URL redirection & PHP Authentication.

Anon

I want to force users (browsers) who are navigating thru my directories to be redirected to a PHP file where I do some DB Authentication.

If they are successfull (i.e. they are in my D😎 - I use $REQUEST_URI (or something similar) to take them to the chosen directory or file they requested in the first place in the knowledge that they are a valid user, OR I deny them the ability to view a directory/file they are not authorized to view.

Ideally I need something similar to Apache mod_alias (Alias) but it redirects for all files and directories under a stipulated directory to go via my PHP file.

Do I need to get involved in mod_rewrite??

I am trying to force security on directories and files by comparing a user and the directory they are in via a DB Table (the user and a list of directories they have been granted access to is in the D😎.

Any ideas/examples appreciated.

Joe.

Anon

Personally, I don't mess around with re-direction to auth pages. Instead, I create an authorization function that does the heavy work and then require() it on any pages that need to be authorized.

+++++++++++++++++++++++++++++++
EXAMPLE:

<?PHP

require('mod_auth.php');
$authtext = mod_auth();

if ($authtext) {
print $authtext;
}
else {
//
// put all your regular page stuff here
//
}

?>
+++++++++++++++++++++++++++++++

In the above example, the protected page calls a function named mod_auth(). This function does the actual user authorization. The function checks if the page was called from a 'post' operation (ie a form), which button on the form was pressed, and performs the appropriate action.

The first time the page is being requested, the request method is 'get' so the mod_auth() function returns the HTML of a sign on form; $authtext is not blank, and the example above would display the signon form to the user.

When the user enters the signon information and clicks the 'submit' button, the form calls the same page again (PHP_SELF). This time mod_auth() knows what form and submit button was pressed and performs the database authentication.

If the authentication is successful, mod_auth() returns nothing and the example above drops through to display the protected page.

If the authentication fails, mod_auth() returns the text of an error or 'not authorized' page. Again, $authtext is not blank so the error or 'not authorized' page is displayed to the user instead of the protected page.

The mod_auth() function can be enhanced to handle other things like "forgot password" and "sign up" functions as well. Also, such an authorization function must be used with some type of session handling so the user doesn't have to re-enter userid and password for every protected page or refresh.

-- Rich Rijnders
-- Irvine, CA US

Anon

Thanks for your help Richard,

I get what your saying, however, the users themselves are able to post images etc. in their directories, so, If I don't want other users to nosy at a user's private files I need to authenticate without the use of a 'require' - (I think).
Am I talking sense?? Is this correct?? Am I missing something obvious??

Is there a nifty thing you can do by placing a .htaccess at the root of the user's area to point to my validation script??

cheers,

Joe.

Anon

You can surely limit *all access to a directory through your 'access.conf' file. You would need to add something like:

#------------------------------------------------------
#-- Secure User Directory
#------------------------------------------------------
<Directory /usr/local/etc/httpd/htdocs/mysite/johndoe>
AuthUserFile /etc/.htpasswd
AuthGroupFile /dev/null
AuthName johndoedirectory
AuthType Basic

<Limit GET>
require user johndoeuserid
</Limit>

</Directory>

...to your access.conf file (assuming you are using a *nix OS and Apache). You also would need to add the user id for john doe and a password to your .htpasswd file.

This method works fine if you want to keep the entire directory private from everyone except John Doe. Keep in mind that this will also keep anyone from being able to VIEW web pages in that directory without the user id and password.

Is that what you are trying to accomplish, or are you trying to create a method of allowing users to update what other people can see when they visit his/her website directory? That is a more complex issue...

-- Rich Rijnders
-- Irvine, CA US