bypassing HTTP authentication with PHP

decoy1
Forum Commoner
Posts: 50
Joined: Fri Feb 21, 2003 1:33 pm
Location: St. Louis

bypassing HTTP authentication with PHP

Post by decoy1 »

I have a particular directory that I want to password protect to prevent accessing it by typing the path in a browser.

However, I would like to be able to let visitors of my site view the contents of the directory, but only via links on my site. Is it possible to bypass the HTTP authentication with something like this...

Code:

if($HTTP_REFERER) 
{ 
  //set $PHP_AUTH_USER and $PHP_AUTH_PW with the correct username and password 
} 
else 
{ 
  // throw up username/password box 
  header('WWW-Authenticate: Basic realm="Restricted"'); 
  header('HTTP/1.0 401 Unauthorized'); 
  echo 'Authorization Required'; 
  exit(); 
}

I figured that I could include something like this on the page with links to files in the protected directory to ensure that they are coming from my domain. If they are, I can set the $PHP_AUTH_USER and $PHP_AUTH_PW globals with the proper credentials and let 'em in, otherwise .htaccess would protect it from outsiders.

I think I could solve this by using access control (order, allow, deny) on the server, but I don't have access.

Anyone done something like this or have any input?

Thanks :)
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

A quick and somewhat uninformed answer is that referrer can't be trusted. It can be altered, I think.

Hopefully someone who knows more than me can tell you more.
decoy1
Forum Commoner
Posts: 50
Joined: Fri Feb 21, 2003 1:33 pm
Location: St. Louis

Post by decoy1 »

Yeah, I really only needed something secure enough to dissuade maybe the not so experienced, curious types from snooping around. The files in the directory I want protected are fully accessible anyway, I just wanted to force them through the front door to be able to track users, target ads, etc.

Having said all that, I've come up with several other checks that do make it more secure if need be.

I kinda wanted to know if this was something others had done because I hadn't seen it before.

Thanks
lazy_yogi
Forum Contributor
Posts: 243
Joined: Fri Jan 24, 2003 3:27 am

Post by lazy_yogi »

You could do it with sessions

From your page, set a session,
then from other pages:
if the session was set, display it .. else display some other page

Put this into your main page with the links
... must be at the top with no spaces before the <?

Code:

<?php
session_start();
$_SESSION['logged_in'] = 1;
?>

Put this in your other pages:

Code:

<?php
session_start();
if (empty($_SESSION['logged_in'])) {
    // display default page
    exit;
}

// display your stuff here
?>
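
The session check above only runs on PHP pages, so the files in the protected directory still need a PHP script in front of them. The sketch below is an added example, not code from any poster in this thread: a gate script that serves a file only when the session flag from the links page is present. It assumes the directory cannot be fetched by direct URL (it sits outside the web root or keeps its .htaccess password); the script name download.php, the `file` parameter, the PROTECTED_DIR path and the /index.php redirect target are all hypothetical.

```php
<?php
// download.php: hypothetical gate script (added example, not from the thread).
// Assumes the links page has already run:
//   session_start(); $_SESSION['logged_in'] = 1;

const PROTECTED_DIR = '/home/example/protected'; // assumed path, adjust to your host

// Resolve a requested name to a real file inside $baseDir, or return null.
function resolve_protected_file(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '') {
        return null;
    }
    // realpath() collapses "../" and symlinks, so the prefix check below
    // rejects anything that resolves outside the protected directory.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();

// The decision rests on server-side session state, not on the Referer
// header, which the client supplies with each request.
if (empty($_SESSION['logged_in'])) {
    header('Location: /index.php'); // assumed URL of the page that sets the flag
    exit;
}

$requested = isset($_GET['file']) && is_string($_GET['file']) ? $_GET['file'] : '';
$file = resolve_protected_file(PROTECTED_DIR, $requested);
if ($file === null) {
    http_response_code(404);
    exit('Not found');
}

// Keep only safe characters in the name echoed back in the response header.
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($file));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($file));
readfile($file);
```

Links on the main page would then point at download.php?file=NAME rather than at the directory itself.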