[RESOLVED] Protecting content

dkintheuk

Hi all,

I have a site that i need to develop a protected area of content. The pages will be images that i only want registered and logged in users to be able to see.

I have already sussed out hte login script and session management to present the pages ok but i want to be able to stop direct linking to the images URL by non-subscribed users.

I have the page set up so that a session test occurs at the top and that all works lovely so if a non-registered or not logged in user tries to go to the page it presents the login details.

But, if i can see the page and get the properties of the images, i can use the URL of image even if i am not logged in to see the picture.

How do i stop that from happening? Do i need to configure .htaccess? I have no idea of how to do that in this instance...

Sorry if this sounds a bit newbie but i've just never had to do it yet.

Cheers all,

Rob.

MarkR

There are a number of ways of doing this. One method is to get PHP to serve the files rather than Apache, but that's a bit complicated to set up.

Normally I'd recommend using basic authentication in Apache. If all your content requires the same level of access, you can just put

Require valid-user

In .htaccess and then only non-anonymous users can access it. If it's more complicated, you could use a group-file too.

PHP scripts in your admin area can then set up the htpasswd and/or htgroup files as necessary. They store the username and the password encrypted with crypt().

It's just a matter of ensuring that this file is written correctly. As long as you ensure that there aren't any bugs in the code which writes this, and that it does correct locking etc, it will be fine. I'd recommend writing another file and then renaming it over your old htpasswd (this is safest, as if the script fails or breaks half way through, you won't end up with a truncated file).

Of course you can still store the user data in a database in addition to this htpasswd file - I recommend doing so.

Mark

dkintheuk

Ah... now we're into a whole area that i've yet to look fully at.

I kind of understand what you mean by the 'Require valid user' add to .htaccess but how do i present a user as a valid user when they visit the page i am protecting?

Also...

htgroup?
htpasswd?

These are new to me though i think i get the principle though. I guess that what you are saying is that i am going to add users details to these two files then the page will be able to present the user details in my session to the apache server to get an authentication and allowance to show the correct page.

You say that PHP serving of the pages is more complicated - how so? I was thinking along the lines of making the images folder a location that is protected on the server but i quickly founf out that you then need a server login to get them to display at all...

I'm still not entirely sure what is the best (not necessarily the simplest) approach.

many thanks,

Rob.

dkintheuk

Just found this link that helps immensly with the whole concept.

http://aspn.activestate.com/ASPN/Cookbook/PHP/Recipe/108479

Excellent resource and very clear code that gives all the answers i am looking for!

Take care all,

Rob.

dkintheuk

OK i'm stuck again...

There is code at the link i gave in my previous msg to implement teh avoidance of the pop-up username and password request and to use the values held in session data (i.e. from the login form).

I can't see how to adapt that so that the user isn't presented with a pop-up once they go to the protected content pages rather than the login that they've already completed.

Any clues?

Tahnks,

Rob.

MarkR

It's an Apache feature - read the Apache docs for more info.

Basically, you need a htpasswd file. These are normally maintained by the "htpasswd" program shipped with Apache.

But the format is simple, you can write it by PHP.

The Apache config (httpd.conf or .htaccess) indicates where the server should find htpasswd, and which user(s) it should allow to access a given resource (being a directory, file or location).

The simplest way to do it, in my opinion, is to have a fixed .htaccess file which doesn't change, then make a htpasswd file somewhere which is writeable by PHP and dynamically updated as new users are added/removed, or change their passwords.

Ensure that the htpasswd file itself is somewhere inaccessible by the web - either ourside the web root or in a special directory protected by a .htaccess such as

Deny From All

Try it out on your dev server first, to see how the Apache basic auth config works.

Mark

dkintheuk

Ok but in thesite i refer to they say that you can make use of the values in the htgroups and htpasswd files to avoid presenting the user another pop-up login when they go to protected pages and use the already entered login details to pass through this control...

here is the code i'm talking about:

function authenticate(){
  header("WWW-Authenticate: Basic realm=\"Members\"");
  header('HTTP/1.0 401 Unauthorized');
  echo "Please enter a valid user name and password.";
  exit;
}

for(; 1; authenticate()){
  if (!isset($HTTP_SERVER_VARS['PHP_AUTH_USER'])) continue;
  $user = $HTTP_SERVER_VARS['PHP_AUTH_USER'];
  if(!($authUserLine = 
    array_shift(preg_grep("/$user:.*$/", 
    file("/home/kloss/html/test/.htpasswd"))))) continue;
  preg_match("/$user:((..).*)$/", $authUserLine, $matches);
  $authPW = $matches[1];
  $salt = $matches[2];
  $submittedPW = crypt($HTTP_SERVER_VARS['PHP_AUTH_PW'], $salt);
  if($submittedPW != $authPW) continue;
  break;
}

I'm not clear how to adapt that code...

Thanks again,

Rob.

MarkR

If you're going to do HTTP basic authentication, you must do it either via Apache OR PHP, but not both.

If Apache is going basic authentication, your PHP script does not need to (and it probably won't work).

If you want to authenticate requests for non-PHP files (such as images, etc) you'll have to do it via Apache.

If Apache is doing authentication, you can determine the user logged on by using $_SERVER['REMOTE_USER']

Mark

dkintheuk

Got it - tried a couple of test and i see what you mean.

So in fact although my user is going to be doing his login via a php script the detail he logs in with are those that will be submitted to the http-authentication instead of showing the pop-up window... got a good resource again at codewalkers.com

Take care all,

Rob.

jasonok6

MarkR wrote:
There are a number of ways of doing this. One method is to get PHP to serve the files rather than Apache, but that's a bit complicated to set up.

I have the same problem, however modifying .htaccess and having apache protect these images isn't an option for me. I have no idea what my users passwords are because I encrypt them, so i wouldn't know what username/password combination to add to .htaccess when a user signs up or changes their password.

One idea I had was to keep all my images in a directory outside of the web server root. Then when needing to display the image I could open it up within php and then copy it to a directory that is accessible via the web. I could name the image whatever the current timestamp is. Setup a cron job script that triggers a script that looks at all images in the public directory whose timestamp is older than a few seconds deleting any images from permanently being accessible from the web. My only concern is all of the work involved with doing this, awfully expensive method that could become a problem as the site gets larger.

MarkR, I was wondering what your method of doing this would be if you had to serve the files with php rather than apache.