View Full Version : Resolved Programmatically setting PHP_AUTH_* variables

09-10-2009, 03:37 PM
The background here is that I'm deploying a predominately XHTML site (.html files created from a CMS) and want to protect resources in a sub-directory. The server is running Redhat and Apache, and has PHP 5.

Before I go any further I want to clarify some terms, in case somebody else is familiar with other definitions: Authentication is simply "is this a user in our system, and is this their password?", while Authorization is "does this user have access to this resource?".

For this project I want to handle the Authentication portion in PHP (with user accounts stored in a DB), and let Apache do the Authorization through Basic "HTTP Authentication" (.htaccess). This is so that I can protect all resources in a sub-directory, not just scripted pages (preventing hotlinking to images, pdfs, .html files, etc within a protected directory).

Currently I have a directory successfully protected via .htaccess . Attempting to view anything in that directory brings up the standard login pop-up box. After entering my credentials, I can verify that the PHP_AUTH variables have been set:

print("<p><b>User:</b> " . $_SERVER["PHP_AUTH_USER"] . "</p>");
print("<p><b>Pass:</b> " . $_SERVER["PHP_AUTH_PW"] . "</p>");

Now the problem is this: I want to replace the standard HTTP Authentication login box with a .php page which will accept the user's name and password, do the authentication, and assign these PHP_AUTH variables to values which will allow Apache to serve them any files that user is authorized for (in the local .htaccess).

So, for example:

Two users in .htpasswd : "basic", and "full"
foo.com/members/.htaccess requires a valid user
foo.com/admin/.htaccess only allows access from user "full"
foo.com/login.php authenticates a user and password, and programmatically sets $_SERVER["PHP_AUTH_USER"] to either "basic" or "full", and sets PHP_AUTH_PW to the correct password.
After a user visits foo.com/login.php they can view the appropriate protected content without having to login via HTTP Authentication's ugly popup box.

But the PHP_AUTH variables appear to be read-only, as:

$_SERVER["PHP_AUTH_USER"] = "test";
Executes fine, but doesn't have an impact on:

in another page.

Is there any way to programmatically log in a user, so that Apache will recognize their credentials?

Thanks in advance for any help.

09-10-2009, 03:48 PM
why don't you just block hotlinking with htaccess and mod-rewrite, something like this;

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

more info on that: http://www.google.ca/search?hl=en&source=hp&q=.htaccess+hotlink+protection&btnG=Google+Search&meta=&aq=3&oq=.htaccess+ho

then just allow normal php login using session?

09-10-2009, 03:55 PM
Thanks for the suggestion angst. Have to admit I haven't used mod-rewrite at all. Will look into it and test.

09-10-2009, 08:39 PM
mod-rewrite did the trick!

For reference for anyone else who might find this, I'd suggest reading through: http://altlab.com/htaccess_tutorial.html and then http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html

I changed my .htaccess file in members/ from something like:

AuthUserFile /var/.htpasswd
AuthGroupFile /dev/null
AuthName LoginRequired
AuthType Basic
<Limit GET>
require user test


RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?MYDOMAIN.com [NC]
RewriteRule !\.php$ - [NC,F,L]

Then I have members/index.php which contains a traditional PHP login script. When logged in, index.php contains links to documents within members/ which are only accessible when following a link from within my domain.

09-10-2009, 08:40 PM
good work! gotta love htaccess w/mod-rewrite ;)