[PHP] Re: restricting access to files

2003-02-04 Thread Goetz Lohmann
Shams wrote:
> Hi,
>
> I've written a secure PHP login script which will allow users to login to a
> directory such as this:
>
> smezone.com/members/index.php
>
> however, how do I restrict people from accessing HTML files in that
> directory (which they can easily do by typing the URL into their
> browser), such as:
>
> smezone.com/members/document1.html
>
> ?
>
> Since these are regular HTML files (and we have lots), I can't check whether the
> user has a valid session as I would do in a PHP file.
>

if you are using Linux & Apache ... just use a .htaccess file like the one below

AuthUserFile /usr/home/.htpasswd
AuthName "Secret Area"
AuthType Basic
<FilesMatch "\.(gif|jpe?g|png|htm|html)$">
  require valid-user
</FilesMatch>

with this you restrict access only to users listed in the /usr/home/.htpasswd
file, which looks like

user1:668c1d6Hc6yCg
test:85FRBo8cHrAZc

the code after the : is an MD5 key
the FilesMatch means that all files ending with .gif, .html, ... are restricted and
.php is not.

in a PHP file you can now read the authentication from a user and compare it
with the /usr/home/.htpasswd entries.

<?php
  // ...
  // register_globals-era variables, filled from $_SERVER so the script also runs without register_globals
  $PHP_AUTH_USER = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
  $PHP_AUTH_PW   = isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : null;
  if (!isset($PHP_AUTH_USER)) {
    // $PHP_AUTH_USER is empty ... no login: ask the browser for Basic credentials
    header('WWW-Authenticate: Basic realm="My Private Stuff"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
  }
  // If not empty, check authentication ($username and $mypasswd hold the .htpasswd entry) ...
  else {
    if ($PHP_AUTH_USER === $username && $PHP_AUTH_PW === $mypasswd) {
      echo "<P>Your Login is OK";
?>
...
<?php
    } else {
      echo "<P>wrong login !";
    }
  }
?>

note that the /usr/home/.htpasswd file must include all usernames and
passwords as MD5. You can create a line of this file with:

<?php
  // one .htpasswd line: username, a colon, then the hashed password
  echo "$username:" . md5($mypasswd);
?>

maybe you can also use mod_auth_db ... but this is Apache specific, so
take a look at http://httpd.apache.org/docs/mod/core.html



-- 
 @  Goetz Lohmann, Germany   |   Web-Developer & Sys-Admin
\/  --
()  He's the fellow that people wonder what he does and
||  why the company needs him, until he goes on vacation.


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




[PHP] Re: restricting access to files

2003-02-04 Thread Goetz Lohmann
Goetz Lohmann wrote:
 
Hi,

i've written a secure PHP login script which will allow users to login to a
directory such as this:

smezone.com/members/index.php

however, how do I restrict people from accessing HTML files in that
directory (which they can easily do so by typing the URL into their
browser), such as:

smezone.com/members/document1.html

?

Since its a regular HTML files (and we have lots), I can't check whether the
user has a valid session as I would do in a PHP file.

 

maybe take a look at:

http://hotwired.lycos.com/webmonkey/00/05/index2a_page3.html?tw=programming

but note that normally $PHP_AUTH_PW is the password in clear text, but the
.htaccess file stores it as an md5 key!







[PHP] Re: restricting access to files

2003-02-04 Thread Goetz Lohmann
Goetz Lohmann wrote:
> note that the /usr/home/.htpasswd file must include all usernames and
> passwords as MD5. You can create a line of this file with:
>
> <?php
>   echo "$username:" . md5($mypasswd);
> ?>
 

oops ... don't use the default md5() function because it is not equal to that of
Linux in .htpasswd files, use instead:

<?php
  // crypt() with a 2-character salt; here the salt is taken from the first two characters of the password
  $password = crypt($PHP_AUTH_PW, substr($PHP_AUTH_PW, 0, 2));
?>

to generate an MD5 password


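The check discussed in this thread (comparing the Basic-auth credentials with the .htpasswd entries, and the crypt() correction above), written out as an added example; this is not code from the thread. It takes the salt for verification from the stored hash rather than from the password, so it also verifies entries that htpasswd itself wrote, and it creates new entries with a random salt. The file path and realm are the thread's; the function names are my own.

```php
<?php
// Added example, not from the thread: check HTTP Basic credentials against an
// .htpasswd file in the crypt() format the thread uses, and create such an entry.
// Read "user:hash" lines into an array keyed by user; blank and '#' lines are skipped.
function load_htpasswd(string $path): array
{
    $entries = [];
    $lines = is_readable($path) ? file($path, FILE_IGNORE_NEW_LINES) : [];
    foreach ($lines as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || strpos($line, ':') === false) {
            continue;
        }
        [$user, $hash] = explode(':', $line, 2);
        $entries[$user] = $hash;
    }
    return $entries;
}

// Verify a password against the stored hash. The salt is read from the stored hash
// (its first two characters for DES crypt), not from the password as in the thread.
function htpasswd_verify(array $entries, string $user, string $password): bool
{
    if (!isset($entries[$user])) {
        return false;   // unknown user: fail closed
    }
    $stored = $entries[$user];
    // crypt() recomputes in the scheme the stored hash uses (DES, or bcrypt for "$2y$");
    // "$apr1$" entries are not handled by PHP's crypt() and simply fail to match.
    return hash_equals($stored, crypt($password, $stored));   // constant-time compare
}

// Produce one "user:hash" line with a fresh random 2-character DES salt (DES crypt uses only the first 8 password characters).
function htpasswd_line(string $user, string $password): string
{
    $chars = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = $chars[random_int(0, 63)] . $chars[random_int(0, 63)];
    return $user . ':' . crypt($password, $salt);
}

// Request handling as in the thread's script, reading the variables from $_SERVER; path assumed from the thread.
if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    header('WWW-Authenticate: Basic realm="Secret Area"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
}
$entries = load_htpasswd('/usr/home/.htpasswd');
$ok = htpasswd_verify($entries, $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
echo $ok ? '<p>Your login is OK</p>' : '<p>Wrong login!</p>';
```

To add a user from the command line, print htpasswd_line('user1', 'secret') and append the result to the file; Apache's own mod_authn_file reads the same DES crypt entries.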




[PHP] Re: restricting access to files

2003-02-04 Thread Goetz Lohmann
Goetz Lohmann wrote:
 

maybe take a look at

http://www.diegonet.com/support/mod_auth_mysql.shtml

;-)

