php HTTP authorize without prompt box

Posted: Sat Feb 18, 2006 7:02 pm
by knagode
Hi!

I wonder if there is a possibility to authorize a user (using something like HTTP authorization) to view a secured folder without typing a username and password into a prompt box.

e.g.: On the server I have a folder which requires authorization. I also have some script like login.php (outside the restricted folder, of course). Now I would like to do something like this:

if ($_POST["user"] == "bla bla" && $_POST["pass"] == "bla bla") {
    authorize_user_for_restricted_folder("username", "password");
}

One simple way to do this is to open a URL like http://user:pass@domainname.com with user/pass, but then it bothers me as the browser is telling me that I will authorize.


Does someone know a good solution?


P.S. Something like getfile.php?file=img.jpg wouldn't work in my case.

Posted: Sat Feb 18, 2006 7:10 pm
by josh
You can mod_rewrite stuff to go through a script that uses PHP sessions
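
The approach josh describes, sketched as an added example that is not part of the original thread. It assumes a rewrite rule maps /secure/<path> to gate.php?path=<path>; the names gate.php, PROTECTED_DIR, CONTENT_TYPES, /login.php and $_SESSION['is_admin'] are hypothetical.

```php
<?php
// gate.php - added example, not code from the thread.
// Assumptions: a rewrite rule maps /secure/<path> to gate.php?path=<path>,
// the files live outside the document root in PROTECTED_DIR, and login.php
// sets $_SESSION['is_admin'] = true after verifying the password.
const PROTECTED_DIR = '/var/www/private/secure'; // hypothetical location
const CONTENT_TYPES = [
    'html' => 'text/html; charset=utf-8', 'js' => 'application/javascript',
    'css'  => 'text/css', 'jpg' => 'image/jpeg', 'png' => 'image/png',
    'gif'  => 'image/gif',
];

// Map a requested relative path to a real file inside $baseDir. Returns null
// when the path escapes the directory (e.g. "../../etc/passwd"), does not
// exist, or is not a regular file.
function resolve_protected_path(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($requested, "\0") !== false) {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($full === false || !is_file($full)) {
        return null;
    }
    // After symlinks and ".." are resolved, the file must still be under base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

session_start();
if (empty($_SESSION['is_admin'])) {
    // No valid session: go to the login form; no HTTP auth prompt is shown.
    header('Location: /login.php', true, 302);
    exit;
}

$path = is_string($_GET['path'] ?? null) ? $_GET['path'] : '';
$file = resolve_protected_path(PROTECTED_DIR, $path);
if ($file === null) {
    http_response_code(404);
    exit('Not found');
}

// Serve with an explicit type so scripts and images load as if served directly.
$ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
header('Content-Type: ' . (CONTENT_TYPES[$ext] ?? 'application/octet-stream'));
header('Content-Length: ' . filesize($file));
header('X-Content-Type-Options: nosniff');
readfile($file);
```

Because the check runs on the server for every request, it does not depend on JavaScript and no credentials appear in any URL.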

Posted: Sat Feb 18, 2006 7:43 pm
by knagode
Yep. It is a good solution, but I don't like it as it works only on Apache.

I wonder if my problem could be solved with header();

Posted: Sat Feb 18, 2006 8:20 pm
by josh
You could put PHP directly in each file as long as you send the right content-type headers (and have PHP parse those file extensions)

Posted: Sun Feb 19, 2006 7:29 am
by AGISB
If you don't want to use the HTTP authorisation stuff, you need to place the authorisation routines in each and every file in that directory.

Posted: Sun Feb 19, 2006 9:08 am
by knagode
I have solved my problem using JavaScript. I use window.XMLHttpRequest and then I am calling the URL with username and password.
It is working fine and simple 8)

Posted: Sun Feb 19, 2006 4:04 pm
by jmut
knagode wrote: I have solved my problem using JavaScript. I use window.XMLHttpRequest and then I am calling the URL with username and password.
It is working fine and simple 8)

What happens if I turn off my JavaScript?

Posted: Sun Feb 19, 2006 5:38 pm
by knagode
I actually needed this to make some JavaScripts safer, and this script is not for all users - only for administrators. :wink:

Posted: Mon Feb 20, 2006 12:07 am
by AGISB
Administrators or not, JavaScript is a very bad idea when it comes to security. It can help, but you cannot rely on it. The administrators are the ones that most likely have scripting off.

Posted: Sun Mar 05, 2006 6:23 pm
by knagode
Hi again!

I agree that it is not the safest way, but in my example it is the best - no matter how funny this sounds :D

The script now works cool on Firefox, but I have problems on IE.

I have found out that URLs with username and password don't work in IE:

e.g. http://user:pass@www.page.com/password_proteded_folder/index.html

And because of this... my script is worthless... Does someone know how I could fix this problem?

Isn't there a possibility to set the username and password using header()?

Posted: Mon Mar 06, 2006 12:54 am
by AGISB
The feature to place usernames and passwords in the URL was disabled for security reasons. This is so insecure that it puzzles me that you even think about using something like this.

Here is an example:

You log in your admin with http://user:pass@mydomain.com

After surfing the site he goes directly to:

hisfavouritepornsite.com

Now the referer shows up in the logs of hisfavouritepornsite.com, and guess what it shows:

http://user:pass@mydomain.com

And you now have at least one admin able to log into your admin section, which you probably want to avoid at all costs.

Posted: Mon Mar 06, 2006 1:00 am
by feyd
That's only if a page on mydomain.com links to an external site and he has referral transmission on, AGISB.