I'm attempting to implement user authentication using HTTP on an Apache server (that isn't my own). The plan is that if a user successfully authenticates, they're directed from a page outside the restricted folder to one that is. I've made appropriate .htaccess files to restrict directories, and .htpasswd files to allow users in. From the many examples out there, I understand calling
header('WWW-Authenticate...
header('HTTP...
, grabbing the $_SERVER['PHP_AUTH_... variables, and comparing those against the username/password combinations in a database. What I don't understand, and haven't seen addressed, though, is this: what happens when a new user needs to be added? It's easy to add a new username/password to the database, but getting to an HTTP-restricted page also requires that the new username/password combination be in the appropriate .htpasswd file. If that's the case, it seems like I need to update .htpasswd every time I add a new user, which seems to defeat the purpose of using a database in the first place. Is there something I'm missing?
Thank you in advance for your time.
User authentication using db when new user added
- jaoudestudios
- DevNet Resident
- Posts: 1483
- Joined: Wed Jun 18, 2008 8:32 am
- Location: Surrey
Re: User authentication using db when new user added
You restrict access with a .htaccess file or with the use of a database. You don't use both.
Using a .htaccess file is easier to implement but not as flexible as a user table in the database.
Re: User authentication using db when new user added
Ah. OK, that helps, but the reason I needed .htaccess and .htpasswd was to keep users from getting to my restricted html files by just typing in the name of the appropriate folder as a URL. For example, in my case, I start users out at
/dir/login.php
and authentication should get them to
/dir/protected/protected_start.php
If I don't use .ht*, how do I stop this? And more importantly, how do I make sure that whatever solution that does stop this still allows php to get to those restricted files/folders? (I'm using ob_start(), ob_end_flush(), and header() to redirect.)
- jaoudestudios
Re: User authentication using db when new user added
At the top of the pages you want secure, have a function that checks to make sure the user has logged in correctly and if not fires them back to the login page - so the page does not even get built unless the user is allowed to view the page.
Re: User authentication using db when new user added
Or, you could check the referer variable.
if ($_SERVER['HTTP_REFERER'] != "protected/protected_start.php") { /* redirect them to an error page */ }
Last edited by ody3307 on Fri Aug 01, 2008 5:33 pm, edited 1 time in total.
- jaoudestudios
Re: User authentication using db when new user added
That's not really secure. I would set a variable after the user logs in and then check it on the following page; this will allow you to expand the system in the future.
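The login check and post-login variable described in the replies above, sketched with PHP sessions (an added example, not code from any poster in this thread). The file name auth.php, the session key user_id, the users table with username and password_hash columns, and HTTPS delivery are all assumptions. The session value is stored on the server, whereas the Referer header is supplied by the client.

```php
<?php
// auth.php: added example. File name, session key and table layout are assumptions.
declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // 'secure' assumes the site is served over HTTPS.
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax', 'secure' => true]);
        session_start();
    }
}

// Called from /dir/login.php when the login form is posted.
function attempt_login(PDO $db, string $username, string $password): bool
{
    // Assumed schema: users(id, username, password_hash), hashes made with password_hash().
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    start_secure_session();
    session_regenerate_id(true);              // fresh session id once the user is authenticated
    $_SESSION['user_id'] = (int) $row['id'];  // the "variable set after the user logs in"
    return true;
}

// First statement of every page under /dir/protected/, e.g. protected_start.php:
//   require __DIR__ . '/../auth.php';
//   require_login();
function require_login(): void
{
    start_secure_session();
    if (!isset($_SESSION['user_id'])) {
        header('Location: /dir/login.php', true, 302);
        exit;  // stop here so the protected page is never built
    }
}
```

With this layout, adding a user is a single INSERT of the username and a password_hash() value into the users table; no .htpasswd entry is involved.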
Re: User authentication using db when new user added
That should do the trick. Thanks for the help!