html/php form for .htaccess validation

Until Microsoft released their security update to IE, I used an html form for the user to input his/her username/password which was passed to ‘username: password@www.domain.com/restricted_directory’. The IE patch now restricts this. When AuthUserFile is in my .htaccess file and I try to access a restricted file, the browser brings up a login popup and I can gain access. My goal is to login through my html form.

I’m very close to getting this working, but I don’t understand how the $auth = false or true gets passed. Could it be the <LIMIT GET POST PUT> require valid-user</LIMIT> in the .htaccess needs to change? Or is something else missing from my .htaccess file? Do I need something like auth($_SESSION['user'], $_SESSION['pass']) in the .htaccess file?

I hope this thread helps other people with this problem. I’ve Googled the heck out of this issue and there are no good examples… I’ve added my auth.php and .htaccess files below. I feel that I’m so close, but can’t get past the finish line. Also, my DB is Apache.

My auth.php file looks like this ….

[php]<?php
session_start();

// Credentials come from the posted form, falling back to the cookies set below.
$PHP_AUTH_USER = $_POST['username'] ?? $_COOKIE['username'] ?? null;
$PHP_AUTH_PW = $_POST['password'] ?? $_COOKIE['password'] ?? null;

$auth = false; // Assume user is not authenticated

if (isset($PHP_AUTH_USER) && isset($PHP_AUTH_PW)) {
    // Read the entire file into the variable $file_contents
    $filename = '/usr/local/zeus/web_roots/main/domain.com/cgi-bin/pa/passwordfile.txt';
    $fp = fopen($filename, 'r');
    $file_contents = fread($fp, filesize($filename));
    fclose($fp);

    // Place the individual lines from the file contents into an array.
    $lines = explode("\n", $file_contents);

    // Split each of the lines into a username and a password pair
    // and attempt to match them to $PHP_AUTH_USER and $PHP_AUTH_PW.
    foreach ($lines as $line) {
        // Skip blank or malformed lines that hold no username:password pair.
        if (strpos($line, ':') === false) {
            continue;
        }
        list($username, $password) = explode(':', trim($line), 2);
        if ($username == "$PHP_AUTH_USER") {
            // Get the salt from $password. It is always the first
            // two characters of a DES-encrypted string.
            $salt = substr($password, 0, 2);
            // Encrypt $PHP_AUTH_PW based on $salt
            $enc_pw = crypt($PHP_AUTH_PW, $salt);
            if ($password == "$enc_pw") {
                // A match is found, meaning the user is authenticated.
                // Stop the search.
                $auth = true;
                setcookie('username', $PHP_AUTH_USER, time()+36000);
                setcookie('password', $PHP_AUTH_PW, time()+36000);
                break;
            }
        }
    }
}

if (!$auth) {
    header('WWW-Authenticate: Basic realm="Private"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
} else {
    header('Location:first.htm');
}
?>[/php]

My .htaccess file looks like this…. AuthType Basic
| ||
| Re: html/php form for .htaccess validation - Can anyone help? Can anyone help? |
| ||
| Re: html/php form for .htaccess validation - Can anyone help? I'm currently working on the same problem.. I'll let you know if I have any luck with it! Tarik |
| ||
| Re: html/php form for .htaccess validation - Can anyone help? That’s great! I hope this thread helps you. I believe that the code I added to this thread is 90% complete. If you figure out the rest that would be incredible.. |
| ||
| Re: html/php form for .htaccess validation - Can anyone help? This link may help. http://www.php.net/manual/en/features.http-auth.php |
| ||
Re: html/php form for .htaccess validation

I've had a look through your code and perhaps I am overlooking something but I am slightly confused exactly what you are trying to achieve...

You mention that you used to login using username:password@domain.com, using htaccess authentication and you say that your goal is to login through your html form. From this I would presume that you wanted to continue using the basic htaccess authentication, whilst logging in through the form rather than the popup window (which is what I am attempting myself).

Your code suggests that you are not using htaccess authentication any more - you are writing your own authentication which checks against a custom database file, which is fine, but I don't understand why you need to specify AuthType Basic, or anything within the <LIMIT GET PUT> section in the htaccess file as it is no longer needed.

Rather than needing something like auth($_SESSION['user'], $_SESSION['pass']) in the .htaccess file, it looks to me like all you need is to save auth=true in your Session... e.g, when you establish that the username / password combination is valid then do this...

[php]$_SESSION['auth'] = true;[/php]

This variable will now be accessible to you as you navigate around the site. Whenever a new page is loaded, test whether the user is authenticated by using...

[php]if ( $_SESSION['auth'] == true ) {
    //Display HTML Content
}[/php]

Is this what you are trying to achieve?

Tarik
| ||
| Re: html/php form for .htaccess validation Removing AuthTypeBasic and <LIMIT GET PUT> from my .htaccess file makes sense. I can replace $auth = true; with $_SESSION['auth'] = true; and $auth = false; with $_SESSION['auth'] = false;. Do you think that I still need setcookie('username',$PHP_AUTH_USER,time()+36000); setcookie('password',$PHP_AUTH_PW,time()+36000); The part I’m having trouble understanding is how to bridge the gap from my auth.php file to having access. My HTML form's action points to a file in my restricted directory. When it tries to access that file the .htaccess file directs the username and password to the auth.php file which validates against my username/password file. If it’s valid => “$_SESSION['auth'] = true;”. Where would I add this? if ( $_SESSION['username'] == true ) { www.domain.com/path/to/restricted/field.html } I added it to my .htaccess file and when I logged in got the following error => Error 405 Method Not Allowed. Any ideas? You mentioned that you're trying to get this working. Have you been able to? If not what road blocks have you run into? |
| ||
| Re: html/php form for .htaccess validation I am having the same problem. Did u come up with a solution ??? I read that it's impossible to do this. I have a bunch of cgi scripts with .htaccess. I need to give access to these scripts only to users who logged in with same usr/pswd as that in htpasswd file. |
| ||
| Re: html/php form for .htaccess validation I was wondering if anyone had a solution to this problem. I am in desperate need of code to create a log-in form with a .htaccess file. I would very much appreciate any help. Thanks, DW5 |
| ||
| Re: html/php form for .htaccess validation Is the problem how to let .htaccess know that the user is authorized and set this in php? I've never used .htaccess for authentication before so I wouldn't know but I can suggest that you remove .htaccess altogether, and use just php if you are desperate. You can still do the exact same thing, read the user and pass from the password file, but have authentication rely on php alone. .. if you're desperate... |
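
The PHP-only route suggested in the replies above (check the form input against the password file, then keep only an `auth` flag in the session), as an added example that is not code from any poster in this thread. The function names, the placeholder `PASSWORD_FILE` path, and the `login.html` and `first.php` pages are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Assumes "user:hash" lines whose
// hashes PHP's crypt() understands (DES, "$1$", "$2y$"); Apache's "$apr1$"
// and "{SHA}" formats are not handled.
const PASSWORD_FILE = '/path/to/passwordfile.txt'; // placeholder path

function check_login(string $file, string $user, string $pass): bool
{
    $lines = @file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    foreach ($lines ?: [] as $line) {
        $parts = explode(':', rtrim($line), 2);
        if (count($parts) === 2 && $parts[0] === $user) {
            // password_verify() re-hashes with the salt embedded in the
            // stored hash and compares in constant time.
            return password_verify($pass, $parts[1]);
        }
    }
    return false; // unknown user or unreadable file
}

// auth.php calls this; the form posts "username" and "password" to it.
function handle_login(): void
{
    session_start();
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    if (is_string($user) && is_string($pass)
        && check_login(PASSWORD_FILE, $user, $pass)) {
        session_regenerate_id(true); // fresh session ID after login
        $_SESSION['auth'] = true;    // the key require_login() tests
        $_SESSION['user'] = $user;   // the password is never stored
        header('Location: first.php'); // hypothetical protected page
        exit;
    }
    http_response_code(401);
    echo 'Authorization Required.';
}

// Every protected PHP page calls this before sending any output.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['auth'])) {
        header('Location: login.html'); // hypothetical form page
        exit;
    }
}
```

The session check only runs in PHP pages that call `require_login()`; files Apache serves directly, such as static .htm pages or CGI scripts, never execute it and are protected only by whatever .htaccess rules remain.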