.htaccess & PHP

[Janus13]

This question could be asked in two different places on the forum so I'm going to post it in both - mods, I hope that's ok.

I'm trying to figure out if it's possible to get PHP and Apache .htaccess to work together to achieve a single sign on.  I have a directory security program I have written to protect directories on apache servers so it's more flexible than just having to manually create password files and us .htaccess.  At the moment I have to have it display two different login boxes. The first one is a php page that has a login form, then compares the form information to a mysql database for authentication.  If successful then it sends the user to the protected directory, and if that directory has a .htaccess file and rule setup for a password file it prompts again for user credentials.  What I want to do is figure out a way to pass the php login information to Apache so it will accept that as login credentials and not prompt the second time.  Is this possible?

Thanks for any help! I can't imagine I'm the first to want to do this, so hopefully someone has some ideas.

[R_P]

One way to get PHP and Apache talking to each other is through [url=http://httpd.apache.org/docs/2.0/env.html]Apache's environmental variables[/url] and [url=http://us3.php.net/manual/en/ref.apache.php]PHP's Apache-specific[/url] functions (see links for reference). I'm assuming you have Apache 2, but it should work the same in 1.3. What I would try is once a user has logged in, use apache_setenv() in this manner:

[code]
  apache_setenv("DISABLE_HTA",1,walk_to_top);

[/code]

Then in your httpd file, change your AccessFileName directive to something like this:

[code]
  AccessFileName .htaccess env=!DISABLE_HTA

[/code]

In theory this should disable .htaccess across the entire server when the first block of code is used, although I've never tried it  ;D . If you want to disable .htaccess for just a specific directory, you could create a new <directory> block in you httpd file for each folder and define different environmental variables to set them apart. You also might be able to use the conditional statement (env=!DISABLE_HTA) in the .htaccess files themselves. Tell me how it works for you and if you need further guidance. Again, I've never tried this technique but its an interesting application.

[Janus13]

Oh, It's not that I want to disable .htaccess support, I know how to do that, but rather I want to use both htaccess and php/db password comparison together in a single sign on type setup. To me it would be the most secure way to do it, but from what I can tell it isn't possible the way I envision it.

[R_P]

But wouldn't that accomplish the same thing? I understand in principle it isn't, but technically disabling protection is the same as authenticating. And you would only be disabling .htaccess on a per-user, per-session, per-directory (potentially) basis.

On another note take a look at this. I think this maybe closer to what you're looking for:

[url=http://us2.php.net/features.http-auth]HTTP authentication with PHP[/url]