php + http authentication
Posted: Mon Mar 27, 2006 9:47 am
by haora
Hi all, so here is my problem:
For the last few days I've been trying to duplicate the cPanel's login style..., what do I mean by this?, well, from what I understand, cPanel uses .htaccess to protect the private files, until the user logs in..., BUT you can also login through a login form....
My problem comes when I try to login using that form..., because I can't find a way, once I've determined that the username and password match (using php with the htpasswd file), to tell htaccess that the user is logged...
Do I make any sense???
If not just ask, and I will try to clarify things...
Thanks in advance!!!
Haora
Posted: Mon Mar 27, 2006 9:58 am
by Nathaniel
Posted: Mon Mar 27, 2006 10:13 am
by haora
Thanks for the quick response, but the thing is..., in the php manual, it talks about using a php page to ask the username and password, by sending a header...., what I want, is to use an HTML form, and use the information entered by the user, to authenticate him/her with the htaccess...
Posted: Mon Mar 27, 2006 11:36 am
by haora
No one has any thoughts on this???, I'm dying here people!!!, ANY ideas on how cPanel can make the html login form work with the htaccess???
The only thing I've found is using: login:password@myserver.com, but this approach doesn't work with IE...., what can I do???
Thanks
Posted: Mon Mar 27, 2006 6:48 pm
by danf_1979
Maybe you should ask in the #apache channel in irc.freenode.net. I would say it's an apache module, but who knows for sure...
Posted: Tue Mar 28, 2006 10:41 am
by pickle
After logging in via .htaccess file, dump your $_SESSION and $_COOKIE variables to see if they're populated.
Posted: Tue Mar 28, 2006 11:31 am
by haora
pickle wrote: After logging in via .htaccess file, dump your $_SESSION and $_COOKIE variables to see if they're populated.
My problem is with the other way, not after you log in via .htaccess, but after you login via a html form...., I've learned now, that you can access cookies from your .htaccess files, so what I'm doing now, is this:
- I log in from my html form, and set a cookie.
- Then, I put this in my .htaccess file:
RewriteEngine on
RewriteCond %{HTTP_COOKIE} !^.*loggedin=1.*$
RewriteRule .*$ http://myserver.com/login.html
From what I understand, that should tell htaccess to check for the cookie and if it doesn't contain: "loggedin=1", then redirect the user, to the login form, right???
The problem is, that it isn't working, using IEWatch, I can see, that if I enter the correct log in information, and the cookie is set, I can't access the protected folders 'cause htaccess is redirecting me back to the login form....
Any ideas???
Thanks for all the replies!
Haora
Posted: Tue Mar 28, 2006 12:39 pm
by feyd
Why not just make this a php file? PHP can generate the "htaccess" login prompt and it can generate the HTML one too, all in the same script.
Posted: Tue Mar 28, 2006 12:52 pm
by haora
feyd wrote: Why not just make this a php file? PHP can generate the "htaccess" login prompt and it can generate the HTML one too, all in the same script.
Yeah, I know, the problem, is that when I try to access an image (for instance), inside the protected directory, I should not be able to see it unless I'm logged into the system.....
EDIT: It might be important to note that the .htaccess file is inside the directory: html, and the login form, is inside the directory, login, which is at the same level as "html", because maybe the problem is with the RewriteRule.....
Posted: Tue Mar 28, 2006 1:04 pm
by feyd
You can force that to happen by not allowing anyone direct linking to the images or by using a rewrite in the htaccess that runs all queries through the interface script.
Posted: Tue Mar 28, 2006 1:22 pm
by haora
feyd wrote: You can force that to happen by not allowing anyone direct linking to the images or by using a rewrite in the htaccess that runs all queries through the interface script.
How would that be?, I'm not very good with the regexps and htaccess...., right now I'm trying to specify a RewriteRule that checks if I'm in the "login" directory, so if I'm not, it redirects me back to /login/login.php.....but I can't find the right regexp...
I would really appreciate your help in this matter...
Thanks again!
Haora
Posted: Wed Mar 29, 2006 12:47 pm
by haora
Well, for anyone who is interested or has a similar problem, I will post the solution I found:
The .htaccess file, would look something like this:
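Code:
Options +FollowSymLinks
RewriteEngine On
# Apply only to requests under the secured folder (case-insensitive)
RewriteCond %{REQUEST_URI} .*/security/secureForlder/.* [NC]
# ...whose Cookie header does not contain the expected name=value pair
RewriteCond %{HTTP_COOKIE} !^.*nameOfCookie=conditionForGrantedAccess.*$
# Send those requests to the login page
RewriteRule .* /security/login/login.php [L]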
This says:
IF you're in a secured folder AND you do not have the cookie (that should be set once you are correctly logged in) THEN redirect the user to the login page.
Otherwise it does nothing...., that way if you entered the correct login information, and the cookie was set, you can visit any page/image/file inside the secured folders...
One more thing, the ".htaccess" file is inside the "security" folder, and as you can see, the "login" folder is not secured....
Well, thanks for all the help, and hopefully this will be useful for someone else some day....
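Added example, not part of the thread and not haora's or cPanel's code: the RewriteCond above only tests text in the Cookie header, which the browser supplies, so the cookie value should be one the server can verify. This sketch follows feyd's suggestion of running requests through one PHP script; the file name gate.php, the cookie name auth, the AUTH_KEY environment variable, the /var/www/protected directory and the rewrite rule in the comment are all assumptions.

```php
<?php
// gate.php: hypothetical front script; every name in it is an assumption.
// Assumed rule in /security/.htaccess, replacing the cookie RewriteCond:
//   RewriteRule ^secureForlder/(.*)$ /security/gate.php?f=$1 [L]
const TOKEN_TTL = 3600;                      // seconds a login stays valid
const PROTECTED_DIR = '/var/www/protected';  // assumed: files kept outside the web root

function auth_key(): string {
    $key = getenv('AUTH_KEY');               // server-side secret, never sent to the client
    if ($key === false || strlen($key) < 32) {
        throw new RuntimeException('AUTH_KEY missing or too short');
    }
    return $key;
}

// Called by login.php after the htpasswd check; send with setcookie() using httponly and secure.
function issue_token(string $user, int $now): string {
    $payload = base64_encode($user) . '.' . ($now + TOKEN_TTL);
    return $payload . '.' . hash_hmac('sha256', $payload, auth_key());
}

// Returns the username if the cookie is authentic and unexpired, otherwise null.
function verify_token(string $token, int $now): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 3) return null;
    [$user64, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', "$user64.$expires", auth_key());
    if (!hash_equals($expected, $mac)) return null;          // constant-time compare
    if (!ctype_digit($expires) || (int)$expires < $now) return null;
    $user = base64_decode($user64, true);
    return $user === false ? null : $user;
}

if (PHP_SAPI !== 'cli') {                    // request handling; skipped when run from the shell
    $cookie = $_COOKIE['auth'] ?? '';
    $user = is_string($cookie) ? verify_token($cookie, time()) : null;
    if ($user === null) {
        header('Location: /security/login/login.php');
        exit;
    }
    // Resolve the requested file and refuse anything outside PROTECTED_DIR.
    $file = $_GET['f'] ?? '';
    $path = is_string($file) ? realpath(PROTECTED_DIR . '/' . $file) : false;
    if ($path === false || !is_file($path) || strpos($path, PROTECTED_DIR . '/') !== 0) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: ' . (mime_content_type($path) ?: 'application/octet-stream'));
    readfile($path);
}
```

Because the HMAC covers both the username and the expiry time, editing either field in the browser invalidates the cookie, and the realpath() prefix check keeps `f` from reaching files outside the protected directory.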
