On 23 Sep 2002 at 8:14, [EMAIL PROTECTED] wrote:

> I have set up a section of my company site for use by authorized dealers
> only. I am currently using mysql authorization, which works for the
> first page, but if someone were to type in the url of an underlying page
> they would be able to get in without authorization. I know I could use
> .htaccess for handling this but with a minimum of 350-400 users to keep
> track of that would be unwieldy to say the least, especially for my
> boss who doesn't have a clue about *nix and has never even heard of
> .htaccess.
>
> What other options do I have to keep the underlying pages from being
> accessed without the user being forced to go through the logon screen?

Umm .. I did something along these lines awhile back ... yeah, I had all the public pages outside of the document root. I had every request for a page going to my script; if the person was recognized (using a cookie), I would get the page they wanted and return it. Plain cgi and was fast enough. You could do this in PHP. No one can access the restricted pages as they are outside the doc root.

This is of course something for mod_perl where you can write your own auth handler and you don't need to do something as goofy as I did above. I don't think PHP has that ability. Your pages can still be in PHP.

Here is an example (I just wrote this up real quick so if you go this route, do your homework):

http://www.schoenster.com/authtest/

The above url is protected by a mod_perl handler which requires a cookie (script below). If you go to the above url you get redirected here:

http://www.schoenster.com/login.php

Enter something, cookie set, you are in. Click on welcome.php and logout to kill the cookie.

I don't know how you can do this in PHP without doing something goofy like I suggest above or other suggestions I've seen.

I use an .htaccess file in /authtest:

    PerlAccessHandler Apache::GateKeeper
    PerlSetVar login_failure_handler 'http://www.schoenster.com/login.php'
    PerlSetVar column_name username

The mod_perl handler is such (I just cut, pasted from some other stuff):

    package Apache::GateKeeper;
    use strict;
    use Apache::Constants qw(:common REDIRECT);

    # Access handler: let the request continue when the cookie is present,
    # otherwise redirect the client to the login page.
    sub handler {
        my $r = shift;
        my $location = $r->dir_config("login_failure_handler");
        my $okay = get_cookie($r);
        if ($okay) {
            return DECLINED;
        } else {
            $r->header_out( Location => $location );
            return REDIRECT;
        }
    }

    # Returns 1 when the request carries a non-empty cookie whose name is the
    # value of the column_name setting. Only presence is checked, not the value.
    sub get_cookie {
        my $r = shift;
        my %headers_in = $r->headers_in;
        my $cookie = $headers_in{'Cookie'};
        $cookie = '' unless defined $cookie;
        my %cookie = ();
        my (@bites) = split /;/, $cookie;
        for (@bites) {
            # Limit of 2 keeps any '=' inside the cookie value intact.
            my ($n, $v) = split /=/, $_, 2;
            next unless defined $n;
            $n =~ s/^\s+//;
            $cookie{$n} = $v;
        }
        my $username = $r->dir_config("column_name");
        if ($cookie{$username}) {
            return 1;
        } else {
            return undef;
        }
    }

    1;

Now, if you reckon I should have only given a solution as above in PHP, well, I would have if I had known one. The solutions I've seen so far are not very elegant or evolutionary imho. Can the above be done in PHP so you don't have to tell every page you write to check for permissions?

Peter
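
The handler in the message above admits any request that carries a cookie with the configured name, so the cookie's value is never verified. The following is an added example, not part of Peter's post, of a cookie check that accepts only a server-signed, unexpired token and rejects a bare or altered cookie. The token format, `$SECRET`, the function names and the sample cookie headers are assumptions made for illustration; `Digest::SHA` is a core Perl module.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: server-side secret; constructed value, load the real one from config.
my $SECRET = 'constructed-demo-secret';

# Issued by the login script after the password check succeeds.
# Hypothetical cookie value format: user:expiry_epoch:hex_hmac
sub make_token {
    my ($user, $expires) = @_;
    return join ':', $user, $expires, hmac_sha256_hex("$user:$expires", $SECRET);
}

# Constant-time string comparison for the MAC check.
sub secure_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the username for a valid, unexpired token in the named cookie, else nothing.
sub authorized_user {
    my ($cookie_header, $cookie_name, $now) = @_;
    for my $pair (split /;\s*/, defined $cookie_header ? $cookie_header : '') {
        my ($n, $v) = split /=/, $pair, 2;
        next unless defined $v && $n eq $cookie_name;
        my ($user, $expires, $mac) = split /:/, $v, 3;
        next unless defined $mac && $expires =~ /\A\d+\z/ && $expires > $now;
        return $user if secure_eq($mac, hmac_sha256_hex("$user:$expires", $SECRET));
    }
    return;
}

# Constructed sample Cookie headers, evaluated at a fixed clock value.
my $now  = 1_032_800_000;
my $good = make_token('dealer42', $now + 3600);
(my $forged = $good) =~ s/^dealer42/dealer99/;
my @cases = (
    ['valid token',   "lang=en; username=$good"],
    ['bare cookie',   'username=anything'],
    ['altered user',  "username=$forged"],
    ['expired token', 'username=' . make_token('dealer42', $now - 1)],
    ['no cookie',     undef],
);
for my $c (@cases) {
    my $user = authorized_user($c->[1], 'username', $now);
    printf "%-13s => %s\n", $c->[0], defined $user ? "allow ($user)" : 'redirect';
}
```

Inside a mod_perl 1 access handler, the same check would be called as `authorized_user($r->header_in('Cookie'), $r->dir_config('column_name'), time)`, returning `DECLINED` on a username and `REDIRECT` otherwise.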