Goetz Lohmann wrote:
> Shams wrote:
>
>>Hi,
>>
>>I've written a secure PHP login script which will allow users to login to a
>>directory such as this:
>>
>>smezone.com/members/index.php
>>
>>however, how do I restrict people from accessing HTML files in that
>>directory (which they can easily do so by typing the URL into their
>>browser), such as:
>>
>>smezone.com/members/document1.html
>>
>>?
>>
>>Since they're regular HTML files (and we have lots), I can't check whether the
>>user has a valid session as I would do in a PHP file.
>>
>
>
> If you are using Linux & Apache ... just use a .htaccess file like the one below
>
> AuthUserFile /usr/home/.htpasswd
> AuthName "Secret Area"
> AuthType Basic
> <FilesMatch "\.(gif|jpe?g|png|htm|html)$">
> require valid-user
> </FilesMatch>
>
> With this you restrict access only to users listed in the /usr/home/.htpasswd
> file, which looks like
>
> user1:668c1d6Hc6yCg
> test:85FRBo8cHrAZc
>
> The code after ":" is an MD5 key.
> The FilesMatch means that all files ending with .gif, .html, ... are restricted and
> .php is not.
>
> In a PHP file you can now read the authentication from a user and compare it
> with the /usr/home/.htpasswd entries.
>
> <?php
> ...
> if (!isset($_SERVER['PHP_AUTH_USER'])) {
>     // $_SERVER['PHP_AUTH_USER'] is not set ... no login
>     header('WWW-Authenticate: Basic realm="My Private Stuff"');
>     header('HTTP/1.0 401 Unauthorized');
>     echo 'Authorization Required.';
>     exit;
> }
> // If not empty, check authentication ...
> else {
>     if ($_SERVER['PHP_AUTH_USER'] === $username && $_SERVER['PHP_AUTH_PW'] === $mypasswd) {
>         echo "<P>Your Login is OK";
> ?>
> ...
> <?php
>     } else {
>         echo "<P>wrong login !";
>     }
> }
> ?>
>
> Note that the /usr/home/.htpasswd file must include all usernames and
> passwords as MD5. You can create a line of this file with:
>
> <?php
> echo "$username:".md5($mypasswd);
> ?>
>
> maybe you also can use "mod_auth_db" ... but this is apache specific so
> take a look at http://httpd.apache.org/docs/mod/core.html
Oops ... don't use the default md5() function because it is not equal to that of
Linux in .htpasswd files; use instead:
<?php
$password = crypt($_SERVER['PHP_AUTH_PW'], substr($_SERVER['PHP_AUTH_PW'], 0, 2));
?>
to generate an MD5 password
--
@ Goetz Lohmann, Germany | Web-Developer & Sys-Admin
\/ ------------------------------------------------------
() He's the fellow that people wonder what he does and
|| why the company needs him, until he goes on vacation.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
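
An added example, not part of the original messages: checking the Basic-auth credentials sent to a PHP page against the htpasswd file the thread discusses. It assumes the entries are in a crypt(3) format that PHP's crypt() supports and reuses the thread's /usr/home/.htpasswd path; the function name htpasswd_verify is hypothetical.

```php
<?php
// Added example: look up a user in an htpasswd-style file and verify the
// password with crypt(). Function name and realm reuse are assumptions.

/**
 * Return true if $user/$password match an entry in $htpasswdFile.
 * Handles entries in crypt(3) formats that PHP's crypt() understands
 * (traditional DES, $1$ MD5-crypt, $2y$ bcrypt, $5$/$6$ SHA-crypt).
 * Apache's own $apr1$ and {SHA} formats are not crypt(3) formats and are rejected.
 */
function htpasswd_verify(string $htpasswdFile, string $user, string $password): bool
{
    $lines = @file($htpasswdFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return false; // unreadable file: fail closed
    }
    foreach ($lines as $line) {
        // Each entry is "user:hash"; split on the first colon only
        $parts = explode(':', $line, 2);
        if (count($parts) !== 2 || $parts[0] !== $user) {
            continue;
        }
        $stored = trim($parts[1]);
        if ($stored === '' || strpos($stored, '$apr1$') === 0 || strpos($stored, '{SHA}') === 0) {
            return false; // format crypt() cannot check
        }
        // Passing the stored hash as the salt makes crypt() reuse its salt and algorithm
        $computed = crypt($password, $stored);
        // hash_equals() compares the two strings in constant time
        return hash_equals($stored, $computed);
    }
    return false; // unknown user
}

$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';
if ($user === null || !htpasswd_verify('/usr/home/.htpasswd', $user, $pass)) {
    header('WWW-Authenticate: Basic realm="Secret Area"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
}
echo '<p>Your Login is OK</p>';
```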