Users authentication and security issues

fabiuz

Hi,

I made a php script who act directly on Unix access files to add and remove user from a folder.

Now I am going to put a "login form" on a web page: only authorized users should be able to go inside the protected area.

What I am thinking to do is to point the form to a .php3 file where I will check the typed user name and password using a MySQL database (where data is equal to Unix data).

If the user is OK then I will redirect the page to the right path using an header like this:

http://username:password@www.domain.com/folder

else the user is redirected to the same page whit an error message.

Do you think this is a good way for my purpose?

Any other solutions or suggestions ?

I have made all this work because I want to protect all the files inside that folder.

Any comment and suggestion about will be higly appreciated.

Thanks

Fabio

php4hosting

One way is :-
http://www.php4hosting.com/devshed

Regards
Darren
http://www.php4hosting.com/

fabiuz

Yes, thanks for the link !

Anyway, my main trouble was not related to the mysql code, but to the way to log the user without the need to type user name and password in the Explore pop up window.

Passing that info using:

http://user:passwd@domain.com/folder

I solve the problem...but I am not shure that this is the most safe way.

Ideas about ?

Thanks

Anon

I am ASP PL, I gave many solution and new concept in ASP with VB,
by seeing the php information, I understood that Php will act as servelet for JSP, Am i correct, if its so pl. send some samples to my address

thank u

with regard

vijayan

Anon

In ur case, when ur cancel the auth. dialog, then the redirect will break, but in the address link, u can see the 'http://username:password@www.domain.com/folder' which just show the username & password, how can u avoid this ? please tell me because I also need to maintain the access rights of some files (not page) in web directory.

Anon

I've been able to password protect a single page, but not entire files using PHP.

Is there anyone who has been able to successfully address this? Is there some trick available through MySQL?

Anon

Maybe I'm doing something wrong, but by NOT entering a login or password and just pressing the'Enter key it shows me the list of users and NOT the incorrect login text.

mickro

You can put the authentication script in an include file and include it on all pages you want to protect.

Mike
www.digitalegg.net

php4hosting

A minor bug in the code, sorry. Fixed now

Darren

styler

I have copied the code from
http://www.php4hosting.com/devshed to see if it works but I do not get the pop up on my server, I only get the text "You must enter a valid login ID and password to access this resource" .

I am using PWS. Does anyone know if there is something I am missing.

Anon

This method only works when PHP is run as a module in Apache. It does not work with IIS or PWS.

Anon

This script does not work with people stuck on PHP3 servers. You can not send the Header information twice.

It falls apart when you call the "authenticate()" function for a second time.

What is the work-around?