Shams wrote:
> Hi,
> 
> I've written a secure PHP login script which will allow users to log in to a
> directory such as this:
> 
> smezone.com/members/index.php
> 
> however, how do I restrict people from accessing HTML files in that
> directory (which they can easily do so by typing the URL into their
> browser), such as:
> 
> smezone.com/members/document1.html
> 
> ?
> 
> Since these are regular HTML files (and we have lots), I can't check whether the
> user has a valid session as I would do in a PHP file.
> 

if you are using linux & apache ... just use a .htaccess file like the one below

AuthUserFile /usr/home/.htpasswd
AuthName "Secret Area"
AuthType Basic
<FilesMatch "\.(gif|jpe?g|png|htm|html)$">
  require valid-user
</FilesMatch>

with this you restrict access only to users listed in the /usr/home/.htpasswd
file, which looks like

user1:668c1d6Hc6yCg
test:85FRBo8cHrAZc

the code after ":" is an MD5 key
the FilesMatch means that all files ending with .gif, .html, ... are restricted and
.php is not.

in a php file you can now read the authentication from a user and compare it
with the /usr/home/.htpasswd entries.

<?php
  // ...
  // Basic-auth credentials are exposed in $_SERVER (the bare $PHP_AUTH_USER
  // globals only exist when register_globals is enabled).
  if (!isset($_SERVER['PHP_AUTH_USER'])) {
    // no credentials sent ... no login
    header('WWW-Authenticate: Basic realm="My Private Stuff"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
  }
  // If not empty, check authentication ...
  else {
    if ($_SERVER['PHP_AUTH_USER'] === $username && $_SERVER['PHP_AUTH_PW'] === $mypasswd) {
      echo "<P>Your Login is OK";
?>
...
<?php
    } else {
      echo "<P>wrong login !";
    }
  }
?>

note that the /usr/home/.htpasswd file must include all usernames and
passwords as MD5. You can create a line of this file with:

<?php
  echo "$username:".md5($mypasswd);
?>

maybe you also can use "mod_auth_db" ... but this is apache specific so
take a look at http://httpd.apache.org/docs/mod/core.html



-- 
 @  Goetz Lohmann, Germany   |   Web-Developer & Sys-Admin
\/  ------------------------------------------------------
()  He's the fellow that people wonder what he does and
||  why the company needs him, until he goes on vacation.


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
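
The comparison step the reply describes (checking the Basic-auth credentials against the password file), as an added example that is not part of the original post. It assumes the file holds bcrypt entries (`$2y$`, as written by `htpasswd -B` or PHP's `password_hash()`); the function names, sample entries and sample password are constructed for illustration.

```php
<?php
// Added example, not code from the original post. Assumes bcrypt ("$2y$")
// entries, which both Apache 2.4 and PHP's password_verify() understand.

// Parse "user:hash" lines into [user => hash], skipping blanks and comments.
function load_htpasswd(array $lines): array
{
    $users = [];
    foreach ($lines as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || strpos($line, ':') === false) {
            continue;
        }
        [$user, $hash] = explode(':', $line, 2);
        $users[$user] = $hash;
    }
    return $users;
}

// True only if $user exists, has a bcrypt entry, and $password matches it.
function check_login(array $users, string $user, string $password, string $dummy): bool
{
    $known = isset($users[$user]) && strncmp($users[$user], '$2y$', 4) === 0;
    // Unknown users are checked against a dummy hash so timing does not reveal valid names.
    $match = password_verify($password, $known ? $users[$user] : $dummy);
    return $known && $match;
}

// Constructed sample data; a real script would use file('/usr/home/.htpasswd').
$dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT);
$lines = [
    '# constructed sample entries',
    'user1:' . password_hash('correct horse', PASSWORD_BCRYPT),
    'test:85FRBo8cHrAZc', // non-bcrypt entry from the page: refused by this check
];
$users = load_htpasswd($lines);

// Credentials PHP exposes for HTTP Basic auth; empty when no header was sent.
$authUser = $_SERVER['PHP_AUTH_USER'] ?? '';
$authPw   = $_SERVER['PHP_AUTH_PW'] ?? '';
if (!check_login($users, $authUser, $authPw, $dummy)) {
    header('WWW-Authenticate: Basic realm="Secret Area"');
    header('HTTP/1.0 401 Unauthorized');
    exit("Authorization Required.\n");
}
echo 'Login OK for ' . htmlspecialchars($authUser), PHP_EOL;
```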
