I'm currently working on the same problem.. I'll let you know if I have any luck with it!

Tarik

Can anyone help?

I've had a look through your code and perhaps I am overlooking something but i am slightly confused exactly what you are trying to achieve...

You mention that you used to login using username:password@domain.com, using htaccess authentication and you say that your goal is to login through your html form. From this I would presume that you wanted to continue using the basic httaccess authentication, whilst logging in through the form rather that the popup window (which is what I am attempting myself).

Your code suggests that you are not using htaccess authentication any more - you are writing your own authentication which checks against a custom database file, which is fine, but I don't understand why you need to specify AuthType Basic, or anything within the section in the htaccess file as it is no longer needed.

Rather than needing something like auth($_SESSION[‘user’], $_SESSION[‘pass’]) in the .htaccess file, it looks to me like all you need is to save auth=true in your Session...

e.g, when you establish that the username / password combination is valid then do this...

$_SESSION['auth'] = true;

This variable will now be accessible to you as you navigate around the site.

Whenever a new page is loaded, test whether the user is authenticated by using...

if ( $_SESSION['username'] == true )
{ //Display HTML Content }

Is this what you are trying to achieve?

Tarik

I ma having the same problem. Did u come up with a solution ???

I read that its impossible to do this.
I have a bunch of cgi scripts with .htacess. I need to
give access to these scripts only to users who logged in with
same usr/pswd as that in htpasswd file.

I ma having the same problem. Did u come up with a solution ??? I read that its impossible to do this. I have a bunch of cgi scripts with .htacess. I need to give access to these scripts only to users who logged in with same usr/pswd as that in htpasswd file.

I was wondering if anyone had a solution to this problem. I am in desperate need of code to create a log-in form with a .htaccess file.


I would very much appreciate any help.


Thanks,

DW5

Is the problem how to get let .htaccess know that the user is authorized and set this in php?

I've never used .htaccess for authentication before so I wouldnt know but I can suggest that you remove .htaccess altogether, and use just php if you are deperate. You can still do the exact same thing, read the user and pass from the password file, but have authentication rely on php alone. .. if you're desperate...

Is the problem how to get let .htaccess know that the user is authorized and set this in php?

I've never used .htaccess for authentication before so I wouldnt know but I can suggest that you remove .htaccess altogether, and use just php if you are deperate. You can still do the exact same thing, read the user and pass from the password file, but have authentication rely on php alone. .. if you're desperate...

See the issue I am having is this. I have used php / mySQL login authentication to secure all of the php pages in the members area of a site. The problem I have is what if there are html files or pdf files in the members folder that I dont want people to have access to?

For example, my members folder is /public_html/members/ and I have a documents folder in there where I store pdf files for members only at /public_html/members/documents/. If I only use php for authentication (ie user/pass from mysql database) then someone can browse directly to one of the pdf files and view it without a password (ie www.domainname.com/members/documents/file1.php) . The only way I know of to prevent this is with htaccess file. I need to maintain the php login which integrates with the mySQL table since the members area is customized per member?

Can anyone give me an idea as to what I need to do???

Thank you.

Keith G

See the issue I am having is this. I have used php / mySQL login authentication to secure all of the php pages in the members area of a site. The problem I have is what if there are html files or pdf files in the members folder that I dont want people to have access to?

For example, my members folder is /public_html/members/ and I have a documents folder in there where I store pdf files for members only at /public_html/members/documents/. If I only use php for authentication (ie user/pass from mysql database) then someone can browse directly to one of the pdf files and view it without a password (ie www.domainname.com/members/documents/file1.php) . The only way I know of to prevent this is with htaccess file. I need to maintain the php login which integrates with the mySQL table since the members area is customized per member?

Can anyone give me an idea as to what I need to do???

Thank you.

Keith G

Hi Keith;

.htaccess does make it a bit complex. It would be simpler if you just place all the member files under the web root. (below public_html in this case).
This way it cannot be accessed directly from the web.

Then you can have a single php file that:

1) authenticates the users session.
2) retrieves the requested file from below the web root.
3) appends the correct Content-Type HTTP Header for file download or the file type being requested.
4) Dump the file to HTTP (echo $filecontents) so the browser will download the file.

This method can even allow resuming of file downloads etc.

It does put an extra load on the PHP server as file contents have to be read to php before being sent to HTTP...

You can get example code in the PHP manual under the funciton: header http://www.php.net/header

Heres an example:

[php]
<?php
$mm_type="application/octet-stream";

header("Cache-Control: public, must-revalidate");
header("Pragma: hack");
header("Content-Type: " . $mm_type);
header("Content-Length: " .(string)(filesize($url)) );
header('Content-Disposition: attachment; filename="'.basename($url).'"');
header("Content-Transfer-Encoding: binary\n");

$fp = fopen($url, 'rb');
$buffer = fread($fp, filesize($url));
fclose ($fp);

print $buffer;
?>
[/php]

You can insert this into a page, after you have validated:
1) The user has a session (is logged in)
2) The file exists and user has access to download it. (very important)

I am also having a problem very similar, i want to create a login excatly like the way .htaccess works but without the Annoying Dialogue Pop-up(i hate them) .. Can anyone help me?

I am also having a problem very similar, i want to create a login excatly like the way .htaccess works but without the Annoying Dialogue Pop-up(i hate them) .. Can anyone help me?

I am coping with the same problem. Anyone know a solution? Maybe including login information in the URL sent from my VB6 browser. Then avoid the pesky "confirm" message box?

