
bypassing HTTP authentication with PHP

Posted: Fri Feb 21, 2003 1:33 pm
by decoy1
I have a particular directory that I want to password protect to prevent accessing it by typing the path in a browser.

However, I would like to be able to let visitors of my site view the contents of the directory, but only via links on my site. Is it possible to bypass the HTTP authentication with something like this...

Code:

if($HTTP_REFERER) 
{ 
  //set $PHP_AUTH_USER and $PHP_AUTH_PW with the correct username and password 
} 
else 
{ 
  // throw up username/password box 
  header('WWW-Authenticate: Basic realm="Restricted"'); 
  header('HTTP/1.0 401 Unauthorized'); 
  echo 'Authorization Required'; 
  exit(); 
}

I figured that I could include something like this on the page with links to files in the protected directory to ensure that they are coming from my domain. If they are, I can set the $PHP_AUTH_USER and $PHP_AUTH_PW globals with the proper credentials and let 'em in, otherwise .htaccess would protect it from outsiders.

I think I could solve this by using access control (order, allow, deny) on the server, but I don't have access.

Anyone done something like this or have any input?

Thanks :)

Posted: Fri Feb 21, 2003 7:34 pm
by McGruff
A quick and somewhat uninformed answer is that referrer can't be trusted. It can be altered, I think.

Hopefully someone who knows more than me can tell you more.

Posted: Fri Feb 21, 2003 10:21 pm
by decoy1
Yeah, I really only needed something secure enough to dissuade maybe the not-so-experienced, curious types from snooping around. The files in the directory I want protected are fully accessible anyway, I just wanted to force them through the front door to be able to track users, target ads, etc.

Having said all that, I've come up with several other checks that do make it more secure if need be.

I kinda wanted to know if this was something others had done because I hadn't seen it before.

Thanks

Posted: Sat Feb 22, 2003 1:41 am
by lazy_yogi
You could do it with sessions

From your page, set a session
then from other pages :
if session was set, display it .. else display some other page


put this into your main page with the links
... must be at the top with no spaces before the <?

Code:

<?php
       // Start (or resume) the session and mark the visitor as having come through this page
       session_start();
       $_SESSION['logged_in'] = 1;
?>

put this in your other pages :

Code:

<?php
      session_start();
      // Visitors who did not come through the main page have no flag set
      if (empty($_SESSION['logged_in'])) {
              // display default page
              exit;
      }

      // display your stuff here
?>
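
The session check suggested above only runs inside PHP pages, so files that the web server hands out directly are not covered by it. The following is an added example, not part of the original thread, of a gate script that applies the same `$_SESSION['logged_in']` flag to the files themselves; the script name `gate.php`, the `f` parameter, the `/index.php` front page and the directory path are assumptions.

```php
<?php
// gate.php - added example; names and paths are assumptions.
// Linked from the main page as gate.php?f=report.pdf. The main page is
// assumed to have set $_SESSION['logged_in'] = 1 as in the post above.
session_start();

// Assumed location of the protected files, kept outside the web root so
// they cannot be fetched by typing a path into the browser.
const PROTECTED_DIR = '/var/www/private_files';

function resolve_protected_file(string $baseDir, string $requested): ?string
{
    // basename() drops any directory part of the requested name.
    $name = basename($requested);
    if ($name === '' || $name[0] === '.') {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves symlinks; the result must stay inside $base.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

// No flag means the visitor did not come through the main page.
if (empty($_SESSION['logged_in'])) {
    header('Location: /index.php', true, 302);
    exit;
}

// Reject array-style parameters (f[]=...) before treating the value as a name.
$requested = is_string($_GET['f'] ?? null) ? $_GET['f'] : '';
$path = resolve_protected_file(PROTECTED_DIR, $requested);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

$downloadName = str_replace('"', '', basename($path));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $downloadName . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The flag only shows that the visitor loaded the main page in this browser session; it is not a login.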