html, user logins and secure directories

Posted: Wed Jul 13, 2005 2:29 pm
by titaniumdoughnut
Hello everyone! I'm new here, and half-way new to PHP. :)

Anyway, here's an issue which has been puzzling me for a while. I have a client who wants a front page with a login box. Users will enter a name and password and then the server should direct them to their own custom directory which has been set up in advance. Easy enough so far BUT the files in the directory are HTML (if you could call it that, the guy makes them in Word!) and obviously can't check for authentication before displaying. Security is not an enormous concern as these are boring and non-confidential corporate documents, but there should at least be an attempt at it.

The way I see it, I have two options:

First option. I could place the various directories on the server and lock them through C-Panel and then try to write a script that verifies the name and password, selects the appropriate directory and logs into it (thus bypassing the browser's built in login box) but I don't know if it is possible.

Secondly, I could write a script that matches the name and pw to an internal list, uses a session or a cookie to verify "logged-in-ness" and sends the user to a "fileview.php?user=bob&page=index" sort of page.

This page would call up the contents of the HTML files from deep within the bowels of the server, copy them to a text variable, loop through and change the links to "fileview.php?user=bob&page=pagename" and then print it to the browser. This way the user never knows the real URL of the files, and the php script won't show anything without the authentication cookie (or session). Images might pose a problem, but I'll tackle them when the time comes.

Any thoughts on this? Am I (in my relative newbiness) overlooking some obvious methods? Thanks :)

Posted: Wed Jul 13, 2005 2:40 pm
by Burrito
two options you have:
.htaccess or php authentication.

after reading your post, gather you want to use the second I do.

create the directories with the usernames you could, check against the session var they obtain after logging in for a match you should. If it matches, display the contents it will, if it does not, display a "No access here chump" message you can.

work with images this scenario will.

Posted: Wed Jul 13, 2005 3:05 pm
by titaniumdoughnut
heheh, I gather it's Wednesday :D

Thanks! Now, how exactly would the session ID work? Would I still need to do what I mentioned with a php page to call up the contents of the html files? or can session IDs somehow be used to block/allow access to directories/files?

In my technique someone could theoretically find (and distribute) the URL of the directory by viewing the source and finding the img tags. I guess I'd just put the HTML files in a nested folder and turn off virtual directory listing.

Posted: Wed Jul 13, 2005 3:11 pm
by Burrito
for "secure" sites, use url vars you should not:

set session vars you should, call them with the $_SESSION[] array you can:

ex:

Code:

session_start();
// this assumes log in credentials passed from the database
$_SESSION['username'] = $row['username'];
// you can now use the $_SESSION[] associative array and call 'username' wherever you want.
echo $_SESSION['username'];

in the above example, set a session var for the username I have, check that value against the url (folder) you can. Determine if they should be there it will.

Posted: Wed Jul 13, 2005 3:14 pm
by titaniumdoughnut
Clever! Thanks :)

I'm going to read up on sessions and try to have this working soon. When you said images would work, is what I posted above what you had in mind, or is there a more elegant solution?

Posted: Wed Jul 13, 2005 3:44 pm
by theda
I think I should do that too, but I don't have a server (I'm too cheap to purchase webhosting) that allows SESSIONS. <_< But I guess I should read up on it. Burrito is 1337.

Posted: Wed Jul 13, 2005 3:45 pm
by Burrito
considered the images idea more carefully I have, work using the above it will not if visiting an image like this you are:

http://www.mysite.com/bob/bobsimage.jpg

//where "bob" is the username.

create a php page that displayed the image using header() you could. Then work using the above it will.
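
The gatekeeper page suggested above, as an added example that is not part of the original thread: it takes the directory name from the session rather than the URL, confines the requested file to that directory, and sends HTML or images with header(). The script name serve.php, the PRIVATE_ROOT path, the "file" parameter and the username character set are assumptions for illustration.

```php
<?php
// serve.php (added example): serves a logged-in user's own HTML pages and images.
// Assumptions: the login code has set $_SESSION['username']; files live in PRIVATE_ROOT/<username>/.
const PRIVATE_ROOT = '/home/site/private_docs';   // hypothetical path, kept outside the web root
const MIME_TYPES = [
    'html' => 'text/html', 'htm' => 'text/html',
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif', 'png' => 'image/png',
];

// Return the absolute path of $requested inside the user's directory, or null if it must not be served.
function resolve_user_file(string $root, string $username, string $requested): ?string
{
    // Usernames become directory names, so accept only a conservative character set (assumed policy).
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $username)) {
        return null;
    }
    $userDir = realpath($root . '/' . $username);
    $path = realpath($root . '/' . $username . '/' . $requested);
    if ($userDir === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() has resolved "../" and symlinks; the result must still sit under the user's directory.
    if (strncmp($path, $userDir . DIRECTORY_SEPARATOR, strlen($userDir) + 1) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return isset(MIME_TYPES[$ext]) ? $path : null;   // unlisted file types are refused
}

session_start();
if (empty($_SESSION['username'])) {
    http_response_code(403);
    exit('No access here');
}
$requested = is_string($_GET['file'] ?? null) ? $_GET['file'] : 'index.html';
$path = resolve_user_file(PRIVATE_ROOT, $_SESSION['username'], $requested);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: ' . MIME_TYPES[strtolower(pathinfo($path, PATHINFO_EXTENSION))]);
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($path));
readfile($path);
```

Links and img tags in the stored HTML then point at serve.php?file=bobsimage.jpg instead of /bob/bobsimage.jpg. Because the directory comes from the session, editing the query string cannot reach another user's folder.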

Posted: Wed Jul 13, 2005 5:05 pm
by titaniumdoughnut
Brilliant that is. Thank you, I do.

(darnit! catching it is!)