Hello,
I am trying to find a solution for simple logon script in PHP (but not copy existing one, but try to write and understand it by myself, anyway: free scripts I have found do not solve my problem).
I am using PHP 5.0.4 installed on Fedora 4.
I want to use .htaccess file in order to protect the folder.
Let me explain my problem in details:
1) I have created folder ABC where I put .htaccess file like this:
AuthType Basic
AuthName "test for authorization"
AuthUserFile /var/www/html/passwd/password
Require user raf
2) I have added user "raf" to the file password stored in /var/www/html/passwd/
3) I have created file test.html in protected folder
4) When I tried to open a file in Browser I was asked for user and password, which works fine.
...and here begins my problem.
I don't like window generated by Apache. I want that users will see nice page with logon form, on which user name and password can be entered.
In order to do this I have created file welcome.html with form like this:
<form method="POST" action="login.php">
<input type="text" size=10 maxlength=10 name="formUser">
<input type="password" size=10 maxlength=10 name="formPassword">
<input type="submit" value="Log in">
</form>
My login.php file looks like this:
<?php
// Read the credentials submitted by the form in welcome.html
$user = $_POST['formUser'];
$pass = $_POST['formPassword'];
if (!isset($user) || !isset($pass))
return false;
?>
<html>
<body>
<?php
// Copy the submitted values into the $_SERVER array and print them back
$_SERVER['PHP_AUTH_USER'] = $user;
$_SERVER['PHP_AUTH_PW'] = $pass;
$test1 = $_SERVER['PHP_AUTH_USER'];
$test2 = $_SERVER['PHP_AUTH_PW'];
print ("Your user: $test1 <br> Your Password : $test2");
?>
</body>
</html>
Files welcome.html and login.php are one level higher than folder ABC.
After I have opened welcome.html I have entered valid user name (raf) and password as defined in .htaccess and password file. As result I saw the message:
Your user: raf
Your Password : raf
Which means login.php works fine.
If I try to open test.html stored in the folder ABC I am asked for user and password. Why? I thought Apache has registered this after login.php was executed (with $_SERVER['PHP_AUTH_USER']).
What I am doing wrong? How should I do it correctly?
How can I avoid standard prompt window and pass user and password to Apache in that way (via login.php), that I will be not asked again to enter this and display standard logon window?
Next question: how can I log off and enter folder with different user.
Regards
Rafal
PS. In the meantime I have found solution like this:
I can write script which redirect to the secure page. Something like this:
http://user:password@foo.bar/secure_dir/
For more details see here:
http://oracle.faqts.com/knowledge_base/view.phtml/aid/3323/fid/507
I want to know if there is better solution.
I want to protect all (!) files in the folder. Especially Flash (swf) or Java applets.
Please advise what to do.
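
Why the prompt comes back, and one form-based alternative, as an added example that is not part of the original post: Apache checks the Authorization header the browser sends with every request, so writing to $_SERVER['PHP_AUTH_USER'] inside login.php changes only that script's own copy of the array. The script below (a hypothetical gate.php used as the form's action) keeps the login in a PHP session and streams the protected files itself. It assumes PHP 5.5 or later, a password file with bcrypt hashes created by `htpasswd -B`, and the protected files moved to an assumed directory that Apache does not serve directly.

```php
<?php
// gate.php: added example, not code from the post. Assumes PHP 5.5+ and bcrypt hashes.
const PASSWD_FILE   = '/var/www/html/passwd/password'; // password file path from the post
const PROTECTED_DIR = '/var/www/protected/ABC';        // assumed location outside the docroot

// Look the user up in the htpasswd-style file and verify the bcrypt hash.
function check_login($user, $pass) {
    $lines = is_readable(PASSWD_FILE)
        ? file(PASSWD_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : array();
    foreach ($lines as $line) {
        list($name, $hash) = explode(':', $line, 2) + array(null, '');
        if ($name === $user) {
            return password_verify($pass, $hash);
        }
    }
    return false;
}

// Map a requested name to a real file inside PROTECTED_DIR, or null.
function resolve_path($requested) {
    $base = realpath(PROTECTED_DIR);
    $path = ($base === false) ? false : realpath($base . '/' . $requested);
    // realpath() collapses "../", so the prefix check keeps requests inside the folder
    $inside = $path !== false && strpos($path, $base . DIRECTORY_SEPARATOR) === 0;
    return ($inside && is_file($path)) ? $path : null;
}

session_start();
if (isset($_POST['logout'])) {                        // log off: drop the session
    $_SESSION = array();
    session_destroy();
} elseif (isset($_POST['formUser'], $_POST['formPassword'])
        && check_login($_POST['formUser'], $_POST['formPassword'])) {
    session_regenerate_id(true);                      // fresh session id after login
    $_SESSION['user'] = $_POST['formUser'];
}
if (!isset($_SESSION['user'])) {                      // not logged in: back to the form
    header('Location: welcome.html');
    exit;
}
$path = resolve_path(isset($_GET['file']) ? $_GET['file'] : 'test.html');
if ($path === null) {
    http_response_code(404);
    exit;
}
$types = array('html' => 'text/html', 'swf' => 'application/x-shockwave-flash',
               'jar'  => 'application/java-archive');
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . (isset($types[$ext]) ? $types[$ext] : 'application/octet-stream'));
header('Content-Length: ' . filesize($path));
readfile($path);
```

Every file in the folder, including .swf and applet files, is then requested as gate.php?file=name. Posting a `logout` field ends the session so a different user can log in.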