Secure login

dave5398

I want to ensure the user name and password is transmitted over a secure (SSL) connection so I have a simple login page covered by SSL. How can I then, using PHP, set the .htaccess username? Also, going the other way, if I use .htaccess authentication, how can I access the username provided? Can the .htaccess process be set up over an SSL connection?

What's the recommended approach for secure login?

Dave

big_nerd

dave5398,

.htaccess can work, however, if you have invested in (or have a web server who has invested in) a Digitally Signed Certificate, do you not have access to a database server such as MySQL / Microsoft SQL?

PHP is capable of encrypting the passwords so viewing the records would do nothing for anyone to view it (MD5 command for instance).

.htaccess is where a server reads a file and authenticates against that, using web authentication.

If you used a database you can use either Web Authentication or just use sessions and you can customize the login page.

dave5398

Thanks.

I do have MySQL and SSL on my server. I use an SSL login and I match the MD5(username) and MD5(password) against the database so I believe that is secure. HOWEVER, suppose I want to protect some files in a directory on the server. My question is, can I somehow login to .htaccess from a php script, ie set PHP_AUTH_USER from the script?

Alternatively, is there an SSL version of the .htaccess login so I could use the PHP_AUTH_USER value to login to the database?

The point is basic authentication is not at all secure and even digest authentication is transmitted over an open connection is it not?

Dave

big_nerd

I sort-of see what you mean,

You can get the users authenticated (secured). the SSL encrypts the data so its not sent clear text, then the u&p are md5 enc'd to verify against it.

Do you want a list of users who ARE allowed access to certain folders (and beyond), but others are not?

dave5398

No I just want to use the secure login u&p to allow access to .htaccess protected files - can that be done? I suppose it would need some way of writing to $_SERVER['PHP_AUTH_USER'] which I guess is normally read only?

Dave

big_nerd

Dave,

All $_SERVER is read only, they are variables that are passed from the HTTP server to you.

dave5398

Thanks, that's what I thought. I guess I give up on this and just make sure all sensitive data is in the database. I really want it encrypted but I'm working on that one separately!🙂

Dave

big_nerd

dave:

Well, its not much of, but here is a solution..

have a DL id, depending on how many files you have, you can put them in the DB, disable directory browsing, etc.. and you can use this script to send the file:

<?php
function forcedownload($path) {      

        //get filename
        $filename = basename($path);
        //sent the right headers
        header("Content-Transfer-Encoding: binary");
        header("Content-Type: multipart/mixed");
        header("Content-Disposition: attachment; filename=$filename");
        //start feeding with the file
        readfile($path); 
} 
?>

You can do something like filedownload.php?dl_id=10101;

You can use a simple query to grab the path / file info from that

You can restrict access through the PHP script however you want, and the user wouldn't know where the directory is to begin with, since its server side. If its a seperate php file (that you parse everything & run the function from) the file download box will just pop up, and off you go.

Hope it helps a little...

dave5398

Neat, thanks I tried it and it works!

Dave

big_nerd

no problem, I know its not quite the best solution, but it should work.