I have this application which has three directories:
/ajax/
/ckeditor/
/upload/
Which all have security holes. I can .htaccess these folders no problem.
However, when a user logs into my application and tries to use any of these functions in said directories the application prompts for user/pass.
1. I know I can force the user/pass like so: <form action="http://user:pass@domain.com/cp/upload/php/index.php" method="POST">, but of course this exposes the username and password.
So, what I'm wondering: is it possible when my users log in to my application I can somehow log the users into the password protected directories too? Possibly using $_SERVER and $_SESSION vars? It just seems so much more "user friendly" to have them only log in once instead of prompting for a pw all the time.
Otherwise, I believe my application to be pretty secure.
Force HTTP_AUTH?
Moderator: General Moderators
Re: Force HTTP_AUTH?
1. You should add authorization checks to your asynchronously accessed PHP code just like in any other PHP code you expose. There's no need to use a different authentication mechanism than the one you already use for your 'main' site anyway.
2. Depending on what your "security holes" in these directories are, this might not help entirely - you need protection against malicious authenticated users as much as you need protection against 'anonymous' ones
2. Depending on what your "security holes" in these directories are, this might not help entirely - you need protection against malicious authenticated users as much as you need protection against 'anonymous' ones