files into the player if the url is urlencoded? If this would work then disregard what I'm going to say next. I had an idea and I don't know if this will work, but hear me out. What if I were to deny all access to a folder using the method described above with the .htaccess file. Then with a php function I was to stop it from being read when the user was logged in. This would make it so that the user would not be able to access the file unless logged in. The only problem with this is that it would have to ignore the file specifically for that user, and not disable the reading as a whole as disabling the file period would allow users to access the file when someone else was logged in.
Post #10, 05-23-2009, 10:57 PM
sea4me (Regular Coder)
No.

You would have to change the headers to match the files to be able to give it to Flash.

Here is an array of mimes:

PHP Code:
$mime_types = array("323" => "text/h323",
"acx" => "application/internet-property-stream",
"ai" => "application/postscript",
"aif" => "audio/x-aiff",
"aifc" => "audio/x-aiff",
"aiff" => "audio/x-aiff",
"asf" => "video/x-ms-asf",
"asr" => "video/x-ms-asf",
"asx" => "video/x-ms-asf",
"au" => "audio/basic",
"avi" => "video/x-msvideo",
"axs" => "application/olescript",
"bas" => "text/plain",
"bcpio" => "application/x-bcpio",
"bin" => "application/octet-stream",
"bmp" => "image/bmp",
"c" => "text/plain",
"cat" => "application/vnd.ms-pkiseccat",
"cdf" => "application/x-cdf",
"cer" => "application/x-x509-ca-cert",
"class" => "application/octet-stream",
"clp" => "application/x-msclip",
"cmx" => "image/x-cmx",
"cod" => "image/cis-cod",
"cpio" => "application/x-cpio",
"crd" => "application/x-mscardfile",
"crl" => "application/pkix-crl",
"crt" => "application/x-x509-ca-cert",
"csh" => "application/x-csh",
"css" => "text/css",
"dcr" => "application/x-director",
"der" => "application/x-x509-ca-cert",
"dir" => "application/x-director",
"dll" => "application/x-msdownload",
"dms" => "application/octet-stream",
"doc" => "application/msword",
"dot" => "application/msword",
"dvi" => "application/x-dvi",
"dxr" => "application/x-director",
"eps" => "application/postscript",
"etx" => "text/x-setext",
"evy" => "application/envoy",
"exe" => "application/octet-stream",
"fif" => "application/fractals",
"flr" => "x-world/x-vrml",
"gif" => "image/gif",
"gtar" => "application/x-gtar",
"gz" => "application/x-gzip",
"h" => "text/plain",
"hdf" => "application/x-hdf",
"hlp" => "application/winhlp",
"hqx" => "application/mac-binhex40",
"hta" => "application/hta",
"htc" => "text/x-component",
"htm" => "text/html",
"html" => "text/html",
"htt" => "text/webviewhtml",
"ico" => "image/x-icon",
"ief" => "image/ief",
"iii" => "application/x-iphone",
"ins" => "application/x-internet-signup",
"isp" => "application/x-internet-signup",
"jfif" => "image/pipeg",
"jpe" => "image/jpeg",
"jpeg" => "image/jpeg",
"jpg" => "image/jpeg",
"js" => "application/x-javascript",
"latex" => "application/x-latex",
"lha" => "application/octet-stream",
"lsf" => "video/x-la-asf",
"lsx" => "video/x-la-asf",
"lzh" => "application/octet-stream",
"m13" => "application/x-msmediaview",
"m14" => "application/x-msmediaview",
"m3u" => "audio/x-mpegurl",
"man" => "application/x-troff-man",
"mdb" => "application/x-msaccess",
"me" => "application/x-troff-me",
"mht" => "message/rfc822",
"mhtml" => "message/rfc822",
"mid" => "audio/mid",
"mny" => "application/x-msmoney",
"mov" => "video/quicktime",
"movie" => "video/x-sgi-movie",
"mp2" => "video/mpeg",
"mp3" => "audio/mpeg",
"mpa" => "video/mpeg",
"mpe" => "video/mpeg",
"mpeg" => "video/mpeg",
"mpg" => "video/mpeg",
"mpp" => "application/vnd.ms-project",
"mpv2" => "video/mpeg",
"ms" => "application/x-troff-ms",
"mvb" => "application/x-msmediaview",
"nws" => "message/rfc822",
"oda" => "application/oda",
"p10" => "application/pkcs10",
"p12" => "application/x-pkcs12",
"p7b" => "application/x-pkcs7-certificates",
"p7c" => "application/x-pkcs7-mime",
"p7m" => "application/x-pkcs7-mime",
"p7r" => "application/x-pkcs7-certreqresp",
"p7s" => "application/x-pkcs7-signature",
"pbm" => "image/x-portable-bitmap",
"pdf" => "application/pdf",
"pfx" => "application/x-pkcs12",
"pgm" => "image/x-portable-graymap",
"pko" => "application/ynd.ms-pkipko",
"pma" => "application/x-perfmon",
"pmc" => "application/x-perfmon",
"pml" => "application/x-perfmon",
"pmr" => "application/x-perfmon",
"pmw" => "application/x-perfmon",
"pnm" => "image/x-portable-anymap",
"pot" => "application/vnd.ms-powerpoint",
"ppm" => "image/x-portable-pixmap",
"pps" => "application/vnd.ms-powerpoint",
"ppt" => "application/vnd.ms-powerpoint",
"prf" => "application/pics-rules",
"ps" => "application/postscript",
"pub" => "application/x-mspublisher",
"qt" => "video/quicktime",
"ra" => "audio/x-pn-realaudio",
"ram" => "audio/x-pn-realaudio",
"ras" => "image/x-cmu-raster",
"rgb" => "image/x-rgb",
"rmi" => "audio/mid",
"roff" => "application/x-troff",
"rtf" => "application/rtf",
"rtx" => "text/richtext",
"scd" => "application/x-msschedule",
"sct" => "text/scriptlet",
"setpay" => "application/set-payment-initiation",
"setreg" => "application/set-registration-initiation",
"sh" => "application/x-sh",
"shar" => "application/x-shar",
"sit" => "application/x-stuffit",
"snd" => "audio/basic",
"spc" => "application/x-pkcs7-certificates",
"spl" => "application/futuresplash",
"src" => "application/x-wais-source",
"sst" => "application/vnd.ms-pkicertstore",
"stl" => "application/vnd.ms-pkistl",
"stm" => "text/html",
"svg" => "image/svg+xml",
"sv4cpio" => "application/x-sv4cpio",
"sv4crc" => "application/x-sv4crc",
"t" => "application/x-troff",
"tar" => "application/x-tar",
"tcl" => "application/x-tcl",
"tex" => "application/x-tex",
"texi" => "application/x-texinfo",
"texinfo" => "application/x-texinfo",
"tgz" => "application/x-compressed",
"tif" => "image/tiff",
"tiff" => "image/tiff",
"tr" => "application/x-troff",
"trm" => "application/x-msterminal",
"tsv" => "text/tab-separated-values",
"txt" => "text/plain",
"uls" => "text/iuls",
"ustar" => "application/x-ustar",
"vcf" => "text/x-vcard",
"vrml" => "x-world/x-vrml",
"wav" => "audio/x-wav",
"wcm" => "application/vnd.ms-works",
"wdb" => "application/vnd.ms-works",
"wks" => "application/vnd.ms-works",
"wmf" => "application/x-msmetafile",
"wps" => "application/vnd.ms-works",
"wri" => "application/x-mswrite",
"wrl" => "x-world/x-vrml",
"wrz" => "x-world/x-vrml",
"xaf" => "x-world/x-vrml",
"xbm" => "image/x-xbitmap",
"xla" => "application/vnd.ms-excel",
"xlc" => "application/vnd.ms-excel",
"xlm" => "application/vnd.ms-excel",
"xls" => "application/vnd.ms-excel",
"xlt" => "application/vnd.ms-excel",
"xlw" => "application/vnd.ms-excel",
"xof" => "x-world/x-vrml",
"xpm" => "image/x-xpixmap",
"xwd" => "image/x-xwindowdump",
"z" => "application/x-compress",
"zip" => "application/zip"); 
Post #11, 05-23-2009, 11:32 PM
mwgriffin (New Coder)
So would this work if the file was a .mp4 video file? (I changed the content type to the appropriate mime type...)

PHP Code:
<?php
session_start();
// Only a logged-in session may fetch files; the login code is expected to set $_SESSION["logged"] = 1.
if (!isset($_SESSION["logged"]) || $_SESSION["logged"] != 1) die("error");

function get_file($filename)
{
    header('Content-Description: File Transfer');
    // Modified content
    header('Content-Type: video/mpeg');
    //
    header('Content-Disposition: attachment; filename=' . basename($filename));
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: ' . filesize($filename));
    ob_clean();
    flush();
    readfile($filename);
    exit;
}

if (isset($_GET["file"])) {
    // some simple security: the requested name must exactly match an entry in the protected directory.
    $dir = '/direcotry/with/files';
    $filename = stripslashes($_GET["file"]);

    if ($handle = opendir($dir)) {
        while (false !== ($file = readdir($handle))) {
            if ($file == $filename && $file != "." && $file != "..") {
                // Pass the full path; readfile() on the bare name would be relative to the script's working directory.
                get_file($dir . '/' . $filename);
            }
        }
        closedir($handle);
    }
} else {
    die("no file was sent");
}
?>
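As an added example (not code from any post in this thread), here is one way to write the gated download script from post #8 so that it also covers the MIME question raised in posts #10 and #11: the media lives outside the web root, any requested name that does not resolve to a regular file inside that directory is refused, and the Content-Type is chosen from the extension (an .mp4 is video/mp4, not video/mpeg). The directory /var/www/protected_media, the `dl` query parameter and the $_SESSION["logged"] = 1 convention are assumptions.

```php
<?php
// Added example, not from the thread. Serves one file from a directory
// outside DocumentRoot to a logged-in session only, with a correct
// Content-Type so a browser or Flash/JW player can play it directly.
session_start();
if (!isset($_SESSION["logged"]) || $_SESSION["logged"] != 1) {
    http_response_code(403);
    exit("error");
}

// Assumed location of the protected media (outside the web root).
define('MEDIA_DIR', '/var/www/protected_media');

// Small subset of the extension -> MIME table from post #10, with mp4 added.
$mime_types = array(
    "mp4"  => "video/mp4",
    "flv"  => "video/x-flv",
    "mpeg" => "video/mpeg",
    "mp3"  => "audio/mpeg",
    "jpg"  => "image/jpeg",
    "zip"  => "application/zip",
);

if (!isset($_GET["file"])) {
    http_response_code(400);
    exit("no file was sent");
}

// basename() discards any directory part, so "../" cannot escape MEDIA_DIR;
// realpath() then proves the resolved file really sits inside that directory.
$name = basename($_GET["file"]);
$base = realpath(MEDIA_DIR);
$path = realpath(MEDIA_DIR . '/' . $name);
if ($base === false || $path === false || !is_file($path)
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit("no such file");
}

$ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
$mime = isset($mime_types[$ext]) ? $mime_types[$ext] : "application/octet-stream";

// "inline" lets a player stream the file; ?dl=1 forces a download instead.
$disposition = isset($_GET["dl"]) ? "attachment" : "inline";
$safe_name   = str_replace(array('"', "\r", "\n"), '', $name);

header('Content-Type: ' . $mime);
header('Content-Disposition: ' . $disposition . '; filename="' . $safe_name . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');
header('X-Content-Type-Options: nosniff');   // stop browsers second-guessing the MIME type

// Discard any buffered output so the bytes go out unmodified, then stream.
while (ob_get_level() > 0) {
    ob_end_clean();
}
readfile($path);
exit;
```

The check against `$base . DIRECTORY_SEPARATOR` is what makes the session gate meaningful: without it a symlink or an unexpected name could make the script read outside the media directory even though the caller is logged in.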
Tags
.htaccess, .htpasswd, authentication, login, php
