Jump to content

Archived

This topic is now archived and is closed to further replies.

Janus13

.htaccess & PHP

Recommended Posts

This question could be asked in two different places on the forum so I'm going to post it in both - mods, I hope that's ok.

I'm trying to figure out if it's possible to get PHP and Apache .htaccess to work together to achieve a single sign on.  I have a directory security program I have written to protect directories on apache servers so it's more flexible than just having to manually create password files and us .htaccess.  At the moment I have to have it display two different login boxes. The first one is a php page that has a login form, then compares the form information to a mysql database for authentication.  If successful then it sends the user to the protected directory, and if that directory has a .htaccess file and rule setup for a password file it prompts again for user credentials.  What I want to do is figure out a way to pass the php login information to Apache so it will accept that as login credentials and not prompt the second time.  Is this possible?

Thanks for any help! I can't imagine I'm the first to want to do this, so hopefully someone has some ideas.

Share this post


Link to post
Share on other sites
One way to get PHP and Apache talking to each other is through [url=http://httpd.apache.org/docs/2.0/env.html]Apache's environmental variables[/url] and [url=http://us3.php.net/manual/en/ref.apache.php]PHP's Apache-specific[/url] functions (see links for reference). I'm assuming you have Apache 2, but it should work the same in 1.3. What I would try is once a user has logged in, use apache_setenv() in this manner:

[code]
  apache_setenv("DISABLE_HTA",1,walk_to_top);

[/code]

Then in your httpd file, change your AccessFileName directive to something like this:

[code]
  AccessFileName .htaccess env=!DISABLE_HTA

[/code]

In theory this should disable .htaccess across the entire server when the first block of code is used, although I've never tried it  ;D . If you want to disable .htaccess for just a specific directory, you could create a new <directory> block in you httpd file for each folder and define different environmental variables to set them apart. You also might be able to use the conditional statement (env=!DISABLE_HTA) in the .htaccess files themselves. Tell me how it works for you and if you need further guidance. Again, I've never tried this technique but its an interesting application.

Share this post


Link to post
Share on other sites
Oh, It's not that I want to disable .htaccess support, I know how to do that, but rather I want to use both htaccess and php/db password comparison together in a single sign on type setup. To me it would be the most secure way to do it, but from what I can tell it isn't possible the way I envision it.

Share this post


Link to post
Share on other sites
But wouldn't that accomplish the same thing? I understand in principle it isn't, but technically disabling protection is the same as authenticating. And you would only be disabling .htaccess on a per-user, per-session, per-directory (potentially) basis.

On another note take a look at this. I think this maybe closer to what you're looking for:

[url=http://us2.php.net/features.http-auth]HTTP authentication with PHP[/url]

Share this post


Link to post
Share on other sites

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.