.htaccess and pw files are pointless, who wants to maintain potentially
10 or 20 of these things? Furthermore, it's gotta do more than just
serve a single file at a time -- that's simple... I needed
directory-level security.
The solution I came up with was to use a module called mod_auth_any,
which (with a little minor adjustment) can execute a PHP script from the
console and rely on its response to grant authentication or not. That
gives me Apache-level security without Apache-authentication.
John
-Original Message-
From: J Smith [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 06, 2002 3:58 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Re: PHP-Based Authentication Security?
An easier way to do it might be to use HTTP authentication with apache
using .htaccess and .htpasswd files, which can be placed in the secure
directories. (Or use one global .htpasswd file and have all .htaccess
files point to it.)
Another possibility would be to set up two PHP scripts, one being some
kind of form to enter a username, password, etc., and another to check
the input and act as a pass-thru for the file to be downloaded. The second
script could look something like this (obviously simplified):
// $authenticated is set by the login check; $filename comes from the request
if ($authenticated)
{
    header("Content-type: whatever/text");
    readfile($filename);
}
else
{
    print "You can't download this.";
}
Which you would call as something like:
http://www.example.com/path/download.php?filename=somefile.txt
Obviously, you need to take care of a few security problems, like making
sure they don't do something like
http://www.example.com/path/download.php?filename=/etc/passwd
And you'd have to make sure the file exists and such before sending it
out. And determine the MIME type of the file. (I usually do this by
extension.)
But overall, it would work. I have a similar script, minus the
authentication feature.
J
John Coggeshall wrote:
Hey all..
I've got a question -- I'd like to restrict access to entire
directories based on if the user has been authenticated or not.
Basically, I'd like to set up an auto-include *FROM APACHE* to run a
PHP script prior to sending any documents what-so-ever and only send
the requested document if the PHP script allows it. So..
Request Made - PHP Script Runs - PHP Checks Authentication - PHP
says OK - Apache sends file normally
Or..
Request Made - PHP Script Runs - PHP Checks Authentication - PHP
says NO - Apache stops dead in its tracks or displays an HTTP error
Is this possible? It has to work for any document or MIME type and be
restrictable by directory... (i.e. I just want this happening in a
/secure/ directory)
John
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
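
Added example, not part of the original thread and not J's own script: a hardened form of the download.php pass-through sketched above, covering the three checks that message lists (no /etc/passwd-style paths, the file must exist, MIME type chosen by extension). The DOWNLOAD_ROOT path, the $_SESSION['authenticated'] flag and the resolve_download() helper are assumptions made for illustration.

```php
<?php
// Assumptions (not from the thread): files live under DOWNLOAD_ROOT, outside the
// web root, and an earlier login script set $_SESSION['authenticated'] to true.
const DOWNLOAD_ROOT = '/var/www/protected-files';   // hypothetical path

// Extension-to-MIME allow-list; anything not listed is refused rather than guessed.
const MIME_BY_EXT = [
    'txt' => 'text/plain',
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'zip' => 'application/zip',
];

// Returns the canonical path of the requested file, or null if it must not be served.
function resolve_download(string $root, string $requested): ?string
{
    $rootReal = realpath($root);
    // realpath() collapses "..", symlinks and doubled slashes; false if the target is missing.
    $fileReal = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($rootReal === false || $fileReal === false) {
        return null;
    }
    // The resolved path must still sit under the root; the trailing separator
    // stops a sibling such as /var/www/protected-files-old from matching.
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($fileReal, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($fileReal) ? $fileReal : null;
}

session_start();
if (empty($_SESSION['authenticated'])) {
    http_response_code(403);
    exit("You can't download this.");
}

// A non-string parameter (e.g. filename[]=x) is treated as an empty name.
$name = $_GET['filename'] ?? '';
$path = is_string($name) ? resolve_download(DOWNLOAD_ROOT, $name) : null;
$ext  = $path === null ? '' : strtolower(pathinfo($path, PATHINFO_EXTENSION));
$mime = MIME_BY_EXT[$ext] ?? null;
if ($path === null || $mime === null) {
    http_response_code(404);
    exit('No such file.');
}

header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

With this in place, filename=/etc/passwd and filename=../../etc/passwd both end in the 404 branch, because the canonical path no longer starts with the download root.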