Mar 28th, 2005
0

html/php form for .htaccess validation

Until Microsoft released their security update to IE, I used an html form for the user to input his/her username/password which was passed to ‘username: password@www.domain.com/restricted_directory’.
The IE patch now restricts this.

When AuthUserFile is in my .htaccess file and I try to access a restricted file, the browser brings up a login popup and I can gain access.

My goal is to log in through my html form. I’m very close to getting this working, but I don’t understand how the $auth = false or true gets passed.

Could it be the <LIMIT GET POST PUT> require valid-user</LIMIT> in the .htaccess needs to change?
Or is something else missing from my .htaccess file?
Do I need something like auth($_SESSION['user'], $_SESSION['pass']) in the .htaccess file?

I hope this thread helps other people with this problem. I’ve Googled the heck out of this issue and there are no good examples…
I’ve added my auth.php and .htaccess files below.
I feel that I’m so close, but can’t get past the finish line.

Also, my DB is Apache.


My auth.php file looks like this ….

[php]<?php
session_start();

// Credentials come from the login form, falling back to the cookies set below.
$PHP_AUTH_USER = isset($_POST['username']) ? $_POST['username'] : null;
$PHP_AUTH_PW = isset($_POST['password']) ? $_POST['password'] : null;
if (!isset($PHP_AUTH_USER) && isset($_COOKIE['username'])) $PHP_AUTH_USER = $_COOKIE['username'];
if (!isset($PHP_AUTH_PW) && isset($_COOKIE['password'])) $PHP_AUTH_PW = $_COOKIE['password'];

$auth = false; // Assume user is not authenticated

if (isset( $PHP_AUTH_USER ) && isset($PHP_AUTH_PW)) {

    // Read the entire file into the variable $file_contents
    // (an unreadable file yields no entries, so authentication fails).
    $filename = '/usr/local/zeus/web_roots/main/domain.com/cgi-bin/pa/passwordfile.txt';
    $fp = fopen( $filename, 'r' );
    $file_contents = $fp ? fread( $fp, filesize( $filename ) ) : '';
    if ( $fp ) fclose( $fp );

    // Place the individual lines from the file contents into an array.
    $lines = explode ( "\n", $file_contents );

    // Split each of the lines into a username and a password pair
    // and attempt to match them to $PHP_AUTH_USER and $PHP_AUTH_PW.
    foreach ( $lines as $line ) {

        // Skip blank or malformed lines (e.g. the empty entry after the final newline).
        if ( strpos( $line, ':' ) === false ) continue;
        list( $username, $password ) = explode( ':', trim( $line ), 2 );

        if ( $username === "$PHP_AUTH_USER" ) {

            // Get the salt from $password. It is always the first
            // two characters of a DES-encrypted string.
            $salt = substr( $password , 0 , 2 );

            // Encrypt $PHP_AUTH_PW based on $salt
            $enc_pw = crypt( $PHP_AUTH_PW, $salt );

            if ( $password === "$enc_pw" ) {

                // A match is found, meaning the user is authenticated.
                // Remember the credentials for 10 hours (the password is
                // stored in the cookie as plain text) and stop the search.
                $auth = true;
                setcookie('username',$PHP_AUTH_USER,time()+36000);
                setcookie('password',$PHP_AUTH_PW,time()+36000);
                break;
            }
        }
    }
}

if ( ! $auth ) {

    header( 'WWW-Authenticate: Basic realm="Private"' );
    header( 'HTTP/1.0 401 Unauthorized' );
    echo 'Authorization Required.';
    exit;

} else {

    header( 'Location:first.htm' );
}

?> [/php]
My .htaccess file looks like this….

[code]
AuthType Basic
AuthName "Making Doors Open"
AuthGroupFile /dev/null/

php_value auto_prepend_file "/usr/local/zeus/web_roots/main/domainname.com/auth.php"

<LIMIT GET POST PUT>
require valid-user
</LIMIT>
[/code]
Last edited by tgreer; Oct 31st, 2006 at 8:12 pm. Reason: Added missing code tags.
Reputation Points: 10
Solved Threads: 0
Newbie Poster
Boat_2005 is offline Offline
7 posts
since Mar 2005
Mar 29th, 2005
0

Re: html/php form for .htaccess validation - Can anyone help?

Can anyone help?
Reputation Points: 10
Solved Threads: 0
Newbie Poster
Boat_2005 is offline Offline
7 posts
since Mar 2005
Mar 30th, 2005
0

Re: html/php form for .htaccess validation - Can anyone help?

I'm currently working on the same problem.. I'll let you know if I have any luck with it!

Tarik

Quote originally posted by Boat_2005 ...
Can anyone help?
Reputation Points: 10
Solved Threads: 0
Newbie Poster
tarik is offline Offline
2 posts
since Mar 2005
Mar 30th, 2005
0

Re: html/php form for .htaccess validation - Can anyone help?

That’s great! I hope this thread helps you. I believe that the code I added to this thread is 90% complete. If you figure out the rest that would be incredible..

Quote originally posted by tarik ...
I'm currently working on the same problem.. I'll let you know if I have any luck with it!

Tarik
Reputation Points: 10
Solved Threads: 0
Newbie Poster
Boat_2005 is offline Offline
7 posts
since Mar 2005
Mar 31st, 2005
0

Re: html/php form for .htaccess validation - Can anyone help?

This link may help.
http://www.php.net/manual/en/features.http-auth.php

Quote originally posted by tarik ...
I'm currently working on the same problem.. I'll let you know if I have any luck with it!

Tarik
Reputation Points: 10
Solved Threads: 0
Newbie Poster
Boat_2005 is offline Offline
7 posts
since Mar 2005
Mar 31st, 2005
0

Re: html/php form for .htaccess validation

I've had a look through your code and perhaps I am overlooking something but I am slightly confused exactly what you are trying to achieve...

You mention that you used to login using username:password@domain.com, using htaccess authentication and you say that your goal is to login through your html form. From this I would presume that you wanted to continue using the basic htaccess authentication, whilst logging in through the form rather than the popup window (which is what I am attempting myself).

Your code suggests that you are not using htaccess authentication any more - you are writing your own authentication which checks against a custom database file, which is fine, but I don't understand why you need to specify AuthType Basic, or anything within the <LIMIT GET PUT> section in the htaccess file as it is no longer needed.

Rather than needing something like auth($_SESSION['user'], $_SESSION['pass']) in the .htaccess file, it looks to me like all you need is to save auth=true in your Session...

e.g, when you establish that the username / password combination is valid then do this...

$_SESSION['auth'] = true;

This variable will now be accessible to you as you navigate around the site.

Whenever a new page is loaded, test whether the user is authenticated by using...

if ( isset( $_SESSION['auth'] ) && $_SESSION['auth'] == true )
{ /* Display HTML Content */ }

Is this what you are trying to achieve?

Tarik
Reputation Points: 10
Solved Threads: 0
Newbie Poster
tarik is offline Offline
2 posts
since Mar 2005
Apr 1st, 2005
0

Re: html/php form for .htaccess validation

Removing AuthTypeBasic and <LIMIT GET PUT> from my .htaccess file makes sense.

I can replace $auth = true; with $_SESSION['auth'] = true; and $auth = false; with $_SESSION['auth'] = false;.

Do you think that I still need
setcookie('username',$PHP_AUTH_USER,time()+36000);
setcookie('password',$PHP_AUTH_PW,time()+36000);

The part I’m having trouble understanding is how to bridge the gap from my auth.php file to having access.
My HTML form's action points to a file in my restricted directory. When it tries to access that file the .htaccess file directs the username and password to the auth.php file which validates against my username/password file. If it’s valid => “$_SESSION['auth'] = true;”.

Where would I add this?
if ( $_SESSION['username'] == true )
{ www.domain.com/path/to/restricted/field.html }

I added it to my .htaccess file and when I logged in got the following error => Error 405 Method Not Allowed.

Any ideas? You mentioned that you're trying to get this working. Have you been able to? If not, what road blocks have you run into?
Reputation Points: 10
Solved Threads: 0
Newbie Poster
Boat_2005 is offline Offline
7 posts
since Mar 2005
Apr 28th, 2005
0

Re: html/php form for .htaccess validation

I am having the same problem. Did u come up with a solution ???

I read that it's impossible to do this.
I have a bunch of cgi scripts with .htaccess. I need to
give access to these scripts only to users who logged in with
same usr/pswd as that in htpasswd file.
Reputation Points: 10
Solved Threads: 0
Newbie Poster
psk79 is offline Offline
2 posts
since Apr 2005
Oct 31st, 2006
0

Re: html/php form for .htaccess validation

Quote originally posted by psk79 ...
I am having the same problem. Did u come up with a solution ???

I read that it's impossible to do this.
I have a bunch of cgi scripts with .htaccess. I need to
give access to these scripts only to users who logged in with
same usr/pswd as that in htpasswd file.

I was wondering if anyone had a solution to this problem. I am in desperate need of code to create a log-in form with a .htaccess file.


I would very much appreciate any help.


Thanks,

DW5
DW5
Reputation Points: 10
Solved Threads: 0
Newbie Poster
DW5 is offline Offline
1 posts
since Oct 2006
Nov 3rd, 2006
0

Re: html/php form for .htaccess validation

Is the problem how to let .htaccess know that the user is authorized and set this in php?

I've never used .htaccess for authentication before so I wouldn't know but I can suggest that you remove .htaccess altogether, and use just php if you are desperate. You can still do the exact same thing, read the user and pass from the password file, but have authentication rely on php alone. .. if you're desperate...
Moderator
Reputation Points: 457
Solved Threads: 101
Nearly a Posting Virtuoso
digital-ether is offline Offline
1,250 posts
since Sep 2005
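
The PHP-only approach that tarik and digital-ether describe above, written out as an added example that is not code from any poster in this thread: the form's credentials are checked against the same `user:hash` password file and the result is kept in the session, so the password is never stored in a cookie. `HTPASSWD_PATH`, `login.php` and the function names are placeholders, and the file is assumed to hold entries in a format PHP's `crypt()` understands, such as the DES entries in the first post.

```php
<?php
// Added example. HTPASSWD_PATH, login.php and the function names are placeholders.
const HTPASSWD_PATH = '/path/to/passwordfile.txt';

// Return the stored hash for $user from a "user:hash" file, or null if absent.
function find_hash(string $path, string $user): ?string
{
    $lines = @file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    foreach ($lines ?: [] as $line) {   // unreadable file: no entries, fail closed
        $parts = explode(':', trim($line), 2);
        if (count($parts) === 2 && $parts[0] === $user) {
            return $parts[1];
        }
    }
    return null;
}

function verify_login(string $path, string $user, string $pass): bool
{
    $stored = find_hash($path, $user);
    // crypt() takes its salt from the stored hash; hash_equals() compares in constant time.
    return $stored !== null && hash_equals($stored, (string) crypt($pass, $stored));
}

// Call at the top of every protected PHP page, after session_start().
function require_login(): void
{
    if (empty($_SESSION['auth'])) {
        header('Location: login.php');
        exit;
    }
}

// Form handler (kept in the same file here): only the session id travels in a cookie.
session_start();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $user = $_POST['username'] ?? null;
    $pass = $_POST['password'] ?? null;
    if (is_string($user) && is_string($pass) && verify_login(HTPASSWD_PATH, $user, $pass)) {
        session_regenerate_id(true);    // fresh session id after login
        $_SESSION['auth'] = true;
        header('Location: first.htm');
        exit;
    }
    http_response_code(401);
    echo 'Login failed.';
}
```

Pages in the protected directory call `require_login()` before sending any output. Static files such as `first.htm` are only covered if they are served through a PHP script that makes that call.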
