.htaccess

Anon

I've got a site with a admin folder in it, which i want to protects as good as i can. What i do now is log in via a from by entering username and password, and it auth. against a mysql-database....and creates a cookie on the client computer with username/password for the database if it's the right login. This does'nt work to good, cause you can still access the HTML docs under the admin folder as long as you know the URL. What i wanted to do is to use a .htaccess file for the login, and take away the form-login. In order to do that i need to take care of the username and password so that i can use the same U/P for database-connections...like putting them in a cookie or something. Is there any way of doing this??

Anon

Instead of using a .htaccess file, you can send authentication header requests with PHP. Send the headers before any text is outputted (unless you have PHP4 with output_buffering turned on in you php.ini file)

if(!isset($PHP_AUTH_USER))
{
Header("WWW-authenticate: basic realm=\"Complain\"");
Header("HTTP/1.0 401 Unauthorized");
}
else
{
// connect to database here

// $PHP_AUTH_USER is the username returned by the authentication box
$username = $PHP_AUTH_USER;
// $PHP_AUTH_PW is the password
$password = $PHP_AUTH_PW;

$query = "SELECT * FROM table WHERE username='$username' AND password='$password'";
}

Anon

This is maybe a realy lame question, but.....i see what the file does, but i'm not quite clear on how to use it. I mean, the .htaccess file is initialized when you enter a certain folder, but how do i make it so this code initialize when i write like : http://www.somedomain.com/admin ??

Anon

Well, forget about .htaccess file.
and stick to Sessions and header ('www-auth.')

Anon

Okay, forgive me here, but I'm essentially trying to do the same thing as Bouche. I know next-to-nothing about PHP -- I'm basically looking up what I need as I need it for what I'm doing. I know what the .htaccess file does, but how does the PHP authentication code Ethan wrote check whenever someone attempts to enter a directory by directly typing in the URL? Is the code supposed to go in every single file? That seems like a bit of a blunt hammer approach.

Hm, there are includes...

Anon

This isn't code for the .htaccess file. It's code for a php script. You would need to include that file in every page you wanted to be password protected. If they have authenticated once, it shouldn't as for the username and password again. If you wanted them to authenticate when typing in a directory, you would probably want to just have a directory index file including the authentication code. The code provided has absolutely nothing to do with a .htaccess file. It just mimics what the .htaccess file does inside of php (sends authentication headers), so you can integrate it with a database system.

Ethan

Anon

Hey, I'm clueless, but I'm not that clueless. 😉

I was aware it was PHP code, I just figured that it only authenticated for the page it was on, and was apparently correct that it had to be in each page.

Thanks, though. It will make this project much easier. Kudos to all you hard workers at csoft.

Anon

I see that Authentification header are good to protect pages. But how can you use it to protect files from being downloaded directly.

Eg: www.mydomain.com/secure/resume.pdf

What is the best solution to protect this file? .htaccess?

Is it possible to combine .htaccess and authentification headers to ask for the username/password (stored in a database) only once ?

Anon

I am trying to figure out that same issue. I have a file that is in a directory. The problem is that if someone knows the direct URL to the file, they can get it directly. PHP authentication methods control access to all PHP files, so I don't use htaccess, but I have to use htaccess to protect the file in the directory. Catch-22. So how can I use an authenticated php user to pass http authentication to a realm without having the user log in again....?

Thanks

fotakis

Ok this thread is quite old, but I am stuck in the following. I am able to secure my php files, but in my administration pages, a user can add and remover files. The problem is that I have the folder to 757 mode. Isn't there anyway so that when an administrator logs in, he can have write access, where as if a normal user logs in, they can only have read access?

Is this done with .htaccess?

Thanks in advance,
Fotis

Anon

Hi!!!!!!
This session was good but what if I want to protect a directory.
For eg. if someone knows the path he can get to know all the files in the directory.

www.india.com/dir/

One method to solve this is a create a file called index.htm in that Directory called dir.
How to protect that Directory using .htaccess.
This I want to know for the heck of it.
So pls mail me.

Thanks in advance

regrads
me