Need help sending PHP values to .htacces

Anon

I've been searching for over 5 hours now and have found pleanty of info on PHP_AUTH_USER and PHP_AUTH_PW. What I need is the opposite and on the queries I found with my same problem there have not been any answers.

Here is the situation:

1) We have a PHP login page that queries against a MySQL table for a correct username and password pair for hundreds of users.

2) Once the user is authorized a link is returned to the browser for 1 of 2 different files. Let's say the user is a Silver Member they get a link for '/medals/silver.pdf'. If they are a Gold Member they get a link to '/medals/gold.pdf.'

3) All this is fine and works great. Please don't talk about the header() function because it doesn't work in all versions of IE. That is not the issue or problem.

4) We want to force the user to login each time to download the updated copies of the pdfs located in the /metals directory. Smart users would be able to save the link to the pdfs in their favorites or bookmarks. To thwart this and force them to login we have placed a .htaccess file in the /metals directory. That .htaccess file requires one user, "foo" with password "bar."

5) The idea was that if the user authenticated we could set the auth user and password to "foo" and "bar" and when they clicked on the link to retrieve the PDF it would authenticate automatically against the .htaccess file. But we can't find anywhere how to send the "foo" and "bar" values to the browser for the .htaccess file.

Does this make sense? As I've said above this question has been asked buy not answered here or on PHP.net or on any other list I've been able to find and search all day. If someone can help with this or provide an answer I will promptly distribute the solution to the other lists to help out those that have posted the same question but not yet received answers.

Thanks in advance for any help.

Would also appreciate if any help could be emailed directly to me as well as posted to the list. I'm fairly new to PHP. Can read and understand and modify existing code but can't quite construct from scratch yet. :-)

Thanks again,

-shane

metin

Sorry, you said - "...Please don't talk about the header() function ...",
but here is it anyway, the alternative is to use java script.
And the headers function has worked for me until now 😉

<?php
header('Location: http://foo:bar@www.your_server.com/metals/silver.pdf');
?>

Anon

Header(location) doesn't work with IE 4.01 and has problems with IE 5.5, unless certain service packs are installed and then is still not guaranteed to work.

This also doesn't address the problem of the user just bookmarking the path to the PDF since the path shows up in the address line of the browser.

These PDFs are updated each day and hundreds of users log in each morning to download the updates.

The solution in the above thread would work if there weren't the issue of the Header() function not working with all browsers.

Any one else out there understand this problem or have any ideas?

-shane

Anon

There is no way of "automatically" authenticating against "Basic authentication".
The only why is to pass the username/password in the address field of your browser.
Otherwise, you have to give the username/password in the pop-window.

There is another way of solving your problem(if you don't want to use the header function):

Since you have a working authentication system based on MySQL,
you don't actually need the additional authentication against Apache.

Then you can configure Apache so that when somebody accesses these two files
and they don't come (REFER) from, say: http://www.your_server.com/login.php
then redirect them there. You can do this in a ".htaccess"-file or in the "httpd.conf"-file.

Regards
Metin

Anon

Hey Metin,

Now you're talking. That just might be a possibility. I'll look into the 'referrer' directive for the .htaccess file.

This also would seem to be why there hasn't been an answer to the question on the other lists I found.

Of course we would much prefer to use the Header() function but the very version of IE our client is using (IE 5 on W2K) doesn't support it.

This would seem to be a very basic way to handle low level security for access to files in directories that don't have to be protected by anything more than a .htaccess file. I'm surprised this hasn't been addressed or doesn't come up more often.

Thanks again for the info and help.

-shane

Anon

...OK. Now can someone point me to how to do this. Just spent 2 hours with Apache books and websites and am no closer on how to implement this.

Embarrassed to say it but everything I've tried just returns 505 Internal server errors.

Thanks in advance... again.

-shane

Anon

Try this:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^{http://www.your_server.com/}
RewriteRule /* http://www.your_server.com/login.php [R,L]