User authentication using db when new user added

jonmack3
Forum Newbie
Posts: 6
Joined: Wed Jul 30, 2008 6:12 pm

User authentication using db when new user added

Post by jonmack3 »

I'm attempting to implement user authentication using HTTP on an Apache server (that isn't my own). The plan is that if a user successfully authenticates, they're directed from a page outside the restricted folder to one that is. I've made appropriate .htaccess files to restrict directories, and .htpasswd files to allow users in. From the many examples out there, I understand calling

header('WWW-Authenticate...
header('HTTP...

, grabbing the $_SERVER['PHP_AUTH_... variables, and comparing those against the username/password combinations in a database. What I don't understand, and haven't seen addressed, though, is this: what happens when a new user needs to be added? It's easy to add a new username/password to the database, but getting to an HTTP-restricted page also requires that the new username/password combination be in the appropriate .htpasswd file. If that's the case, it seems like I need to update .htpasswd every time I add a new user, which seems to defeat the purpose of using a database in the first place. Is there something I'm missing?

Thank you in advance for your time.
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: User authentication using db when new user added

Post by jaoudestudios »

You restrict access with a .htaccess file or with the use of a database. You don't use both.

Using a .htaccess file is easier to implement but not as flexible as a user table in the database.
jonmack3
Forum Newbie
Posts: 6
Joined: Wed Jul 30, 2008 6:12 pm

Re: User authentication using db when new user added

Post by jonmack3 »

Ah. OK, that helps, but the reason I needed .htaccess and .htpasswd was to keep users from getting to my restricted html files by just typing in the name of the appropriate folder as a URL. For example, in my case, I start users out at

/dir/login.php

and authentication should get them to

/dir/protected/protected_start.php

If I don't use .ht*, how do I stop this? And more importantly, how do I make sure that whatever solution that does stop this still allows php to get to those restricted files/folders? (I'm using ob_start(), ob_end_flush(), and header() to redirect.)
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: User authentication using db when new user added

Post by jaoudestudios »

At the top of the pages you want secure, have a function that checks to make sure the user has logged in correctly and if not fires them back to the login page - so the page does not even get built unless the user is allowed to view the page.
ody3307
Forum Newbie
Posts: 21
Joined: Wed Jul 30, 2008 7:29 am

Re: User authentication using db when new user added

Post by ody3307 »

Or, you could check the referer variable.
if ($_SERVER['HTTP_REFERER'] != "protected/protected_start.php") { /* then redirect them to an error page */ }
Last edited by ody3307 on Fri Aug 01, 2008 5:33 pm, edited 1 time in total.
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: User authentication using db when new user added

Post by jaoudestudios »

That's not really secure. I would set a variable after the user logs in and then check it on the following page; this will allow you to expand the system in the future.
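
The check described in the replies above (a function at the top of each protected page, testing a variable set at login), as an added example that is not part of the original thread. The file name auth.php and a users table with id, username and password_hash columns are assumptions; the paths are the ones from the question.

```php
<?php
declare(strict_types=1);
// auth.php: added example. Table and column names are assumptions.
// Uses password_hash()/password_verify(), available in PHP 5.5 and later.

// Check submitted credentials against the users table and, on success,
// mark the server-side session as authenticated. Returns true on success.
function attempt_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Same result for "no such user" and "wrong password".
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);      // issue a fresh session id after login
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// The gate's decision as a pure function of the session data.
// Unlike HTTP_REFERER, which the client sends and can set to any value,
// this data is stored on the server and only written by attempt_login().
function is_logged_in(array $session): bool
{
    return isset($session['user_id']) && is_int($session['user_id']);
}

// Call at the very top of every protected page, before any output.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!is_logged_in($_SESSION)) {
        header('Location: /dir/login.php');
        exit;                         // stop here: the page body is never built
    }
}

// In /dir/protected/protected_start.php (first lines of the file):
//     require __DIR__ . '/../auth.php';
//     require_login();
// In /dir/login.php, after session_start() and a form POST:
//     if (attempt_login($db, $_POST['username'], $_POST['password'])) { ...redirect... }
```

With this gate in place, adding a user means inserting one row with a password_hash() value into the table; no .htpasswd entry is involved.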
jonmack3
Forum Newbie
Posts: 6
Joined: Wed Jul 30, 2008 6:12 pm

Re: User authentication using db when new user added

Post by jonmack3 »

That should do the trick. Thanks for the help!