Force HTTP_AUTH?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
CaliberWebMedia
Forum Newbie
Posts: 4
Joined: Thu Nov 17, 2011 11:01 pm

Force HTTP_AUTH?

Post by CaliberWebMedia »

I have this application which has three directories:

/ajax/
/ckeditor/
/upload/

Which all have security holes. I can .htaccess these folders no problem.

However, when a user logs into my application and tries to use any of these functions in said directories the application prompts for user/pass.

1. I know I can force the user/pass like so: <form action="http://user:pass@domain.com/cp/upload/php/index.php" method="POST">, but of course this exposes the username and password.

So, what I'm wondering: is it possible when my users log in to my application I can somehow log the users into the password protected directories too? Possibly using $_SERVER and $_SESSION vars? It just seems so much more "user friendly" to have them only log in once instead of prompting for a pw all the time.

Otherwise, I believe my application to be pretty secure.
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Force HTTP_AUTH?

Post by Mordred »

1. You should add authorization checks to your asynchronously accessed PHP code just like in any other PHP code you expose. There's no need to use a different authentication mechanism than the one you already use for your 'main' site anyway.
2. Depending on what your "security holes" in these directories are, this might not help entirely - you need protection against malicious authenticated users as much as you need protection against 'anonymous' ones
Post Reply