html/php form for .htaccess validation
Is the problem how to let .htaccess know that the user is authorized and set this in PHP?
I've never used .htaccess for authentication before so I wouldn't know, but I can suggest that you remove .htaccess altogether and use just PHP if you are desperate. You can still do the exact same thing, read the user and pass from the password file, but have authentication rely on PHP alone... if you're desperate...
See, the issue I am having is this. I have used PHP / MySQL login authentication to secure all of the PHP pages in the members area of a site. The problem I have is: what if there are HTML files or PDF files in the members folder that I don't want people to have access to?
For example, my members folder is /public_html/members/ and I have a documents folder in there where I store PDF files for members only at /public_html/members/documents/. If I only use PHP for authentication (i.e. user/pass from a MySQL database) then someone can browse directly to one of the PDF files and view it without a password (i.e. www.domainname.com/members/documents/file1.php). The only way I know of to prevent this is with an .htaccess file. I need to maintain the PHP login which integrates with the MySQL table since the members area is customized per member.
Can anyone give me an idea as to what I need to do?
Thank you.
Keith G
.htaccess does make it a bit complex. It would be simpler if you just place all the member files under the web root (below public_html in this case).
This way it cannot be accessed directly from the web.
Then you can have a single PHP file that:
1) authenticates the user's session.
2) retrieves the requested file from below the web root.
3) appends the correct Content-Type HTTP header for file download or the file type being requested.
4) dumps the file to HTTP (echo $filecontents) so the browser will download the file.
This method can even allow resuming of file downloads etc.
It does put an extra load on the PHP server as file contents have to be read into PHP before being sent over HTTP...
You can get example code in the PHP manual under the function: header
http://www.php.net/header
Here's an example:
[php]
<?php
// $url holds the server-side path of the file to send; it is set only after
// the two checks listed below this snippet have passed
$mm_type = "application/octet-stream";
header("Cache-Control: public, must-revalidate");
header("Pragma: public");
header("Content-Type: " . $mm_type);
header("Content-Length: " . (string)filesize($url));
header('Content-Disposition: attachment; filename="' . basename($url) . '"');
// no newline inside a header value: header() rejects it
header("Content-Transfer-Encoding: binary");
// read the whole file into memory and send it to the browser
$fp = fopen($url, 'rb');
$buffer = fread($fp, filesize($url));
fclose($fp);
print $buffer;
exit;
?>
[/php]
You can insert this into a page, after you have validated:
1) The user has a session (is logged in)
2) The file exists and user has access to download it. (very important)
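The reply sketches the gatekeeper in four steps and then names the two checks that must run first. Here is the whole thing in one PHP file, as an added example that is not the reply's own code. Everything it relies on is an assumption for the example: a directory /home/site/private_docs that lies outside the web root, a login script that stores the member id in $_SESSION['member_id'], a db.php that creates a PDO handle $pdo, and a member_files table mapping member_id to filename. The requested name is reduced to its base name and then resolved with realpath(), so a name containing directory parts cannot escape the private directory, and the per-member lookup is what stops one member from fetching another member's documents.

```php
<?php
// download.php - added example, not the reply's own code.
// Assumptions (all hypothetical): PRIVATE_DIR is outside the web root,
// login stores the member id in $_SESSION['member_id'], db.php creates a
// PDO handle $pdo, and table member_files(member_id, filename) records
// which documents each member may download.
declare(strict_types=1);
session_start();
require __DIR__ . '/db.php';   // assumed to define $pdo

const PRIVATE_DIR = '/home/site/private_docs';

// does the members database grant this file to this member? (assumed schema)
function memberMayDownload(PDO $pdo, int $memberId, string $filename): bool
{
    $stmt = $pdo->prepare(
        'SELECT 1 FROM member_files WHERE member_id = ? AND filename = ?'
    );
    $stmt->execute([$memberId, $filename]);
    return $stmt->fetchColumn() !== false;
}

// resolve a requested name to a real file inside PRIVATE_DIR, or null
function resolvePrivateFile(string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath(PRIVATE_DIR);
    if ($base === false) {
        return null;
    }
    // basename() discards any directory part; realpath() then proves the
    // result (symlinks followed) still lies inside the private directory
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    if ($path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// 1) the user must have a session (be logged in)
if (empty($_SESSION['member_id'])) {
    http_response_code(403);
    exit('Not logged in.');
}

// 2) the file must exist and be granted to this member
$path = resolvePrivateFile((string)($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('No such file.');
}
if (!memberMayDownload($pdo, (int)$_SESSION['member_id'], basename($path))) {
    http_response_code(403);
    exit('Access denied.');
}

// 3) + 4) send the headers and stream the file to the browser
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
exit;
```

A link in the members area would then point at download.php?file=report.pdf rather than at the PDF itself. readfile() streams the file in chunks instead of loading it into a PHP string, which keeps the extra server load the reply mentions small even for large documents.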
www.fijiwebdesign.com - web design and development and fun
I am also having a problem very similar: I want to create a login exactly like the way .htaccess works but without the annoying dialogue pop-up (I hate them). Can anyone help me?
Thanks,
Kirk
Until Microsoft released their security update to IE, I used an HTML form for the user to input his/her username/password, which was passed to 'username:password@www.domain.com/restricted_directory'.
The IE patch now restricts this. ...
[HTML]<script>
// url of Basic Authentication page
var auth_url = 'protected/index.php';
// url user wants to access
var private_url = 'protected/files/file.zip';
function getPrivatePage() {
    var user = document.getElementById('user').value;
    var pw = document.getElementById('pw').value;
    // create and execute an XMLHttpRequest
    var xmlhttp = false;
    if (window.XMLHttpRequest) {
        xmlhttp = new XMLHttpRequest();
    } else if (window.ActiveXObject) {
        // find latest XMLHTTP implementation on IE
        var versions = [
            "Msxml2.XMLHTTP.7.0",
            "Msxml2.XMLHTTP.6.0",
            "Msxml2.XMLHTTP.5.0",
            "Msxml2.XMLHTTP.4.0",
            "MSXML2.XMLHTTP.3.0",
            "MSXML2.XMLHTTP",
            "Microsoft.XMLHTTP"];
        var n = versions.length;
        for (var i = 0; i < n; i++) {
            try {
                // assign to the same variable that is tested below
                xmlhttp = new ActiveXObject(versions[i]);
                if (xmlhttp) {
                    break;
                }
            } catch (e) { /* try next */ }
        }
    }
    if (!xmlhttp) {
        // no XMLHttpRequest support: fall back to the browser's own login prompt
        location.href = auth_url;
        return false;
    }
    xmlhttp.onreadystatechange = function() { handleGetPrivatePageResponse(xmlhttp); };
    // the user/pw arguments let the browser answer the server's Basic Auth challenge
    xmlhttp.open('GET', auth_url, true, user, pw);
    xmlhttp.send(null);
    return false;
}
function handleGetPrivatePageResponse(xmlhttp) {
    if (xmlhttp.readyState == 4) {
        if (xmlhttp.status == 200) {
            alert('Log in successful.');
            location.href = private_url;
        } else if (xmlhttp.status == 401) {
            alert('The Username and password are incorrect. Please try again.');
        } else {
            alert('An unknown Error Occurred. HTTP Status: ' + xmlhttp.status);
        }
    }
}
</script>
<fieldset>
<legend>Enter A Username and Password to Access the Private Area</legend>
<input type="text" name="user" id="user" />
<!-- a password field, so the password is not shown on screen -->
<input type="password" name="pw" id="pw" />
<input type="button" onclick="getPrivatePage();" value="Enter" />
</fieldset>[/HTML]
What it does is circumvent the browser address bar by making an XMLHttpRequest call to a page protected by Basic Auth.
The XMLHttpRequest will pass the username and password of the user to this page, and if authenticated successfully the page will respond with an HTTP status of "200".
If the authentication fails then the response will be "401".
The XMLHttpRequest reads the HTTP status responses and keeps asking for a username and password until it gets a "200" response from the page.
Once authenticated, the browser will cache the username and password (this is done automatically by browsers when implementing Basic Auth). This allows you to redirect to the actual page the user wants to visit.
This works no matter how you implement Basic Auth on the server: via PHP, via .htaccess, etc.
The only problem I have seen is that Firefox will open the default prompt for authentication if the authentication by XMLHttpRequest fails. This does not happen with IE. This may not be a Firefox bug, just their implementation.
The workaround for this would be to implement HTTP Authentication with PHP and respond with an HTTP response status of "403" or something similar instead of "401", which triggers the login prompt/box in Firefox.
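An auth_url written the way the last paragraph suggests, as an added PHP example that is not code from the post: it implements HTTP Basic Authentication in PHP (the approach at http://php.net/features.http-auth) and replies 403 rather than 401 once credentials have been presented and rejected, so the XMLHttpRequest receives a status it can report without Firefox opening its own dialog. The 401 challenge is still sent when no credentials are present at all, because that challenge is what makes the browser submit the user/pw given to open(). Assumed, not from the page: PHP runs as an Apache module (which is what fills $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']), db.php creates a PDO handle $pdo, and a members table stores password_hash() output in a password_hash column.

```php
<?php
// auth.php - added example, not the post's own code.
// Assumptions (hypothetical): PHP runs as an Apache module so the Basic
// Auth credentials arrive in $_SERVER['PHP_AUTH_USER'] / ['PHP_AUTH_PW'];
// db.php creates a PDO handle $pdo; table members(username, password_hash)
// stores password_hash() strings.
declare(strict_types=1);
require __DIR__ . '/db.php';   // assumed to define $pdo

const REALM = 'Members Area';

// fetch the stored hash for a username, or null if the user is unknown
function storedHash(PDO $pdo, string $user): ?string
{
    $stmt = $pdo->prepare('SELECT password_hash FROM members WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : (string)$hash;
}

// decide the status for a request: 401 = challenge, 403 = rejected, 200 = accepted
function authStatus(PDO $pdo, ?string $user, ?string $pw): int
{
    if ($user === null || $pw === null) {
        return 401;               // nothing presented yet
    }
    $hash = storedHash($pdo, $user);
    if ($hash === null || !password_verify($pw, $hash)) {
        return 403;               // wrong user or password
    }
    return 200;
}

$status = authStatus(
    $pdo,
    $_SERVER['PHP_AUTH_USER'] ?? null,
    $_SERVER['PHP_AUTH_PW'] ?? null
);

switch ($status) {
    case 401:
        // No credentials yet: send the Basic challenge. A browser whose
        // XMLHttpRequest was opened with (user, pw) answers it automatically.
        header('WWW-Authenticate: Basic realm="' . REALM . '"');
        http_response_code(401);
        exit('Authentication required.');
    case 403:
        // Rejected: 403 without a WWW-Authenticate header, so the browser
        // hands the failure to the script instead of opening its own prompt.
        http_response_code(403);
        exit('Invalid username or password.');
    default:
        // Accepted: the browser keeps these credentials for this realm and
        // presents them again when the script redirects to private_url.
        header('Content-Type: text/plain');
        echo 'OK';
}
```

Because the page's script treats only 401 as "wrong password", its handleGetPrivatePageResponse() should test for 403 as well when paired with this endpoint. Browsers reuse cached Basic credentials only within the same protection space, so private_url should sit on the same host as auth_url and, if it is guarded by .htaccess, that directory's AuthName should match REALM; this is also why http://host.com and http://www.host.com behave as two separate logins.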
Could you explain if this script can also be used to make a web-based .htaccess login to directories where the username is the protected directory to which the user is pointed at login?
E.g. username = apple
with password will go to host.com/apple (where apple is a .htaccess protected directory).
If so, could you explain what to do with:
[HTML]
// url of Basic Authentication page
var auth_url = '.....';
// url user wants to access
var private_url = '.....';
[/HTML]
And give some hints about how to install the script. Thanks a lot in advance!
[HTML]
// url of Basic Authentication page
var auth_url = '.....';
// url user wants to access
var private_url = '.....';[/HTML]
auth_url can be either a PHP implementation of Basic Auth (http://php.net/features.http-auth) or an actual protected page.
private_url is the page you want to redirect to when the user is logged in successfully (a private page).
If you don't have a PHP script implementing Basic Auth, then both URLs are the same.
In your case it would be:
[HTML]
// url of Basic Authentication page
var auth_url = 'http://host.com/apple';
// url user wants to access
var private_url = 'http://host.com/apple';[/HTML]
You just place the whole script (JS code and HTML form) inside a non-protected page on the same domain.
Different domains:
If you want to get past the same-domain restriction in XMLHttpRequest then you'll have to use a PHP HTTP proxy. The PHP proxy should just take the HTTP request and mirror the same request to the remote domain, then receive the HTTP response from the remote domain and mirror it back to the client.
Thanks a lot for that!
But what to do when the private_url directory is not clear yet (because it is based on what the user will type in the form as its username)?
Can the directory name be a variable based on what the user inputs in the form as its username?
Here's the first part of the code.
[HTML]
// url of Basic Authentication page
var auth_url = 'protected/index.php';
// url user wants to access
var private_url = 'protected/files/file.zip';
function getPrivatePage() {
    var user = document.getElementById('user').value;
    var pw = document.getElementById('pw').value;
[/HTML]
The function getPrivatePage() is executed when a user clicks on the submit button (it would actually be better to attach this to the form's submit handler).
What you can do is check if the username is set when the user has clicked the button; if it is, then append the username to your private URL.
eg:
[HTML]
// url of Basic Authentication page
var auth_url = 'protected/index.php';
// url user wants to access
var private_url = 'protected/files/file.zip';
function getPrivatePage() {
    var user = document.getElementById('user').value;
    var pw = document.getElementById('pw').value;
    // only build the per-user url when a username was actually entered
    if (user.length > 0) {
        private_url = 'http://example.com/' + encodeURIComponent(user) + '/';
    }
    // ... rest of the function as before
}
[/HTML]
If you want to support older browsers (IE 5.5, I believe, supports XMLHttpRequest but not encodeURIComponent()) then you'll have to first check if encodeURIComponent() is supported.
eg:
[HTML]
/**
 * the escape() method in Javascript is deprecated
 */
function encode(uri) {
    if (typeof encodeURIComponent == 'function') {
        return encodeURIComponent(uri);
    } else if (typeof escape == 'function') {
        return escape(uri);
    } else {
        return uri;
    }
}
[/HTML]
Then when you use URIs do:
[HTML]
if (user.length > 0) {
    private_url = 'http://example.com/' + encode(user) + '/';
}
[/HTML]
for example.
There are also some values passed via HTTP in the XMLHttpRequest that are not URL-encoded. You may want to URL-encode them.
Since auth_url and private_url are the same in my case, should I include
[HTML]
function getPrivatePage() {
    var user = document.getElementById('user').value;
    var pw = document.getElementById('pw').value;
    if (user.length > 0) {
        private_url = 'http://example.com/' + encodeURIComponent(user) + '/';
    }
}
[/HTML]
also for auth_url?
Furthermore, when I tested the script it seems to make a difference
if I use http://host.com or http://www.host.com.
Is it possible to make both work?
Thanks again in advance!