login page to an htaccess protected folder

ness_du_frat

Hello everybody !!!
I'm brand new to php, but I've seen what can be done with it, and I'm determined to learn this language, when I have enough time...
For now, I have a question. Something probably very simple, that's why I chosed to post in the newbie section.
On my website, I have a protected folder. It's protected by an .htaccess file. I'd like to bypass the ugly login window ( default authentification window ), and put my own login window, so that the people can login from the website, and not from an ugly gray box.
For the moment, I haven't found anything. I tried using javascript, but with the IE security update, the usual stuff doesn't work anymore.
On Google, I found out something could be done with php, but... I'm really beginning, you know, with the syntax and all, so I don't even know how to code a very simple function, much less seomthing as complicated as a login window...
I'd like to keep the .htaccess file, because in my folder, I have some images, pdf, word documents and all, and I think it's just easier to protect the all thing, so that nobody can get it form the url... But, .htaccess means ugly gray box...
So, does anyone know how to get rid of the gray box ?
I would be eternally gratefull to you if you could give me a hand on this one...
My website is on a server given by Free, my provider. It supports php, but not the .htpasswd thing. It also supports htaccess ( obviously ).
Thanks a lot for your help !!!
Ness

bradgrafelman

What you could do is set your htaccess to look like:

ORDER deny,allow
ALLOW FROM <IP you want unblocked>
ALLOW FROM <another IP you want unblocked>
DENY FROM ALL

(replacing the <>'s with IP's, EXCLUDING the < and > signs).

Next, just use your PHP script to load the files. Use include/require to display the files, etc.

I do this with my downloads script I made. I actually put the files in '/downloads/files/' and just deny access to that directory. Using my PHP script outside the files directory, I list the contents of ./files/ and then link to each file for download as "download.php?file=xxx.exe", etc.

ness_du_frat

Allowing the IP will be far too complicated. I have about 10 to 15 people I want to allow access too, and I want them to have access whereveer they are, not just from one computer...
Thanks for the suggestion !

krs1

I'm also a n00b, but wouldn't the includes bypass your settings since your servers getting the file?

ness_du_frat

I think I'm even more a n00b than you are... lol !!!
I don't know about that. I tried something with includes. ( a friend gave me a script ). The problem is, my server doesn't accept the .htpasswd. They modified Apache, and I'm restricted to their own way of doing the .htaccess file...
It's supposed to be like that :

PerlSetVar AuthFile secret/passlist
AuthName "Acces Restreint"
AuthType Basic
require valid-user

with "secret" ( or another name ) being the folder where you have the passworld list. I tried the .htpasswd, instead of passlist, but it didn't work at all....
It's really hard. I've been asking everywhere for a month, and nobody can help me... I'm desperate...
I tried javascript. It used to work, but they put a security update in IE, and now, it doesn't work anymore.
Right now, I have a script which works with FF, doesn't display the ugly box, but with IE, it does display it. This is ok, but I'd like something more "professional", but not as complicated as a membership login....

bradgrafelman

You misunderstood me.

The secret folder that contains all of your files would NEVER be accessed by your clients/viewers.

The ONLY thing accessing data inside this folder would be your PHP script. I only provided the "ALLOW" entries in case you yourself wanted to bypass the access block at home, for example. You can simply use "DENY FROM ALL" after the order statement, if you'd like.

Is there a problem with using a PHP script to include/output the data from files inside the directory? What type of data are you trying to protect here, and how is the user going to access it? Is it just a collection of files you are allowing the user to download from, etc. ?

ness_du_frat

What I'm exactly trying to do, is a very small member area. It will be accessible by some people, who will recieve a username and a password ( which will be the same for everyone ). What I don't want them being able to do, is just going to the folder via the adress bar, and downloading the files from there.
I'll have .doc, .jpg, .pdf files, mostly.
What I need is a login script, or something similar, which would bypass the popup box ( coming eith the .htaccess ) asking you for password and username.
But, my server is quite narrow-minded and doesn't allow lots of things...
So, bradgrafelman, if I understand you well, with this .htaccess file, nobody could get into my folders, but I wouldn't get the gray popup box either ? How do I set up the login page ?
Thanks a lot for your help !!!

krs1

Do you have access to MySql?

if so read my post "Log On Script..." .... that should be exactly what you need... just place: "include 'yourlink.php';" under: //successful login code will go here...

ness_du_frat

Seems cool !!!! I'll try that tomorrow... You think I can use the .htaccess or not ? Because if not, I have a javascript code which will do exactly the same... I had a look at the code, it seems really good, I'll tell you once I tried it !

krs1

Obviously you'll need to set up your MySql with a users table and the fields username and password!

