Boat_2005 (Newbie Poster)

html/php form for .htaccess validation

  #1  
Mar 28th, 2005
Until Microsoft released their security update to IE, I used an html form for the user to input his/her username/password which was passed to ‘username: password@www.domain.com/restricted_directory’.
The IE patch now restricts this.

When AuthUserFile is in my .htaccess file and I try to access a restricted file, the browser brings up a login popup and I can gain access.

My goal is to log in through my html form. I’m very close to getting this working, but I don’t understand how the $auth = false or true gets passed.

Could it be the <LIMIT GET POST PUT> require valid-user</LIMIT> in the .htaccess needs to change?
Or is something else missing from my .htaccess file?
Do I need something like auth($_SESSION['user'], $_SESSION['pass']) in the .htaccess file?

I hope this thread helps other people with this problem. I’ve Googled the heck out of this issue and there are no good examples…
I’ve added my auth.php and .htaccess files below.
I feel that I’m so close, but can’t get past the finish line.

Also, my DB is Apache.


My auth.php file looks like this ….

[php]<?php
session_start();

// Credentials come from the login form, or from the cookies set below
// after an earlier successful login.
$PHP_AUTH_USER = isset( $_POST['username'] ) ? $_POST['username'] : null;
$PHP_AUTH_PW = isset( $_POST['password'] ) ? $_POST['password'] : null;
if ( !isset( $PHP_AUTH_USER ) && isset( $_COOKIE['username'] ) ) $PHP_AUTH_USER = $_COOKIE['username'];
if ( !isset( $PHP_AUTH_PW ) && isset( $_COOKIE['password'] ) ) $PHP_AUTH_PW = $_COOKIE['password'];

$auth = false; // Assume user is not authenticated

if ( isset( $PHP_AUTH_USER ) && isset( $PHP_AUTH_PW ) ) {

    // Read the entire file into the variable $file_contents

    $filename = '/usr/local/zeus/web_roots/main/domain.com/cgi-bin/pa/passwordfile.txt';
    $fp = fopen( $filename, 'r' );
    $file_contents = fread( $fp, filesize( $filename ) );
    fclose( $fp );

    // Place the individual lines from the file contents into an array.

    $lines = explode( "\n", $file_contents );

    // Split each of the lines into a username and a password pair
    // and attempt to match them to $PHP_AUTH_USER and $PHP_AUTH_PW.

    foreach ( $lines as $line ) {

        // Skip blank or malformed lines that hold no "user:hash" pair.
        if ( strpos( $line, ':' ) === false ) continue;

        list( $username, $password ) = explode( ':', trim( $line ), 2 );

        if ( $username == "$PHP_AUTH_USER" ) {

            // Get the salt from $password. It is always the first
            // two characters of a DES-encrypted string.

            $salt = substr( $password, 0, 2 );

            // Encrypt $PHP_AUTH_PW based on $salt

            $enc_pw = crypt( $PHP_AUTH_PW, $salt );

            if ( $password == "$enc_pw" ) {

                // A match is found, meaning the user is authenticated.
                // Stop the search.

                $auth = true;

                // Both cookies last 10 hours; the second one holds the
                // plaintext password.
                setcookie( 'username', $PHP_AUTH_USER, time() + 36000 );
                setcookie( 'password', $PHP_AUTH_PW, time() + 36000 );
                break;

            }

        }
    }

}

if ( ! $auth ) {

    header( 'WWW-Authenticate: Basic realm="Private"' );
    header( 'HTTP/1.0 401 Unauthorized' );
    echo 'Authorization Required.';
    exit;

} else {

    header( 'Location: first.htm' );
    exit;
}

?> [/php]
My .htaccess file looks like this….

AuthType Basic 
AuthName "Making Doors Open" 
AuthGroupFile /dev/null/ 

php_value auto_prepend_file "/usr/local/zeus/web_roots/main/domainname.com/auth.php" 

<LIMIT GET POST PUT> 
require valid-user 
</LIMIT> 
Last edited by tgreer : Oct 31st, 2006 at 8:12 pm. Reason: Added missing code tags.
Boat_2005 (Newbie Poster)

Re: html/php form for .htaccess validation - Can anyone help?

  #2  
Mar 29th, 2005
Can anyone help?
tarik (Newbie Poster)

Re: html/php form for .htaccess validation - Can anyone help?

  #3  
Mar 30th, 2005
I'm currently working on the same problem.. I'll let you know if I have any luck with it!

Tarik

Originally Posted by Boat_2005
Can anyone help?
Boat_2005 (Newbie Poster)

Re: html/php form for .htaccess validation - Can anyone help?

  #4  
Mar 30th, 2005
That’s great! I hope this thread helps you. I believe that the code I added to this thread is 90% complete. If you figure out the rest that would be incredible..

Originally Posted by tarik
I'm currently working on the same problem.. I'll let you know if I have any luck with it!

Tarik
Boat_2005 (Newbie Poster)

Re: html/php form for .htaccess validation - Can anyone help?

  #5  
Mar 31st, 2005
This link may help.
http://www.php.net/manual/en/features.http-auth.php

Originally Posted by tarik
I'm currently working on the same problem.. I'll let you know if I have any luck with it!

Tarik
tarik (Newbie Poster)

Re: html/php form for .htaccess validation

  #6  
Mar 31st, 2005
I've had a look through your code and perhaps I am overlooking something but I am slightly confused exactly what you are trying to achieve...

You mention that you used to login using username:password@domain.com, using htaccess authentication and you say that your goal is to login through your html form. From this I would presume that you wanted to continue using the basic htaccess authentication, whilst logging in through the form rather than the popup window (which is what I am attempting myself).

Your code suggests that you are not using htaccess authentication any more - you are writing your own authentication which checks against a custom database file, which is fine, but I don't understand why you need to specify AuthType Basic, or anything within the <LIMIT GET PUT> section in the htaccess file as it is no longer needed.

Rather than needing something like auth($_SESSION['user'], $_SESSION['pass']) in the .htaccess file, it looks to me like all you need is to save auth=true in your Session...

e.g, when you establish that the username / password combination is valid then do this...

$_SESSION['auth'] = true;

This variable will now be accessible to you as you navigate around the site.

Whenever a new page is loaded, test whether the user is authenticated by using...

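// Test the 'auth' flag set at login; isset() avoids a notice before login.
if ( isset( $_SESSION['auth'] ) && $_SESSION['auth'] == true )
{
    // Display HTML Content
}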

Is this what you are trying to achieve?

Tarik
Boat_2005 (Newbie Poster)

Re: html/php form for .htaccess validation

  #7  
Apr 1st, 2005
Removing AuthType Basic and <LIMIT GET PUT> from my .htaccess file makes sense.

I can replace $auth = true; with $_SESSION['auth'] = true; and $auth = false; with $_SESSION['auth'] = false;.

Do you think that I still need
setcookie('username',$PHP_AUTH_USER,time()+36000);
setcookie('password',$PHP_AUTH_PW,time()+36000);

The part I’m having trouble understanding is how to bridge the gap from my auth.php file to having access.
My HTML form's action points to a file in my restricted directory. When it tries to access that file the .htaccess file directs the username and password to the auth.php file which validates against my username/password file. If it’s valid => “$_SESSION['auth'] = true;”.

Where would I add this?
if ( $_SESSION['username'] == true )
{ www.domain.com/path/to/restricted/field.html }

I added it to my .htaccess file and when I logged in got the following error => Error 405 Method Not Allowed.

Any ideas? You mentioned that you're trying to get this working. Have you been able to? If not, what road blocks have you run into?
psk79 (Newbie Poster)

Re: html/php form for .htaccess validation

  #8  
Apr 28th, 2005
I am having the same problem. Did you come up with a solution ???

I read that it's impossible to do this.
I have a bunch of cgi scripts with .htaccess. I need to give access to these scripts only to users who logged in with same usr/pswd as that in htpasswd file.
DW5 (Newbie Poster)

Re: html/php form for .htaccess validation

  #9  
Oct 31st, 2006
Originally Posted by psk79
I am having the same problem. Did you come up with a solution ???

I read that it's impossible to do this.
I have a bunch of cgi scripts with .htaccess. I need to give access to these scripts only to users who logged in with same usr/pswd as that in htpasswd file.



I was wondering if anyone had a solution to this problem. I am in desperate need of code to create a log-in form with a .htaccess file.


I would very much appreciate any help.


Thanks,

DW5
digital-ether (Moderator, Master Poster)

Re: html/php form for .htaccess validation

  #10  
Nov 3rd, 2006
Is the problem how to let .htaccess know that the user is authorized and set this in PHP?

I've never used .htaccess for authentication before so I wouldn't know, but I can suggest that you remove .htaccess altogether, and use just PHP if you are desperate. You can still do the exact same thing, read the user and pass from the password file, but have authentication rely on PHP alone... if you're desperate...
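
The approach suggested in posts #6 and #10 (check the form's username and password against the password file in PHP, then record the result in the session), written out as an added example that is not code from any poster in this thread. It assumes the file holds crypt()-compatible hashes; PASSWORD_FILE and /login.html are placeholders.

```php
<?php
// Added example: verify a login form against an htpasswd-style file and keep
// the result in the server-side session instead of username/password cookies.
const PASSWORD_FILE = '/path/to/passwordfile.txt'; // placeholder path (assumption)
// True if $user/$pass match a "user:hash" line. Only crypt()-compatible hashes
// (e.g. from htpasswd -d or -B) can match; $apr1$ and {SHA} entries never do.
function htpasswd_verify(string $file, string $user, string $pass): bool
{
    // An unreadable file yields no entries, so the check fails closed.
    $lines = @file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
    foreach ($lines as $line) {
        $parts = explode(':', trim($line), 2);
        if (count($parts) === 2 && hash_equals($parts[0], $user)) {
            // Re-hashes $pass with the stored salt, compares in constant time.
            return password_verify($pass, $parts[1]);
        }
    }
    return false;
}

// Call at the top of every protected PHP page, after session_start().
function require_login(): void
{
    if (empty($_SESSION['auth'])) {
        header('Location: /login.html'); // hypothetical login form
        exit;
    }
}

if (PHP_SAPI === 'cli') {
    // Demo on constructed data: one bcrypt entry and one legacy DES entry.
    $file = tempnam(sys_get_temp_dir(), 'pw');
    file_put_contents($file, 'alice:' . password_hash('s3cret', PASSWORD_BCRYPT)
        . "\nbob:" . crypt('hunter2', 'ab') . "\n");
    var_dump(htpasswd_verify($file, 'alice', 's3cret'),
        htpasswd_verify($file, 'bob', 'hunter2'), htpasswd_verify($file, 'bob', 'wrong'));
    unlink($file);
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    session_start();
    [$u, $p] = [$_POST['username'] ?? '', $_POST['password'] ?? ''];
    if (is_string($u) && is_string($p) && htpasswd_verify(PASSWORD_FILE, $u, $p)) {
        session_regenerate_id(true); // new session id once authenticated
        $_SESSION['auth'] = true;    // the flag tested by require_login()
        header('Location: first.htm');
        exit;
    }
    http_response_code(401);
    echo 'Authorization Required.';
}
```

The guard only covers content served through PHP; a static file such as first.htm stays directly reachable unless it is routed through a script that calls require_login().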
Forum system based on vBulletin Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
©2003 - 2008 DaniWeb® LLC