html/php form for .htaccess validation
Join Date: Mar 2005
Posts: 7
Reputation:
Solved Threads: 0
Until Microsoft released their security update to IE, I used an html form for the user to input his/her username/password which was passed to ‘username: password@www.domain.com/restricted_directory’.
The IE patch now restricts this.
When AuthUserFile is in my .htaccess file and I try to access a restricted file, the browser brings up a login popup and I can gain access.
My goal is to log in through my html form. I'm very close to getting this working, but I don't understand how the $auth = false or true gets passed.
Could it be the <LIMIT GET POST PUT> require valid-user</LIMIT> in the .htaccess needs to change? Or is something else missing from my .htaccess file?
Do I need something like auth($_SESSION['user'], $_SESSION['pass']) in the .htaccess file?
I hope this thread helps other people with this problem. I've Googled the heck out of this issue and there are no good examples…
I've added my auth.php and .htaccess files below.
I feel that I'm so close, but can't get past the finish line.
Also, my DB is Apache.
My auth.php file looks like this…
[php]<?php
session_start();
$PHP_AUTH_USER = $_POST['username'];
$PHP_AUTH_PW = $_POST['password'];
if (!isset($PHP_AUTH_USER)) $PHP_AUTH_USER = $_COOKIE['username'];
if (!isset($PHP_AUTH_PW)) $PHP_AUTH_PW = $_COOKIE['password'];
$auth = false; // Assume user is not authenticated
if (isset( $PHP_AUTH_USER ) && isset($PHP_AUTH_PW)) {
    // Read the entire file into the variable $file_contents
    $filename = '/usr/local/zeus/web_roots/main/domain.com/cgi-bin/pa/passwordfile.txt';
    $fp = fopen( $filename, 'r' );
    $file_contents = fread( $fp, filesize( $filename ) );
    fclose( $fp );
    // Place the individual lines from the file contents into an array.
    $lines = explode ( "\n", $file_contents );
    // Split each of the lines into a username and a password pair
    // and attempt to match them to $PHP_AUTH_USER and $PHP_AUTH_PW.
    foreach ( $lines as $line ) {
        list( $username, $password ) = explode( ':', $line );
        if ( $username == "$PHP_AUTH_USER" ) {
            // Get the salt from $password. It is always the first
            // two characters of a DES-encrypted string.
            $salt = substr( $password , 0 , 2 );
            // Encrypt $PHP_AUTH_PW based on $salt
            $enc_pw = crypt( $PHP_AUTH_PW, $salt );
            if ( $password == "$enc_pw" ) {
                // A match is found, meaning the user is authenticated.
                // Stop the search.
                $auth = true;
                setcookie('username',$PHP_AUTH_USER,time()+36000);
                setcookie('password',$PHP_AUTH_PW,time()+36000);
                break;
            }
        }
    }
}
if ( ! $auth ) {
    header( 'WWW-Authenticate: Basic realm="Private"' );
    header( 'HTTP/1.0 401 Unauthorized' );
    echo 'Authorization Required.';
    exit;
} else {
    header( 'Location:first.htm' );
}
?> [/php]
My .htaccess file looks like this…
[code]
AuthType Basic
AuthName "Making Doors Open"
AuthGroupFile /dev/null/
php_value auto_prepend_file "/usr/local/zeus/web_roots/main/domainname.com/auth.php"
<LIMIT GET POST PUT>
require valid-user
</LIMIT>
[/code]
Last edited by tgreer; Oct 31st, 2006 at 8:12 pm. Reason: Added missing code tags.
Join Date: Mar 2005
Posts: 7
Reputation:
Solved Threads: 0
This link may help.
http://www.php.net/manual/en/features.http-auth.php
Originally Posted by tarik
I'm currently working on the same problem.. I'll let you know if I have any luck with it!
Tarik
Join Date: Mar 2005
Posts: 2
Reputation:
Solved Threads: 0
I've had a look through your code and perhaps I am overlooking something, but I am slightly confused about exactly what you are trying to achieve...
You mention that you used to log in using username:password@domain.com, using htaccess authentication, and you say that your goal is to log in through your html form. From this I would presume that you wanted to continue using the basic htaccess authentication, whilst logging in through the form rather than the popup window (which is what I am attempting myself).
Your code suggests that you are not using htaccess authentication any more - you are writing your own authentication which checks against a custom database file, which is fine, but I don't understand why you need to specify AuthType Basic, or anything within the <LIMIT GET PUT> section in the htaccess file, as it is no longer needed.
Rather than needing something like auth($_SESSION['user'], $_SESSION['pass']) in the .htaccess file, it looks to me like all you need is to save auth=true in your Session...
e.g., when you establish that the username / password combination is valid then do this...
$_SESSION['auth'] = true;
This variable will now be accessible to you as you navigate around the site.
Whenever a new page is loaded, test whether the user is authenticated by using...
if ( $_SESSION['username'] == true )
{
    // Display HTML Content
}
Is this what you are trying to achieve?
Tarik
Join Date: Mar 2005
Posts: 7
Reputation:
Solved Threads: 0
Removing AuthType Basic and <LIMIT GET PUT> from my .htaccess file makes sense.
I can replace $auth = true; with $_SESSION['auth'] = true; and $auth = false; with $_SESSION['auth'] = false;.
Do you think that I still need
setcookie('username',$PHP_AUTH_USER,time()+36000);
setcookie('password',$PHP_AUTH_PW,time()+36000);
The part I'm having trouble understanding is how to bridge the gap from my auth.php file to having access.
My HTML form's action points to a file in my restricted directory. When it tries to access that file, the .htaccess file directs the username and password to the auth.php file, which validates against my username/password file. If it's valid => “$_SESSION['auth'] = true;”.
Where would I add this?
if ( $_SESSION['username'] == true )
{ www.domain.com/path/to/restricted/field.html }
I added it to my .htaccess file and when I logged in got the following error => Error 405 Method Not Allowed.
Any ideas? You mentioned that you're trying to get this working. Have you been able to? If not, what roadblocks have you run into?
Join Date: Oct 2006
Posts: 1
Reputation:
Solved Threads: 0
I am having the same problem. Did you come up with a solution???
I read that it's impossible to do this.
I have a bunch of cgi scripts with .htaccess. I need to give access to these scripts only to users who logged in with the same usr/pswd as that in the htpasswd file.
I was wondering if anyone had a solution to this problem. I am in desperate need of code to create a log-in form with a .htaccess file.
I would very much appreciate any help.
Thanks,
DW5
Is the problem how to let .htaccess know that the user is authorized and set this in php?
I've never used .htaccess for authentication before so I wouldn't know, but I can suggest that you remove .htaccess altogether, and use just php if you are desperate. You can still do the exact same thing, read the user and pass from the password file, but have authentication rely on php alone... if you're desperate...
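A sketch of the PHP-only approach the last two replies describe, added here as an example and not code from any poster in the thread: the form posts to a login handler that checks the password file and stores only a flag in the session, and each protected PHP page calls a guard. The `PASSWORD_FILE` path, `/login.html` and the function names are assumptions; the `username`/`password` field names and `first.htm` are taken from the original post.

```php
<?php
// Added example, not code from the thread. PASSWORD_FILE and /login.html are placeholders.
const PASSWORD_FILE = '/path/outside/webroot/passwordfile.txt';

// Return the stored hash for $user from htpasswd-style text ("user:hash" per line).
function find_hash(string $fileContents, string $user): ?string
{
    foreach (preg_split('/\R/', $fileContents) as $line) {
        $parts = explode(':', trim($line), 2);
        if (count($parts) === 2 && $parts[0] === $user) {
            return $parts[1];
        }
    }
    return null;
}

// crypt() takes scheme and salt from the stored hash; hash_equals() compares in constant time.
function check_login(string $fileContents, string $user, string $password): bool
{
    $hash = find_hash($fileContents, $user);
    return $hash !== null && hash_equals($hash, (string) crypt($password, $hash));
}

// Call from the script the HTML form posts to (fields: username, password).
function handle_login(): void
{
    session_start();
    $user = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    if (check_login((string) file_get_contents(PASSWORD_FILE), $user, $pass)) {
        session_regenerate_id(true);   // fresh session ID once authenticated
        $_SESSION['auth'] = true;      // keep a flag server-side, not the password
        header('Location: first.htm');
    } else {
        http_response_code(401);
        echo 'Authorization Required.';
    }
    exit;
}

// Call at the top of every protected PHP page (or via auto_prepend_file).
function require_login(): void
{
    session_start();
    if (empty($_SESSION['auth'])) {
        header('Location: /login.html');
        exit;
    }
}
```

The guard only covers requests that PHP actually handles, so static files such as `first.htm` or CGI scripts served directly by the web server are not protected by it. Password-file entries in Apache's own `$apr1$` or `{SHA}` formats are not understood by `crypt()` and will never match here.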






