.htaccess and pw files are pointless, who wants to maintain potentially
10 or 20 of these things? Furthermore, it's gotta do more than just
serve a single file at a time -- that's simple... I needed
directory-level security.

The solution I came up with was to use a module called mod_auth_any,
which (with a little minor adjustment) can execute a PHP script from the
console and rely on its response to grant authentication or not. That
gives me Apache-level security without Apache-authentication.

John


-----Original Message-----
From: J Smith [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, March 06, 2002 3:58 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Re: PHP-Based Authentication Security?



An easier way to do it might be to use HTTP authentication with apache
using .htaccess and .htpasswd files, which can be placed in the secure
directories. (Or use one global .htpasswd file and have all .htaccess
files point to it.)

Another possibility would be to set up two PHP scripts, one being some
kind of form to enter a username, password, etc., and another to check
the input and act as a pass-thru for the file to be downloaded. The
second script could look something like this (obviously simplified):

// Send the file only when the earlier check marked the user as authenticated.
if ($authenticated)
{
    header("Content-type: whatever/text");
    readfile($filename);
}
else
{
    print "You can't download this.";
}

Which you would call as something like:

http://www.example.com/path/download.php?filename=somefile.txt

Obviously, you need to take care of a few security problems, like making
sure they don't do something like

http://www.example.com/path/download.php?filename=/etc/passwd

And you'd have to make sure the file exists and such before sending it
out. And determine the MIME type of the file. (I usually do this by
extension.) But overall, it would work. I have a similar script, minus
the authentication feature.

J


John Coggeshall wrote:

> 
> Hey all..
> 
> I've got a question -- I'd like to restrict access to entire 
> directories based on if the user has been authenticated or not. 
> Basically, I'd like to set up an auto-include *FROM APACHE* to run a 
> PHP script prior to sending any documents whatsoever and only send 
> the requested document if the PHP script allows it. So..
> 
> Request Made -> PHP Script Runs -> PHP Checks Authentication -> PHP 
> says OK -> Apache sends file normally
> 
> Or..
> 
> Request Made -> PHP Script Runs -> PHP Checks Authentication -> PHP 
> says NO -> Apache stops dead in its tracks or displays an HTTP error
> 
> Is this possible? It has to work for any document or MIME type and be 
> restrictable by directory... (i.e. I just want this happening in a 
> /secure/ directory)
> 
> John
> 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
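
The pass-through download script described in the thread, with the checks it lists (no filename=/etc/passwd, file must exist, MIME type by extension) written out. This is an added example, not code from either poster; DOWNLOAD_ROOT, the MIME_BY_EXT table and the $_SESSION['authenticated'] flag are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed values, not from the thread: files live outside the web root and
// only the extensions listed here are ever served.
const DOWNLOAD_ROOT = '/var/www/secure-files';
const MIME_BY_EXT = ['txt' => 'text/plain', 'pdf' => 'application/pdf', 'png' => 'image/png'];

/**
 * Map a user-supplied name to a real file under $root. Returns null when the
 * name escapes the root, does not exist, or is not a regular file.
 */
function resolve_download(string $root, string $requested): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", symlinks and doubled slashes, and returns
    // false for paths that do not exist.
    $full = realpath($rootReal . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // The resolved path must still sit inside the root directory.
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

session_start();
if (empty($_SESSION['authenticated'])) {   // assumed to be set by the login form script
    http_response_code(403);
    exit("You can't download this.");
}

$name = $_GET['filename'] ?? '';
$path = is_string($name) ? resolve_download(DOWNLOAD_ROOT, $name) : null;
$ext  = $path === null ? '' : strtolower(pathinfo($path, PATHINFO_EXTENSION));
if ($path === null || !array_key_exists($ext, MIME_BY_EXT)) {
    http_response_code(404);   // same answer for "missing" and "not allowed"
    exit('Not found.');
}

header('Content-Type: ' . MIME_BY_EXT[$ext]);
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

With this layout, filename=/etc/passwd resolves to a path under DOWNLOAD_ROOT that does not exist, and filename=../../etc/passwd resolves outside the root and fails the prefix check; both get the 404 branch.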

