Mixing PHP/.htaccess

Anon

Hi all,

I would like to have a login form whereby the user can enter their login details, rather than the Authentication box normally associated with .htaccess. Is there any way the information entered can be used by apache to authenticate afterwards?

e.g. say /downloads/ was protected by .htaccess. The user could go to /login.php and fill in a form containing their username and password. This could then forward them to /downloads/ and the authentication would be automatic.

Is it just a case of setting $REMOTE_USER or some other env. variable?

Anon

Hi,

Though your post is rather old, I did not see any reply to it! Did you finally come up with a solution?
I would be very interested...
Thanks
Marc

Anon

I too would like to know if any one could answer this question.... I want to have a user logon with PHP authent. and then be able to access directories that were protected by .htaccess

Any ideas?

Anon

I don't think that this can be done in the way that you suggest, However, I am sure that you can put all your users into MYSQL and have php a .htpasswd / .htaccess file using passthru(htpasswd) fopen() and fread(). Each time the database is changed using the app, the .htaccess / .htpasswd file is re-written..

Pretty messy but this is the way that I had to end up doing it..

Anon

Yes, I meet the same problem. Does php support that?

Anon

Why dont you do ALL the authentication using PHP, and a database
And then use a .htaccess file to auto_prepend the Security script to the folder you want protected.

This will enable you to have a nice looking log in and if you use MD5 encryption it will be virtualy uncrackable

opido

PHP only protects PHP files, I had a similar problem and ended up making .htaccess into one of the types that is parsed by PHP (remember, you could be trying to secure other media, like .jpg/.asf/.exe), worked pretty well and I no longer needed to use the prepend, just make sure you know how to use .htaccess

-Stephen VanDyke

Anon

Any information on how you made php parse the the .htaccess in apache. and what to do next ?

any examples of code you used would be very helpfull

TIA
Neil

Anon

<?php

$auth = false; // Assume user is not authenticated

if (isset( $PHP_AUTH_USER ) && isset($PHP_AUTH_PW)) {

// Read the entire file into the variable $file_contents 

$filename = '/path/to/.htpasswd'; 
$fp = fopen( $filename, 'r' ); 
$file_contents = fread( $fp, filesize( $filename ) ); 
fclose( $fp ); 

// Place the individual lines from the file contents into an array. 

$lines = explode ( "\n", $file_contents ); 

// Split each of the lines into a username and a password pair 
// and attempt to match them to $PHP_AUTH_USER and $PHP_AUTH_PW. 

foreach ( $lines as $line ) { 

    list( $username, $password ) = explode( ':', $line ); 

    if ( $username == "$PHP_AUTH_USER" ) { 

        // Get the salt from $password. It is always the first 
        // two characters of a DES-encrypted string. 

        $salt = substr( $password , 0 , 2 ); 

        // Encrypt $PHP_AUTH_PW based on $salt 

        $enc_pw = crypt( $PHP_AUTH_PW, $salt ); 

        if ( $password == "$enc_pw" ) { 

            // A match is found, meaning the user is authenticated. 
            // Stop the search. 

            $auth = true; 
            break; 

        } 

    } 
}

}

if ( ! $auth ) {

header( 'WWW-Authenticate: Basic realm="Private"' ); 
header( 'HTTP/1.0 401 Unauthorized' ); 
echo 'Authorization Required.'; 
exit;

} else {

echo '<P>You are authorized!</P>';

}

Anon

I've been thinking. Wouldn't it be possible to create just one account which the main php script is able to use?

What I'm saying is the users id and password are still managed using the database. The main php script will be used to authenticate users and if successful, will itself authenticate with the .htpasswd file and therefore give the user directory access.

User logs in --> Script authenticates --> Script logs in on behalf of user --> User has given access to directory

Anon

I don't know how you would do it. That is what I was orginally trying to do...

Any ideas on how?

Anon

Hate to add another "me too" here, but this is exactly what I'm trying to do and haven't figured out a good way of doing. I have a MySQL-based database of users which I access from PHP, but I want to protect whole directories -- in case someone knows the actual full URL to the file -- as well as just, say, index.php.

jtnix

I have been trying to figure this one out also, and unfortunately I don’t think it’s possible. Here’s why:

What we want to do is basically replace the HTTP WWW-Authentication method with something serverside. What we need is a way to supplant the information that would normally be sent by a browser ( Specifically, the Authorization header ) to the Webserver along with the GET request, with our own authentication information. Unfortunately, I don’t see any way of doing this with the existing PHP function-set or Apache modules. Special hooks would also need to be designed in Apache to supply it with a username/password for the mod_auth module from an external source. This would not be a simple task as I’m sure many security issues would need to be taken into consideration.

That leaves us with 2 choices for combining Apache’s .htaccess security with our own website’s security:

1) Send our own 401 header with WWW-Authenticate headers, get the results, validate them with our database and the htaccess privileges will be set at the same time. Many examples of this exist on this site, and others – including the PHP documentation. ($PHP_AUTH_USER and $PHP_AUTH_PW are only set by PHP after a successful Apache htaccess request has been made. Setting these variables manually ourselves isn’t going to propagate them back to Apache.)

2) Set up a daemon or scheduled program to populate htpasswd files for each protected directory (depending on content or subscribed services, perhaps) with the usernames and crypt()ed passwords from our custom user database. How you want to do this is up to you. Since the htpasswd file uses the standard system crypt() function (and can also use MD5, if you’ve set up your server that way) - as long as you used the same scheme to protect your users passwords, all that is needed is a simple select from the database outputted properly to an htpasswd text file. This process will still require the user to re-enter his same login/password when he first accesses the protected area.

Neither of these offer an elegant solution to content protection, however this is security and if your files are important or valuable, elegance will have to take second place. Out of the two I have seen the second one in use the most, and makes the most sense to me.

I’m sure the PHP Dev team could develop a function that would pass this information securely to the Apache server – perhaps we could all encourage them too. Until then, we’re stuck with the old-fashioned htaccess method.

Don’t forget, there are many other ways of protecting your content from being harvested by anyone, but you have to be creative – i.e. create softlinks to files outside the general HTML tree as they are requested and clean them up later. Some websites actually dynamically allow individual clients IP level access to certain areas only after they have logged in, disabling the IP’s later, after a timeout period has expired.

Joe T.