[PHP] Re: restricting access to files

Shams wrote:
> Hi,
>
> I've written a secure PHP login script which will allow users to log in
> to a directory such as this:
>
> smezone.com/members/index.php
>
> However, how do I restrict people from accessing HTML files in that
> directory (which they can easily do by typing the URL into their
> browser), such as:
>
> smezone.com/members/document1.html ?
>
> Since they are regular HTML files (and we have lots), I can't check
> whether the user has a valid session as I would do in a PHP file.

If you are using Linux Apache ... just use a .htaccess file like the one below:

    AuthUserFile /usr/home/.htpasswd
    AuthName "Secret Area"
    AuthType Basic
    <FilesMatch "\.(gif|jpe?g|png|htm|html)$">
    require valid-user
    </FilesMatch>

With this you restrict access to only the users listed in the /usr/home/.htpasswd file, which looks like:

    user1:668c1d6Hc6yCg
    test:85FRBo8cHrAZc

The code after ":" is an MD5 key. The FilesMatch means that all files ending with .gif, .html, ... are restricted and .php is not.

In a PHP file you can now read the authentication from a user and compare it with the /usr/home/.htpasswd entries.

    <?php
    ...
    if (!isset($PHP_AUTH_USER)) {
        // $PHP_AUTH_USER is empty ... no login
        header('WWW-Authenticate: Basic realm="My Private Stuff"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Authorization Required.';
        exit;
    }
    // If not empty, check authentication ...
    else {
        if ($PHP_AUTH_USER==$username && $PHP_AUTH_PW==$mypasswd) {
            echo "<P>Your Login is OK";
    ?>
    ...
    <?php
        } else {
            echo "<P>wrong login !";
        }
    }
    ?>

Note that the /usr/home/.htpasswd file must include all usernames and passwords as MD5. You can create a line of this file with:

    <?php echo "$username:".md5($mypasswd); ?>

Maybe you can also use mod_auth_db ... but this is Apache specific, so take a look at http://httpd.apache.org/docs/mod/core.html

--
 @  Goetz Lohmann, Germany | Web-Developer Sys-Admin
\/  --
()  He's the fellow that people wonder what he does and
||  why the company needs him, until he goes on vacation.
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: restricting access to files

Goetz Lohmann wrote:
> Shams wrote:
>> Hi,
>>
>> I've written a secure PHP login script which will allow users to log in
>> to a directory such as this:
>>
>> smezone.com/members/index.php
>>
>> However, how do I restrict people from accessing HTML files in that
>> directory (which they can easily do by typing the URL into their
>> browser), such as:
>>
>> smezone.com/members/document1.html ?
>>
>> Since they are regular HTML files (and we have lots), I can't check
>> whether the user has a valid session as I would do in a PHP file.

Maybe take a look at:

http://hotwired.lycos.com/webmonkey/00/05/index2a_page3.html?tw=programming

But note that normally $PHP_AUTH_PW is the password in clear text, but the .htaccess file stores it as an MD5 key!

--
 @  Goetz Lohmann, Germany | Web-Developer Sys-Admin
\/  --
()  He's the fellow that people wonder what he does and
||  why the company needs him, until he goes on vacation.
[PHP] Re: restricting access to files

Goetz Lohmann wrote:
> Note that the /usr/home/.htpasswd file must include all usernames and
> passwords as MD5. You can create a line of this file with:
>
>     <?php echo "$username:".md5($mypasswd); ?>
>
> Maybe you can also use mod_auth_db ... but this is Apache specific, so
> take a look at http://httpd.apache.org/docs/mod/core.html

Oops ... don't use the default md5() function because it is not equal to that of Linux in .htpasswd files; use instead:

    <?php $password=crypt($PHP_AUTH_PW,substr($PHP_AUTH_PW,0,2)); ?>

to generate an MD5 password.

--
 @  Goetz Lohmann, Germany | Web-Developer Sys-Admin
\/  --
()  He's the fellow that people wonder what he does and
||  why the company needs him, until he goes on vacation.
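
Added example (not part of the original posts and not the poster's code): verifying the clear-text Basic-auth password against 13-character crypt() entries like the two .htpasswd lines shown in the thread. The stored hash is handed to crypt() as the salt, so the salt is never derived from the password itself; the function names and the sample entry are constructed for illustration.

```php
<?php
// Added example, not from the thread. Function names are illustrative.

// Parse .htpasswd-style text ("user:hash" per line) into [user => hash].
function parse_htpasswd(string $text): array
{
    $users = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || strpos($line, ':') === false) {
            continue; // skip blank, comment and malformed lines
        }
        [$user, $hash] = explode(':', $line, 2);
        $users[$user] = $hash;
    }
    return $users;
}

// Check the clear-text Basic-auth password against the stored crypt() hash.
function check_htpasswd(array $users, string $user, string $password): bool
{
    if (!isset($users[$user])) {
        return false;
    }
    $stored = $users[$user];
    // Passing the stored hash as the salt makes crypt() reuse its salt.
    $computed = crypt($password, $stored);
    // On failure crypt() returns a short marker such as "*0"; reject it.
    return strlen($computed) >= 13 && hash_equals($stored, $computed);
}

// Constructed sample entry: traditional 13-character crypt() hash with a
// random two-character salt. This format only uses the first 8 characters
// of the password.
$alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
$salt = $alphabet[random_int(0, 63)] . $alphabet[random_int(0, 63)];
$sample = "# constructed sample\nalice:" . crypt('s3cret-pw', $salt) . "\n";

$users = parse_htpasswd($sample);
var_dump(check_htpasswd($users, 'alice', 's3cret-pw'));
var_dump(check_htpasswd($users, 'alice', 'wrong-pw'));
var_dump(check_htpasswd($users, 'mallory', 's3cret-pw'));
```

With the handler from the first message, `$PHP_AUTH_USER` and `$PHP_AUTH_PW` would be passed as `$user` and `$password`.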
[PHP] Re: restricting access to files

Goetz Lohmann wrote:
> Goetz Lohmann wrote:
>> Maybe you can also use mod_auth_db ... but this is Apache specific, so
>> take a look at http://httpd.apache.org/docs/mod/core.html
>
> Oops ... don't use the default md5() function because it is not equal to
> that of Linux in .htpasswd files; use instead:
>
>     <?php $password=crypt($PHP_AUTH_PW,substr($PHP_AUTH_PW,0,2)); ?>
>
> to generate an MD5 password.

Maybe take a look at http://www.diegonet.com/support/mod_auth_mysql.shtml ;-)

--
 @  Goetz Lohmann, Germany | Web-Developer Sys-Admin
\/  --
()  He's the fellow that people wonder what he does and
||  why the company needs him, until he goes on vacation.