The background here is that I'm deploying a predominately XHTML site (.html files created from a CMS) and want to protect resources in a sub-directory. The server is running Red Hat and Apache, and has PHP 5.
Before I go any further I want to clarify some terms, in case somebody else is familiar with other definitions: Authentication is simply "is this a user in our system, and is this their password?", while Authorization is "does this user have access to this resource?".
For this project I want to handle the Authentication portion in PHP (with user accounts stored in a DB), and let Apache do the Authorization through Basic "HTTP Authentication" (.htaccess). This is so that I can protect all resources in a sub-directory, not just scripted pages (preventing hotlinking to images, PDFs, .html files, etc. within a protected directory).
Currently I have a directory successfully protected via .htaccess. Attempting to view anything in that directory brings up the standard login pop-up box. After entering my credentials, I can verify that the PHP_AUTH variables have been set:
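// Debug output only: escape the values, since they come straight from the request.
print("<p><b>User:</b> " . htmlspecialchars($_SERVER["PHP_AUTH_USER"], ENT_QUOTES, "UTF-8") . "</p>");
print("<p><b>Pass:</b> " . htmlspecialchars($_SERVER["PHP_AUTH_PW"], ENT_QUOTES, "UTF-8") . "</p>");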
Now the problem is this: I want to replace the standard HTTP Authentication login box with a .php page which will accept the user's name and password, do the authentication, and assign these PHP_AUTH variables to values which will allow Apache to serve them any files that user is authorized for (in the local .htaccess).
So, for example:
- Two users in .htpasswd: "basic" and "full"
- foo.com/members/.htaccess requires a valid user
- foo.com/admin/.htaccess only allows access from user "full"
- foo.com/login.php authenticates a user and password, and programmatically sets $_SERVER["PHP_AUTH_USER"] to either "basic" or "full", and sets PHP_AUTH_PW to the correct password.
- After a user visits foo.com/login.php they can view the appropriate protected content without having to login via HTTP Authentication's ugly popup box.
But the PHP_AUTH variables appear to be read-only, as:
$_SERVER["PHP_AUTH_USER"] = "test";
Executes fine, but doesn't have an impact on:
in another page.
Is there any way to programmatically log in a user, so that Apache will recognize their credentials?
Thanks in advance for any help.
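Why the assignment described in the question has no effect on a later page, as an added example that is not part of the original post: the PHP_AUTH entries are derived again on every request from the `Authorization` header the browser sends, which is also what Apache evaluates for the .htaccess rules. The function `auth_vars_for_request`, the header arrays and the credentials are hypothetical, constructed for illustration.

```php
<?php
// Added illustration, not code from the original post.
// Mimics how the PHP_AUTH_* entries are derived from the Authorization
// header of each individual request (RFC 7617 "Basic" scheme).

/**
 * Build the auth-related part of $_SERVER for ONE request.
 * $headers is a constructed stand-in for what the browser sent.
 */
function auth_vars_for_request(array $headers)
{
    $server = array();
    if (!isset($headers['Authorization'])) {
        return $server;                  // no header => no PHP_AUTH_* keys
    }
    // Expect "Basic <base64(user:pass)>"
    if (!preg_match('/^Basic\s+(\S+)$/i', $headers['Authorization'], $m)) {
        return $server;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return $server;                  // malformed credentials
    }
    // Split on the first colon only: the password may itself contain ':'
    list($user, $pass) = explode(':', $decoded, 2);
    $server['PHP_AUTH_USER'] = $user;
    $server['PHP_AUTH_PW']   = $pass;
    return $server;
}

// Request 1: login.php, the browser sent no Authorization header.
$request1 = auth_vars_for_request(array());
$request1['PHP_AUTH_USER'] = 'test';     // the assignment from the post

// Request 2: another page, same browser, still no header. The value set
// during request 1 lived only in that request's array and is gone.
$request2 = auth_vars_for_request(array());
var_dump(isset($request2['PHP_AUTH_USER']));

// Request 3: the browser answered a 401 challenge (constructed credentials).
$request3 = auth_vars_for_request(array(
    'Authorization' => 'Basic ' . base64_encode('basic:s3cret:with:colons'),
));
var_dump($request3);
```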