Goetz Lohmann wrote:
> Goetz Lohmann wrote:
>
>>Shams wrote:
>>
>>
>>>Hi,
>>>
>>>I've written a secure PHP login script which will allow users to login to a
>>>directory such as this:
>>>
>>>smezone.com/members/index.php
>>>
>>>however, how do I restrict people from accessing HTML files in that
>>>directory (which they can easily do so by typing the URL into their
>>>browser), such as:
>>>
>>>smezone.com/members/document1.html
>>>
>>>?
>>>
>>>Since it's regular HTML files (and we have lots), I can't check whether the
>>>user has a valid session as I would do in a PHP file.
>>>
>>
>>
>>if you are using linux & apache ... just use a .htaccess file like the one below
>>
>>AuthUserFile /usr/home/.htpasswd
>>AuthName "Secret Area"
>>AuthType Basic
>><FilesMatch "\.(gif|jpe?g|png|htm|html)$">
>>  require valid-user
>></FilesMatch>
>>
>>with this you restrict access only to users listed in the /usr/home/.htpasswd
>>file, which looks like
>>
>>user1:668c1d6Hc6yCg
>>test:85FRBo8cHrAZc
>>
>>the code after ":" is a MD5 key
>>the FilesMatch means that all files ending with .gif, .html, ... are restricted and
>>.php is not.
>>
>>in a php file you now can read the authentication from a user and compare it
>>with the /usr/home/.htpasswd entries.
>>
>><?php
>>  ...
>>  if (!isset($PHP_AUTH_USER)) {
>>    // $PHP_AUTH_USER is empty ... no login
>>    header('WWW-Authenticate: Basic realm="My Private Stuff"');
>>    header('HTTP/1.0 401 Unauthorized');
>>    echo 'Authorization Required.';
>>    exit;
>>  }
>>  // If not empty, check authentication ...
>>  else {
>>    if ($PHP_AUTH_USER==$username && $PHP_AUTH_PW==$mypasswd) {
>>      echo "<P>Your Login is OK";
>>?>
>>...
>><?php
>>    } else {
>>      echo "<P>wrong login !";
>>    }
>>  }
>>?>
>>
>>note that the /usr/home/.htpasswd file must include all usernames and
>>passwords as MD5. You can create a line of this file with:
>>
>><?php
>>  echo "$username:".md5($mypasswd);
>>?>
>>
>>maybe you also can use "mod_auth_db" ... but this is apache specific so
>>take a look at http://httpd.apache.org/docs/mod/core.html
>
>
>
> oops ... don't use the default md5() function because it is not equal to that of
> linux in .htpasswd files, use instead:
>
> <?php
>   $password=crypt($PHP_AUTH_PW,substr($PHP_AUTH_PW,0,2));
> ?>
>
> to generate a MD5 password

maybe take a look at http://www.diegonet.com/support/mod_auth_mysql.shtml ;-)

--
 @  Goetz Lohmann, Germany   |   Web-Developer & Sys-Admin
\/  ------------------------------------------------------
()  He's the fellow that people wonder what he does and
||  why the company needs him, until he goes on vacation.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
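
The following is an added example, not code from the thread: one way to do the comparison the first reply describes, checking HTTP Basic credentials against htpasswd-style entries in PHP. It assumes entries hashed with crypt(3) or bcrypt (other htpasswd formats are rejected); the function names and sample entries are constructed for illustration.

```php
<?php
// Added example: verify HTTP Basic credentials against htpasswd-style entries.

/** Parse htpasswd text ("user:hash" per line) into [user => hash]. */
function parse_htpasswd(string $text): array
{
    $users = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;                       // blank line or comment
        }
        $parts = explode(':', $line, 2);
        if (count($parts) === 2 && $parts[0] !== '' && $parts[1] !== '') {
            $users[$parts[0]] = $parts[1];
        }
    }
    return $users;
}

/** True only if $user exists and $password matches the stored hash. */
function verify_htpasswd(array $users, string $user, string $password): bool
{
    if (!isset($users[$user])) {
        return false;
    }
    $stored = $users[$user];
    // crypt() takes algorithm and salt from the stored hash itself, so the
    // salt never has to be derived from the password being checked.
    $computed = crypt($password, $stored);
    return hash_equals($stored, $computed);   // constant-time comparison
}

// Constructed sample entries, generated here so the script runs offline:
// one traditional crypt(3) entry and one bcrypt entry.
$sample = "# constructed sample file\n"
        . 'user1:' . crypt('oldpass', 'ab') . "\n"
        . 'test:' . password_hash('longer passphrase', PASSWORD_BCRYPT) . "\n";
$users = parse_htpasswd($sample);

// In a web request the credentials come from $_SERVER['PHP_AUTH_USER'] and
// $_SERVER['PHP_AUTH_PW']; fixed values are used for the demonstration.
var_dump(verify_htpasswd($users, 'user1', 'oldpass'));
var_dump(verify_htpasswd($users, 'test', 'longer passphrase'));
var_dump(verify_htpasswd($users, 'test', 'wrong'));
var_dump(verify_htpasswd($users, 'nobody', 'oldpass'));
```

Basic authentication sends the password with every request in a reversible encoding, so the protected directory should only be served over TLS.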