Include the check login on the pages you want to protect and your set...... ( if forgot to put exit(); after i included my index.html if the user isn't logged on!)

you can still set your htaccess then and set it to disallow all... (your server needs the access thats it)

bradgrafelman

You can definitely use krs1's script, that's the direction I was heading.

I was suggesting you use an alternate method of checking usernames/passwords. Make your own HTML login page, and check it against a MySQL database (or even a flatfile database).

You could then read up on [man]readdir[/man] and [man]glob[/man] to list all files in a directory, add links to your script (i.e. "members.php?file=myfile.jpg") and use headers to send the file via your script.

NOTE: Using this method, you should do some validating and make SURE the file they wish to download is in the isolated download directory you specify. Don't want them downloading any and all files all over your site, now do we!

ness_du_frat

Ok, I'll try that, even if I'm not really sure if I can manage what you're talking about, bradgrafelman. Don't forget I'm a REAL newbie. My only knowledge in php is some very simple functions. I've just started to learn.
My problem is the .htaccess file. If I put it, it'll definately ask for the password. I had a script not very far from yours, krs1, checking the password and the username. But, it still asked for the password and username in the popup box, even though I had given them already...
My main problem is, it's not html pages I want to protect. I really don't care about someone stealing my html pages.

Here, I show you what my friend gave me. It works fine on his server, but his server accepts the .htpasswd thing, and crypted passwords, whereas mine doesn't seem to.

<? 
include("secret/ee_fonctions.php");
$pb=0;
if (isset($_POST["valid"])) {
	if ($_POST["valid"]==1) {
		$pb = check_id($_POST["login"], $_POST["pass"]);
	} 
} 
?>
<html>
<head>
<title>Ajouter un message pour l'Espace Entreprises de Farmer Corp ...</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="../../style.css" rel="stylesheet" type="text/css">
<script language="JavaScript">
function check(){
	var pattern = "^[ \n\t\r\f]*$";
	var option = "g";
	var reg=new RegExp(pattern, option);
	var pb = 0;
	var chaine = "Certains champs sont mal  remplis :\r\r";
	if (reg.test(document.id.login.value)) {
		pb = 1;
		chaine += "\t- votre login.\r";
	}
	var reg=new RegExp(pattern, option);
	if (reg.test(document.id.pass.value)) {
		pb = 1;
		chaine += "\t- votre mot de passe.\r";
	}
	if (pb) {
		chaine += "\rVous devez absolument les remplir pour vous identifier.";
		alert(chaine);
	} else {
		document.id.submit();
	}
}
</script>
</head>

<body class="soleil">
<table align="center" height="100%" width="100%" >
		<tr>
			<td width="100"></td>
			<td width="150"></td>
			<td width="269" height="5"></td>
			<td width="81"></td>
			<td width="100"></td>
		</tr>
		<tr class="baspage" valign="top">
			<td></td>
			<td class="paragraphe" colspan="2" height="5"><br>
			<img src="../../../images/gribouilli.gif" width="25" height="31" align="texttop">
			<span class="citation">Identifiez vous ...</span>
			</td>
			<td colspan="2" class="remarque"><br>
			<img src="../../../images/fleche_orange.gif" width="20" height="10">&nbsp;
			<a href="javascript:window.close()">Annuler</a>&nbsp;&nbsp;&nbsp;
			</td>
		</tr>
		<tr>
			<td colspan="2"></td>
			<td height="40" class="ajoutpb">
		<? 	switch($pb) {
				case 1 : echo "Votre login est invalide !";
							break;
				case 2 : echo "Votre mot de Passe est invalide !";
							break;
				case 3 : echo "Un problème est survenu lors de l'accès à votre compte ...<br>Contactez-moi : <a href=\"mailto:pot@efrei.fr\">ici</a>.";
							break;
			}
		?>
		</td></tr>
		<tr>
			<td></td>
			<td colspan="3" class="paragraphe">
			Veuillez entrer le login et mot de passe qui vous ont été transmis:
		</tr>
		<form action="index.php" method="post" enctype="multipart/form-data" name="id">
		<tr>
			<td></td>
			<td class="ajoutgauche">
			Login :&nbsp;
			</td>
			<td>
			<input type="hidden" id="valid" name="valid" value="1">
			<? 
			if ($pb == 2) {
				echo "<input type='text' id='login' name='login' size='20' maxlength='20' value='".$_POST["login"]."'>";
			} else {
				echo "<input type='text' id='login' name='login' size='20' maxlength='20'>";
			}
			?>
			</td>
		</tr>
		<tr>
			<td></td>
			<td class="ajoutgauche">
			Mot de Passe :&nbsp;
			</td>
			<td>
			<input type="password" id="pass" name="pass" size="20" maxlength="20">
			</td>
		</tr>
		<tr><td height="10"></td></tr>
		<tr>
			<td colspan="2" rowspan="2" valign="bottom" align="left">
			<img src="../../../images/fonds/soleil_gauche.gif" width="186" height="220" align="absbottom">
			</td>
			<td height="30"><input type="button" onClick="javascript:check();" class="bouton" value="S'identifier">
			</td>
		</tr>
		</form>
		<tr>
			<td height="156"></td>
            <td colspan="2" valign="bottom" align="right">
			<img src="../../../images/fonds/soleil_farmer.gif" width="181" height="100" align="absbottom">
			</td>
        </tr>
</table>
</td></tr>
</table>
</body>

</html>

this is the login page. The french things just say that you have to tner the password, or that it's not valid.

