.htaccess and pw files are pointless, who wants to maintain potentially 10 or 20 of these things? Furthermore, it's gotta do more than just serve a single file at a time -- that's simple... I needed directory-level security.
The solution I came up with was to use a module called mod_auth_any, which (with a little minor adjustment) can execute a PHP script from the console and rely on its response to grant authentication or not. That gives me Apache-level security without Apache-authentication.

John

-----Original Message-----
From: J Smith [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 06, 2002 3:58 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Re: PHP-Based Authentication Security?

An easier way to do it might be to use HTTP authentication with Apache using .htaccess and .htpasswd files, which can be placed in the secure directories. (Or use one global .htpasswd file and have all .htaccess files point to it.)

Another possibility would be to set up two PHP scripts, one being some kind of form to enter a username, password, etc., and another to check the input and act as a pass-thru for the file to be downloaded. The second script could look something like this (obviously simplified):

    // $authenticated is set by the login check; $filename comes from the request
    if ($authenticated) {
        header("Content-type: whatever/text");
        readfile($filename);
    }
    else {
        print "You can't download this.";
    }

Which you would call as something like:

http://www.example.com/path/download.php?filename=somefile.txt

Obviously, you need to take care of a few security problems, like making sure they don't do something like

http://www.example.com/path/download.php?filename=/etc/passwd

And you'd have to make sure the file exists and such before sending it out. And determine the MIME type of the file. (I usually do this by extension.) But overall, it would work. I have a similar script, minus the authentication feature.

J

John Coggeshall wrote:

>
> Hey all..
>
> I've got a question -- I'd like to restrict access to entire
> directories based on if the user has been authenticated or not.
> Basically, I'd like to set up an auto-include *FROM APACHE* to run a
> PHP script prior to sending any documents what-so-ever and only send
> the requested document if the PHP script allows it. So..
>
> Request Made -> PHP Script Runs -> PHP Checks Authentication -> PHP
> says OK -> Apache sends file normally
>
> Or..
>
> Request Made -> PHP Script Runs -> PHP Checks Authentication -> PHP
> says NO -> Apache stops dead in its tracks or displays an HTTP error
>
> Is this possible? It has to work for any document or MIME type and be
> restrictable by directory... (i.e. I just want this happening in a
> /secure/ directory)
>
> John
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
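
The pass-through download script described in J Smith's message, with the checks that message lists (keeping the path inside one directory, confirming the file exists, choosing the MIME type by extension), as an added example that is not part of the original thread. The base directory, the session flag and the MIME table are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Assumptions: protected files live
// in SECURE_DIR outside the web root, and a separate login script has set
// $_SESSION['authenticated'].
const SECURE_DIR = '/var/www/secure-files';   // hypothetical location
$mimeByExt = [                                 // hypothetical allow-list
    'txt' => 'text/plain',
    'pdf' => 'application/pdf',
    'png' => 'image/png',
];

// Resolve a requested name to a regular file inside $baseDir, or null.
// realpath() canonicalises "..", doubled slashes and symlinks, so the
// containment check runs on the real path rather than on user input.
function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;                           // missing, or not a regular file
    }
    // The trailing separator keeps /secure-files-old from matching /secure-files.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                           // resolved outside the base directory
    }
    return $path;
}

session_start();
if (empty($_SESSION['authenticated'])) {
    http_response_code(403);
    exit("You can't download this.");
}
$name = $_GET['filename'] ?? '';
$path = is_string($name) ? resolve_download(SECURE_DIR, $name) : null;
$ext  = $path === null ? '' : strtolower(pathinfo($path, PATHINFO_EXTENSION));
if ($path === null || !isset($mimeByExt[$ext])) {
    http_response_code(404);                   // same answer for every failure
    exit('Not found.');
}
header('Content-Type: ' . $mimeByExt[$ext]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

With this in place, a request for `filename=/etc/passwd` or `filename=../../etc/passwd` resolves outside the base directory and gets the same 404 as a file that does not exist.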