PHP and htaccess how?

Posted: Thu Apr 22, 2010 11:10 pm
by iansane
Hi,

I have a login script for a php data access web app for which I got some help here on login and email.

Now I need to block access from the url to any other files in the web apps directory.

I know how to use includes and have a vague idea of htaccess and htpasswd but I'm wondering if there is a way to pass a password from php to the htpasswd file instead of keeping a password file for htpasswd to use.

The reason I ask is because there is already a username and password database the login script uses to authenticate so I don't want the administrator having to add users to both the database and another password file.

Basically authenticate one time and have access to all the other html and php files in the directory. Fail to authenticate and access nothing but the login page.

Am I making any sense? lol I'm a little confused.

Thanks for any advice

Re: PHP and htaccess how?

Posted: Fri Apr 23, 2010 1:22 am
by Bind
While you certainly may be able to sync visitor login credentials between your PHP application's database user tables and .htpasswd, why would you want to, considering you cannot automate logins through HTTP Authentication (HTTP_AUTH) to prevent the double login?

Just stream the files to the authenticated users from the protected directories using PHP's fopen(), header(), and fpassthru(). This can be done from anywhere in your directory structure.

It will still keep your directories and files protected from unwanted access while removing the need for a double login, with your PHP application's authentication controlling the process.

1. Ensure the user is logged in to your PHP application.
2. Authenticate the user level (if applicable in a multi-user-level system), i.e. system admin, site admin, editor, journalist, moderator, registered paying customer, registered non-paying subscriber, visitor, etc.
3. Parse the URI for the requested document identifier or URI link (your-website.com/download.php?id=####).
4. Open the file with PHP using fopen().
5. Set the appropriate header()s.
6. Spit out the file to the visitor using fpassthru().
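
The six steps above as one script. This is an added example, not code from the thread; the session keys `user_id` and `level`, the `$files` catalogue, the `protected` directory and `login.php` are assumptions. It needs PHP 7.1 or later.

```php
<?php
// download.php?id=N  (added example; names and paths below are assumptions)
session_start();

// Step 1: require a logged-in session set by the application's login script.
if (empty($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}

// Hypothetical catalogue: id => [file name, minimum user level, MIME type].
// Looking files up by id means user input never becomes part of a path.
$files = [
    1 => ['report.pdf', 1, 'application/pdf'],
    2 => ['logo.png',   1, 'image/png'],
    3 => ['audit.csv',  5, 'text/csv'],
];
$protectedDir = __DIR__ . '/protected';   // directory covered by "deny from all"

// Step 3: parse the id; anything that is not a known integer id is a 404.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!is_int($id) || !isset($files[$id])) {
    http_response_code(404);
    exit('Not found');
}
[$name, $minLevel, $mime] = $files[$id];

// Step 2: check the user's level against the file's requirement.
if ((int)($_SESSION['level'] ?? 0) < $minLevel) {
    http_response_code(403);
    exit('Forbidden');
}

// Step 4: open in binary mode and fail cleanly if the file is missing.
$path = $protectedDir . '/' . $name;
$fp = @fopen($path, 'rb');
if ($fp === false) {
    http_response_code(404);
    exit('Not found');
}

// Step 5: headers. nosniff stops browsers from second-guessing the type.
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $name . '"');
header('X-Content-Type-Options: nosniff');

// Step 6: stream the file to the visitor.
fpassthru($fp);
```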

Re: PHP and htaccess how?

Posted: Fri Apr 23, 2010 2:05 am
by iansane
Thanks Bind

As with most of the questions I've been asking here lately I see there is a lot I need to understand.

I'll do some research on all that you listed above.

What I'm trying to avoid is any reason for the admin (won't be me) to have to set up user names in more than one place. That's why I wanted to restrict access based on the 1st login.

Maybe my question should have been, how do I make it so the user logs in once and no one else can access pages through the url?

Right now the log in page authenticates and redirects to the home page but I can still just change the url and it takes me to the home page which defeats the purpose of a log in page. I want to stop that from happening.

Re: PHP and htaccess how?

Posted: Fri Apr 23, 2010 3:08 pm
by iansane
This is more confusing than I thought.

I got htaccess working after a few hours and now get the forbidden page from the url.

I'm trying to figure out fopen() and fpassthru() though.

I have this now

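Code:

<?php
// Stream a protected HTML file through PHP.
$name = './html/home.html';
$fp = fopen($name, 'rb');
if ($fp === false) {
    // File missing or unreadable: stop instead of passing false to fpassthru().
    header('HTTP/1.1 404 Not Found');
    exit;
}

header("Content-Type: text/html");
header("Content-Length: " . filesize($name));

// Send the file contents to the browser.
fpassthru($fp);
exit;
?>

It passes the html through but with none of the images. Do I need to add another header for the images and how would I do that?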

Thanks

Re: PHP and htaccess how?

Posted: Fri Apr 23, 2010 4:31 pm
by iansane
Also, if I use anything besides "deny from all" in my htaccess file I get a server configuration error telling me to contact my administrator when I'm on my own system. So I don't know what is going on there.

If I add the "allow line" like this

Code:

#deny outside users
order deny, allow
deny from all
allow from <???>

I get the error but with just the "deny from all" line it works and I get the "Forbidden" error page.
For "allow all" I've tried the domain, IP, and localhost but can't tell if any of them work because of the server error.

I know this isn't specific to php but hoping someone can tell me how to do this since it's for php pages.

Re: PHP and htaccess how?

Posted: Mon Apr 26, 2010 12:54 am
by Bind
Why are you streaming the html?

The html should be protected with your application's (php) login authentication and be placed outside of the protected directories.

If they are html files, rename them to PHP and include login authentication for deciding accessibility.

If you do not want to or can't change html to php, set your server's php.ini to parse html files for php code, or add additional .htaccess code for the server to parse html files.

Example:

Code:

RemoveHandler .html .htm
AddType application/x-httpd-php .php .htm .html

By streaming, protected files will simply download to the user upon authentication from the protected directories, and is not intended to be a display mechanism on a web page the visitor navigates to.

That said, your .htaccess code is fine and should be all-inclusive in denials unless you require scripted browser access to the protected directories, in which case HTTP_AUTH (.htaccess/.htpasswd) should suffice.

I will whip up a basic example application to show you what I mean when I have some time.

Re: PHP and htaccess how?

Posted: Sun May 09, 2010 9:41 am
by iansane
Thanks Bind,

At the time of this post I didn't know how to use php sessions and was trying to accomplish my task with htaccess.

I didn't want to have the browser ask for authentication when I already have a php login page. It would require the user to log in twice. That's why I was trying to restrict outside access and then stream the html only if the user was authenticated. Basically I was confused and did not know how to do what I was trying to do.

Now after reading up on php sessions I was able to get things working. The user can still manipulate the url to get to a page but every protected page starts with the session script that redirects them to the login page if they aren't already in a registered session.

Re: PHP and htaccess how?

Posted: Sun May 09, 2010 12:34 pm
by califdon
That's the standard way to do that. As long as you include the session authentication check in every script (you can use an include file to do that), you're pretty well protected.
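
The session check described in the last two posts, written as an include file. This is an added example, not code from the thread; the file name `auth_guard.php`, the session keys `user_id` and `last_seen`, the idle limit and `login.php` are assumptions, and the cookie options need PHP 7.3 or later.

```php
<?php
// auth_guard.php (added example): require_once this as the first line of
// every protected page, before any output is sent.
// Assumes the login script sets $_SESSION['user_id'] on success.
const IDLE_LIMIT = 1800; // assumed idle timeout in seconds

function session_is_valid(array $session, int $now): bool
{
    if (empty($session['user_id'])) {
        return false;                          // never logged in
    }
    $last = $session['last_seen'] ?? $now;     // first request after login
    return ($now - $last) <= IDLE_LIMIT;       // reject stale sessions
}

session_set_cookie_params([
    'httponly' => true,                                    // not readable from JavaScript
    'secure'   => ($_SERVER['HTTPS'] ?? 'off') !== 'off',  // HTTPS-only when served over HTTPS
    'samesite' => 'Lax',
]);
session_start();

if (!session_is_valid($_SESSION, time())) {
    $_SESSION = [];
    session_destroy();
    header('Location: login.php');
    exit;   // without exit, the rest of the protected page still runs and is sent
}
$_SESSION['last_seen'] = time();
```

A protected page then begins with `<?php require_once __DIR__ . '/auth_guard.php'; ?>`; a page that omits the include is served to anyone who types its URL.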