Thanks,
Kirk

Until Microsoft released their security update to IE, I used an html form for the user to input his/her username/password which was passed to ‘username: [email]password@www.domain.com[/email]/restricted_directory’. The IE patch now restricts this. ...

Here's a solution to getting around the IE problem with their disabling using the browser address bar to login via HTTP Basic Authentication.

[HTML]Enter A Username and Password to Access the Private Area
[/HTML]

What is does is circumvent the browser address bar by making a xmlHTTPRequest call to a page protected by Basic Auth.

The xmlHTTPRequest will pass the username and password of the user to this page, and if authenticated successfully the page will respond with a HTTP status of "200".
If the authentication fails then the response will be "401".
The xmlHTTPRequest reads the HTTP status responses and keeps asking for a username and password until it gets a "200" response from the page.

Once authenticated, the browser will cache the username and password. (This is done automatically by browsers when implementing Basic Auth) This allows you to redirect to the actual page the user wants to visit.

This works no matter who you implement Basic Auth on the server, via php, via .htaccess etc.

The only problem I have seen is that Firefox will open the default Prompt for Authentication if the authentication by xmlHTTPRequest fails. This does not happen with IE. This may not be a firefox bug, just their implementation.

The work around for this would be to implement HTTP Authentication with PHP and response with a HTTP Response status of "403" or something similar instead of "401" which triggers the login prompt/box in firefox.

Could you explain if this script can also be used to make a webbased .htaccess login to directories where the username is the protected directory to which the user is pointed at login?

Eg. username = apple
with pasword will go to host.com/apple (where apple is a .htaccess protected directory).

If so, could you explain what to do with:

// url of Basic Authentication page
var auth_url = '.....';
// url user wants to access
var private_url = '.....';

And give some hints about ho to install the script. Thanks a lot in advance!

Could you explain if this script can also be used to make a webbased .htaccess login to directories where the username is the protected directory to which the user is pointed at login?

Eg. username = apple with pasword will go to host.com/apple (where apple is a .htaccess protected directory).

If so, could you explain what to do with:

// url of Basic Authentication page var auth_url = '.....'; // url user wants to access var private_url = '.....';

And give some hints about ho to install the script. Thanks a lot in advance!

This is all you need to change:
[HTML]
// url of Basic Authentication page
var auth_url = '.....';
// url user wants to access
var private_url = '.....';[/HTML]

auth_url can be either a PHP implementation of BASIC Auth ( http://php.net/features.http-auth) . Or an actual protected page.

private_url is the page you want to redirect to when the user is logged in successfully. (a private page).

If you don't have a PHP script implementing BASIC Auth, then both URLs are the same...

In your case it would be:

[HTML]
// url of Basic Authentication page
var auth_url = 'http://host.com/apple';
// url user wants to access
var private_url = 'http://host.com/apple';[/HTML]

You just place the whole script (JS code and HTML form) inside a non-protected page on the same Domain.

Different Domains:
If you want to go past the same domain restriction in XMLHTTPRequest then you'll have to use a PHP HTTP proxy. The PHP proxy should just take the HTTP Request and mirror the same request to the remote domain, then receive the HTTP Response from the remote domain and mirror it back to the client..

Thanks a lot for that!

But what to do when the private_url directory is not clear yet (because it is based on what the user will type in the form as it's username).

Can the directory name be a variable based on what the user inputs in the form as it's username?

Thanks a lot for that! But what to do when the private_url directory is not clear yet (because it is based on what the user will type in the form as it's username). Can the directory name be a variable based on what the user inputs in the form as it's username?

Sure.

Here's the first part of the code.

// url of Basic Authentication page
var auth_url = 'protected/index.php';
// url user wants to access
var private_url = 'protected/files/file.zip';

function getPrivatePage() {

var user = document.getElementById('user').value;
var pw = document.getElementById('pw').value;

The function getPrivatePage() is executed when a user clicks on the submit button. (it would actually be better to attach this to the form submit handler).

What you can do is check if the username is set when the user has clicked the button, if it is, then append the username to you your private url.

eg:

// url of Basic Authentication page
var auth_url = 'protected/index.php';
// url user wants to access
var private_url = 'protected/files/file.zip';

function getPrivatePage() {

var user = document.getElementById('user').value;
var pw = document.getElementById('pw').value;

if (user.length < 0) {
private_url = 'http://example.com/'+encodeURIComponent(user)+'/';
}

If you want to support older browsers (IE 5.5 I believe support xmlHTTPRequest but not encodeURIComponent()) then you'll have to first check if "encodeURIComponent()" is supported.

eg:

/**
* the escape() method in Javascript is deprecated
*/
function encode( uri ) {
    if (typeof encodeURIComponent == 'function') {
        return encodeURIComponent(uri);
    } else if (typeof escape == 'function') {
        return escape(uri);
    } else return uri;
}

Then in when you use uri's do:

if (user.length < 0) {
private_url = 'http://example.com/'+encode(user)+'/';
}

for example.

There is also some values passed via HTTP in the xmlHTTPRequest that are not urlencoded. You may want to urlencode them.

Since auth_url and private_url are the same in my case, should I include

function getPrivatePage() {

var user = document.getElementById('user').value;
var pw = document.getElementById('pw').value;

if (user.length < 0) {
private_url = 'http://example.com/'+encodeURIComponent(user)+'/';

Also for auth_url?

Furthermore, when I tested the script it seems to make a difference
if I use http://host.com or http://www.host.com .

Is is possible to make both work?

Thanks again in advance!