Page 1 of 1

Force HTTP_AUTH?

Posted: Fri Jan 20, 2012 9:01 am
by CaliberWebMedia
I have this application which has three directories:

/ajax/
/ckeditor/
/upload/

Which all have security holes. I can .htaccess these folders no problem.

However, when a user logs into my application and tries to use any of these functions in said directories the application prompts for user/pass.

1. I know I can force the user/pass like so: <form action="http://user:pass@domain.com/cp/upload/php/index.php" method="POST">, but of course this exposes the username and password.

So, what I'm wondering: is it possible when my users log in to my application I can somehow log the users into the password protected directories too? Possibly using $_SERVER and $_SESSION vars? It just seems so much more "user friendly" to have them only log in once instead of prompting for a pw all the time.

Otherwise, I believe my application to be pretty secure.

Re: Force HTTP_AUTH?

Posted: Sat Jan 21, 2012 7:15 am
by Mordred
1. You should add authorization checks to your asynchronously accessed PHP code just like in any other PHP code you expose. There's no need to use a different authentication mechanism than the one you already use for your 'main' site anyway.
2. Depending on what your "security holes" in these directories are, this might not help entirely - you need protection against malicious authenticated users as much as you need protection against 'anonymous' ones