Here is the ee_fonctions.php :

function check_id($login, $pass) {
	$fp = fopen("secret/pass.tof","r");
	if (!$fp) {
		$pb=3;
	} else {
		$pb = 1;
		$verybrut = fread($fp, filesize("secret/pass.tof"));
		fclose ($fp);
		$brut = explode("|",$verybrut);
		for($i=0; $i < sizeof($brut); $i++) {
			$ident[$i] = explode("=",$brut[$i]);
			if (trim($login) == trim($ident[$i][0])) {
				if (trim($pass) == trim($ident[$i][1])) {
					header("Location: [url]http://[/url]".$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF'])."/ajout.php");
				} else {
					$pb = 2;
				}	
			}
		}
	}
	return $pb;
}
?>

The index.php is located in a folder, protected by an .htaccess file looking like that :

AuthUserFile /users/promo2004/pot/public_html/pages/ferme/prive/secret/.htpasswd
AuthName User
AuthType Basic

<limit GET>
require valid-user
</Limit>

Then, you have this "secret" folder, where ee_fonctions.php is located. This one contains a .htaccess file ( deny from all ), a .htpasswd file with an encrypted password, and the pass.tof file, which contains the passwords, formated like that :

username=password|
username2=password2

It works fine for him ( the friend ), but for me it doesn't at all. Mainly because I have nooooooo idea why the .htpasswd contains a password and username not corresponding at all to the ones contained in pass.tof.... and my friend did that long ago, when he was in school, so he doesn't remember at all what he put in the .htpasswd thing...
But, his login is exactly what I'd like to achieve, because of the .htaccess file, which still protects all files from being navigated to....

Do you have any idea how it works ? ( because, checking the files, I don't understand how it can bypass the popup box by him, even if it does... )

krs1, I think your script is better than his, so I'm almost certainly going to use yours, but do you know how I could put the .htaccess in a way that wouldn't bring the ugly popup back ??? 🙁

Thanks for helping me, guys !!!!

bradgrafelman

Change:

                    header("Location: <a href="http://" target="_blank">[url]http://[/url]</a>".$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF'])."/ajout.php");

to:

                    header('Location: <a href="http://' .$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']).'/ajout.php" target="_blank">[url]http://[/url]</a>'.$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']).'/ajout.php');

In the directory that you aren't protecting (i.e. it just has the logon script), DONT USE .htaccess! ONLY put .htaccess in the "secret" folder, and in that .htaccess you need the DENY FROM ALL statement I said earlier.

ness_du_frat

Ok, so I tested the code, replacing the header by what you gave me, and I got an error. So, I just put the old one back, and everything seemed to be working, except that the folder was not protected. I put the .htaccess "deny from all" in the folder, and now, it was protected.
But...
When I want to access it with my login page ( which was the point, after all ), I get the nice : you don't have permission to access to this server...

🙁

What should I do ? Because as I said earlier, if it's just a matter of having a login page, and no protected folder, I can do it in js, it's much easier...

ness_du_frat

Oh, and I'm going to London for five days ( no, not for the wedding, lol ! ), so in case somebody posts something and doesn't get any feedback, no, I'm not sulking in my corner, I'm just on holidays !!! lol !!!

bradgrafelman

What you need to do know once you have a login script is use PHP to read the contents of the folder and allow people to download files from it.

Take a look at functions such as [man]opendir[/man], [man]fpassthru[/man], [man]glob[/man], etc.

ness_du_frat

thanks, I'll try that when I come back, and tell you about it !

bradgrafelman

I try to make my posts/solutions a learning experience, so go ahed and try to write your own code/pseudocode.

Once you get as far as you can, post it here and I'll help you out.

I can tell you right now that once the user has selected what file they want to download and have been redirected to something such as "?myfile.exe" and you know which file they want, you'll need special HTTP Headers to tell the browser to begin a download, instead of just loading the file in the page. The headers to force the browser to display the "Save As" dialog are:

       header ("Cache-Control: must-revalidate, post-check=0, pre-check=0");
       header ("Content-Type: application/octet-stream");
       header ("Content-Length: " . filesize('files/'.$filename));
       header ("Content-Disposition: attachment; filename=$filename");