[Resolved] Securig an existing site

ksandom

I have been given the task of making user management of an existing site more automated. In the past, the owner has used .htaccess files to determine who can and can not enter the members area. But as you can probably imagine as the site is growing, this is loosing it's feasibility.

The issue which is making this a challenge is that the site is built on a huge number of .shtml pages, so converting them to something else would be a nightmare. This means if there is an option that would allow the current stucture to work, then this would be best.

I have implemented a very temporary solution using tables and a small database. It's incredibly easy to bypass so something better needs to be done.

Since he's had success with .htaccess in the past, I was wondering if there was some way of making php work well with .htaccess in controlling who can and can not login. Ultimatley, I would like to have it controlled by the DB since it is easily managed.

I've considered making the program build a .htaccess file from the DB. This seems feasible, but also breakable. If neccessary I will do it, but I'm sure there must be a cleaner way.

I was wondering about ini_set but I'm not sure if that's going to work. It looks like something that might work but may be fidely and hard to diagnose(early impression).

I also was wondering about $_SERVER. But I think this is even more of a shot in the dark.

This post (right at the bottom), sparked my thoughts on making php and .htaccess work together.

Any thoughts? Any ideas that are cleaner that generating the .htaccess files?

Thanks in advance. 🙂

weekender

seems like you've done your research.

the first thing that occured to me is to use sessions. But what about all the .shtml files, i hear you ask!

create a file that does session_start, and checks whether certain vars are set to see if the user is logged in.

In httpd.conf (or .htaccess), set php to parse .shtml files as well as php files.

In php.ini, set the auto.prepend_file variable to prepend your session file to all files parsed.

Then a user logs in using a php page, then every time he goes to a .shtml or .php page, the session will be continued and security maintained.

adam

ksandom

Thanks for that. I've found the "auto.prepend_file" in the php.ini on my test server, however I'm pretty sure I don't have access to the php.ini file on the production server (physically located elsewhere and we only have a basic web interface to administer it. It's hired and thus shared by other people). Any thoughts on setting it without touching the php.ini file?

I'm wondering if this option may be set in a .htaccess file. I'm guessing not, but if it's possible I'm very interested.

Another thought I had was to use ini_set(posted in previous post), however one of the things that was mentioned on the page I linked to is that the settings only remain while the script that set them is running, meaning that anything that happens before the script is run (ie prepending something) isn't going to have an effect. So I don't think ini_set is going to help.

Any more thoughts?

Thanks very much for your help so far.

drawmack

if it's already using shtml and redoing the entire site is not an option then just go to one of the files that is included on every page (like the header) and put a call in to a perl script that does the authentication from a database. Actually if he's already using htaccess then you should just be able to rewrite that code.

ksandom

ok, thanks for the thoughts. I'm thinking I'll go with periodically generating a new .htaccess file (when ever there are changes). I don't like the messeyness of it, but for an existing site, I think it will have to do.

I'll leave this thread unresolved for one more day, just in case there's any more ideas that are worth while.

Thanks very much for the help. 😃

ksandom

This aspect is all going. This tutorial helped as suggested in this thread.

Thanks all for the help.