User authentication using db when new user added

Posted: Fri Aug 01, 2008 3:25 pm
by jonmack3
I'm attempting to implement user authentication using HTTP on an Apache server (that isn't my own). The plan is that if a user successfully authenticates, they're directed from a page outside the restricted folder to one that is. I've made appropriate .htaccess files to restrict directories, and .htpasswd files to allow users in. From the many examples out there, I understand calling

header('WWW-Authenticate...
header('HTTP...

, grabbing the $_SERVER['PHP_AUTH_... variables, and comparing those against the username/password combinations in a database. What I don't understand, and haven't seen addressed, though, is this: what happens when a new user needs to be added? It's easy to add a new username/password to the database, but getting to an HTTP-restricted page also requires that the new username/password combination be in the appropriate .htpasswd file. If that's the case, it seems like I need to update .htpasswd every time I add a new user, which seems to defeat the purpose of using a database in the first place. Is there something I'm missing?

Thank you in advance for your time.

Re: User authentication using db when new user added

Posted: Fri Aug 01, 2008 4:20 pm
by jaoudestudios
You restrict access with a .htaccess file or with the use of a database. You don't use both.

Using a .htaccess file is easier to implement but not as flexible as a user table in the database.

Re: User authentication using db when new user added

Posted: Fri Aug 01, 2008 4:33 pm
by jonmack3
Ah. OK, that helps, but the reason I needed .htaccess and .htpasswd was to keep users from getting to my restricted html files by just typing in the name of the appropriate folder as a URL. For example, in my case, I start users out at

/dir/login.php

and authentication should get them to

/dir/protected/protected_start.php

If I don't use .ht*, how do I stop this? And more importantly, how do I make sure that whatever solution does stop this still allows PHP to get to those restricted files/folders? (I'm using ob_start(), ob_end_flush(), and header() to redirect.)

Re: User authentication using db when new user added

Posted: Fri Aug 01, 2008 5:04 pm
by jaoudestudios
At the top of the pages you want secure, have a function that checks to make sure the user has logged in correctly and, if not, fires them back to the login page - so the page does not even get built unless the user is allowed to view the page.

Re: User authentication using db when new user added

Posted: Fri Aug 01, 2008 5:16 pm
by ody3307
Or, you could check the referer variable.
if ($_SERVER['HTTP_REFERER'] != "protected/protected_start.php") { /* then redirect them to an error page */ }

Re: User authentication using db when new user added

Posted: Fri Aug 01, 2008 5:20 pm
by jaoudestudios
That's not really secure. I would set a variable after the user logs in and then check it on the following page; this will allow you to expand the system in the future.
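
The approach suggested in the replies above (a check at the top of each protected page, backed by a variable set at login), as an added example that is not part of the original thread. It assumes PHP 7.3 or later, HTTPS, a `users` table with `username` and `password_hash` columns, a session key named `user_id`, and a shared file called `auth.php`; all of these names are hypothetical.

```php
<?php
declare(strict_types=1);
// auth.php: added example, not code from the thread. Assumed names: users
// table (username, password_hash), session key 'user_id', /dir/login.php.

function start_secure_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // 'secure' assumes the site is served over HTTPS.
        session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

// Credentials are checked against the database only, so adding a user
// means inserting a row; no .htpasswd file is involved.
function attempt_login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    start_secure_session();
    session_regenerate_id(true);            // discard the pre-login session id
    $_SESSION['user_id'] = (int) $row['id']; // stored server-side, unlike Referer
    return true;
}

// Call as the first statement of every page under /dir/protected/.
function require_login(): int {
    start_secure_session();
    if (!isset($_SESSION['user_id'])) {
        header('Location: /dir/login.php');
        exit; // without this the rest of the page still runs and is sent
    }
    return $_SESSION['user_id'];
}

// In /dir/protected/protected_start.php (hypothetical layout):
//   require __DIR__ . '/../auth.php';
//   $userId = require_login();
// In /dir/login.php, after a form POST:
//   if (attempt_login($db, $_POST['username'], $_POST['password'])) {
//       header('Location: /dir/protected/protected_start.php');
//       exit;
//   }
```

A check like this only runs for requests that PHP handles. Static .html files in the protected folder are served by Apache directly, so they need to be served through a PHP script or kept outside the web root.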

Re: User authentication using db when new user added

Posted: Sat Aug 02, 2008 6:01 pm
by jonmack3
That should do the trick. Thanks for the help!