On 23 Sep 2002 at 8:14, [EMAIL PROTECTED] wrote:
> I have set up a section of my company site for use by authorized dealers
> only. I am currently using mysql authorization, which works for the
> first page, but if someone were to type in the url of an underlying page
> they would be able to get in without authorization. I know I could use
> .htaccess for handling this but with a minimum of 350 -400 users to keep
> track of that would be unwieldly to say the least, especially for my
> boss who doesn't have a clue about *nix and has never even heard of
> .htaccess.
> What other options do I have to keep the underlying pages from being
> accessed without the user being forced to go through the logon screen?

Umm .. I did something along these lines awhile back ... yeah, I had 
all the public pages outside of the document root. I had every request 
for a page going to my script, if the person was recognized (using a 
cookie), I would get the page they wanted and return it. Plain cgi and 
was fast enough. You could do this in PHP. No one can access the 
restricted pages as they are outside the doc root. 

This is of course something for mod_perl where you can write your own 
auth handler and you don't need to do something as goofy as I did 
above. I don't think PHP has that ability. Your pages can still be in 
PHP. Here is an example (I just wrote this up will quick so if you go 
this route, do your homework)


The above url is protected by a mod_perl handler which requires a 
cookie (script below)

If you go to the above url you get redirected here:


Enter something, cookie set, you are in. Click on welcome.php and 
logout to kill the cookie.

I don't know how you can do this in PHP without doing something goofy 
like I suggest above or other suggestions I've seen.

I use an .htaccess file in /authtest

PerlAccessHandler Apache::GateKeeper
PerlSetVar login_failure_handler 'http://www.schoenster.com/login.php'
PerlSetVar column_name username

The mod_perl handler is such (I just cut,pasted from some other stuff)

package Apache::GateKeeper;

use strict;
use Apache::Constants qw(:common REDIRECT);

sub handler {
    my $r = shift;
    my $location = $r->dir_config("login_failure_handler");
    my $okay = get_cookie($r);
    if ($okay) {
        return DECLINED; 
    }else {
        $r->header_out( Location => $location ); 
        return 1; 
sub get_cookie {
    my $r = shift;
    my %headers_in = $r->headers_in;
    my $cookie = $headers_in{'Cookie'};
    my %cookie = ();
    my(@bites) = split /;/,$cookie;
    my $n = '';
    my $v = '';
    for(@bites) {
        ($n,$v) = split /=/;
        $n =~ s/^\s+//;
        $cookie{$n} = $v;
    my $username = $r->dir_config("column_name");
    if($cookie{$username}) {
        return 1;
    }else {
        return undef;

Now, if you reckon I should have only given a solution as above in PHP, 
well, I would have if I had known one. The solutions I've seen so far 
are not very elegant or evolutionary imho. Can the above be done  in 
PHP so you don't have to tell every page your write to check for 


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to