----- Original Message -----
From: listgroups08

Hello all,
I am creating a web based interface to a large database that includes personal information. In the past I have used php session control to authenticate members but now, due to the personal information, I am wondering if I should make things more secure. Members will come and go and an administrator will have to approve new members and delete members from time to time. I am considering getting php to manage a .htaccess file so that the security of Apache basic auth is added as a layer around php. The problem is that different users will have access to a different range of information which will overlap in places. I am not really concerned that one member may attempt to hack privileges, it is more about the general public.

Is there a way to find out the current user's basic auth user name? If there is then I can simply use php to determine access privileges by the basic auth user name and have the best of both worlds so to speak. I know there are POSIX commands that relate to file access but what is there in php that will tell me a user's basic auth username?

Thanks,

------------------------------------

It's me again. I found the answers to the last questions and now I have a new question. The answers are:

User Name: $_SERVER['PHP_AUTH_USER']
Password: $_SERVER['PHP_AUTH_PW']
Auth Type: $_SERVER['AUTH_TYPE']

And to generate an encryption for use in a .htaccess passwd file for Basic Auth (Linux):

$string = $username . ':' . crypt($password, base64_encode($password)) . "\n";

One CAUTION: Basic Auth (require valid-user) is session based on the server. The user being 'GROUP' in the attributes 'OWNER', 'GROUP', 'USER' or 'USER', 'GROUP', 'WORLD'. This means that if you are on a shared server then another person on the same server can use a basic auth page on their website that links to your restricted area and the server will allow the session to continue as authorised (valid-user). So you have to destroy the session at the start or, better still, re-authenticate the user in the background and register an authentication flag into the session.

The new question! I am running WAMP 2.0 (the latest version) as a development environment on Windows XP and I am very happy with it but now there is one problem. How do I get Basic Auth to work on WAMP just the same way Basic Auth runs on my Linux based servers? All seems to be ok in XP but the encrypted strings that are used in .htaccess or passwd files do not work with the same passwords that are used in the Linux environment. I am quite happy to use a different encryption algorithm in the development environment and then to swap algorithms when a site goes online but I don't know what algorithm to use on a Windows based server (not IIS - still Apache). Another possibility may be to get Apache to store passwords in plain text. This would be fine in a development environment. Is this possible? And if so, how do I configure it so?

Thanks.
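Added example, not part of the original message or of any project it mentions: a PHP script that writes htpasswd entries in formats Apache accepts on both Linux and Windows (so no algorithm swap is needed between WAMP and the production server), and that re-checks the credentials Apache forwards in $_SERVER['PHP_AUTH_USER'] / $_SERVER['PHP_AUTH_PW'] before recording an authentication flag in the PHP session, as the message proposes. The file path /path/to/.htpasswd and the user names are constructed placeholders; the bcrypt branch assumes Apache 2.4 (APR-util 1.5 or newer), while the {SHA} format is understood by every Apache version on every platform.

```php
<?php
// Added example (not from the original message). Assumptions (hypothetical):
// the password file is /path/to/.htpasswd; bcrypt "$2y$" entries require
// Apache 2.4 / APR-util 1.5+; "{SHA}" entries (htpasswd -s) work everywhere
// but are unsalted SHA-1, so prefer bcrypt wherever the server supports it.

// Build one htpasswd line. Platform-independent replacement for the
// crypt()-based line in the message, which differs between Linux and Windows.
function htpasswd_line(string $user, string $password, string $algo = 'bcrypt'): string
{
    if (strpbrk($user, ":\r\n") !== false) {
        throw new InvalidArgumentException('user name must not contain ":" or newlines');
    }
    switch ($algo) {
        case 'sha':
            $hash = '{SHA}' . base64_encode(sha1($password, true));
            break;
        case 'bcrypt':
            $hash = password_hash($password, PASSWORD_BCRYPT);
            break;
        default:
            throw new InvalidArgumentException("unsupported algorithm: $algo");
    }
    return $user . ':' . $hash . "\n";
}

// Verify a password against a stored hash of either format, using
// constant-time comparison so timing does not leak the stored value.
function htpasswd_verify(string $password, string $stored): bool
{
    if (strncmp($stored, '{SHA}', 5) === 0) {
        $expected = base64_encode(sha1($password, true));
        return hash_equals(substr($stored, 5), $expected);
    }
    if (strncmp($stored, '$2y$', 4) === 0 || strncmp($stored, '$2a$', 4) === 0) {
        return password_verify($password, $stored);
    }
    return false; // legacy crypt()/MD5 entries are deliberately rejected here
}

// Load user => hash pairs from an htpasswd file (one "user:hash" per line).
function load_htpasswd(string $path): array
{
    $users = [];
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $parts = explode(':', $line, 2);
        if (count($parts) === 2) {
            $users[$parts[0]] = $parts[1];
        }
    }
    return $users;
}

// Re-authenticate the credentials Apache passed through and record the result
// in the PHP session, rather than trusting $_SERVER['PHP_AUTH_USER'] alone.
// Returns the user name on success, null otherwise. Call session_start() first.
function session_user_from_basic_auth(string $htpasswdPath): ?string
{
    $user  = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pw    = $_SERVER['PHP_AUTH_PW'] ?? '';
    $users = load_htpasswd($htpasswdPath);
    if ($user !== '' && isset($users[$user]) && htpasswd_verify($pw, $users[$user])) {
        session_regenerate_id(true);          // new session id on every successful login
        $_SESSION['auth_user'] = $user;       // the flag the page's access checks rely on
        return $user;
    }
    unset($_SESSION['auth_user']);
    return null;
}

// Usage (constructed): the administrator adds a member, then a protected page
// decides access by the verified user name instead of the raw server variable.
// file_put_contents('/path/to/.htpasswd', htpasswd_line('alice', 'correct horse'), FILE_APPEND | LOCK_EX);
// session_start();
// $who = session_user_from_basic_auth('/path/to/.htpasswd');
// if ($who === null) { header('HTTP/1.1 403 Forbidden'); exit; }
```

Per-user access to overlapping data ranges is then a lookup keyed on $_SESSION['auth_user'], which is only ever set after the password was checked against the same file Apache uses; the storing-plain-text-passwords route from the question becomes unnecessary because both formats above validate identically on WAMP and on the Linux servers.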