Jump to content

.htaccess & PHP


Janus13

Recommended Posts

This question could be asked in two different places on the forum so I'm going to post it in both - mods, I hope that's ok.

I'm trying to figure out if it's possible to get PHP and Apache .htaccess to work together to achieve a single sign on.  I have a directory security program I have written to protect directories on apache servers so it's more flexible than just having to manually create password files and us .htaccess.  At the moment I have to have it display two different login boxes. The first one is a php page that has a login form, then compares the form information to a mysql database for authentication.  If successful then it sends the user to the protected directory, and if that directory has a .htaccess file and rule setup for a password file it prompts again for user credentials.  What I want to do is figure out a way to pass the php login information to Apache so it will accept that as login credentials and not prompt the second time.  Is this possible?

Thanks for any help! I can't imagine I'm the first to want to do this, so hopefully someone has some ideas.
Link to comment
Share on other sites

One way to get PHP and Apache talking to each other is through [url=http://httpd.apache.org/docs/2.0/env.html]Apache's environmental variables[/url] and [url=http://us3.php.net/manual/en/ref.apache.php]PHP's Apache-specific[/url] functions (see links for reference). I'm assuming you have Apache 2, but it should work the same in 1.3. What I would try is once a user has logged in, use apache_setenv() in this manner:

[code]
  apache_setenv("DISABLE_HTA",1,walk_to_top);

[/code]

Then in your httpd file, change your AccessFileName directive to something like this:

[code]
  AccessFileName .htaccess env=!DISABLE_HTA

[/code]

In theory this should disable .htaccess across the entire server when the first block of code is used, although I've never tried it  ;D . If you want to disable .htaccess for just a specific directory, you could create a new <directory> block in you httpd file for each folder and define different environmental variables to set them apart. You also might be able to use the conditional statement (env=!DISABLE_HTA) in the .htaccess files themselves. Tell me how it works for you and if you need further guidance. Again, I've never tried this technique but its an interesting application.
Link to comment
Share on other sites

Oh, It's not that I want to disable .htaccess support, I know how to do that, but rather I want to use both htaccess and php/db password comparison together in a single sign on type setup. To me it would be the most secure way to do it, but from what I can tell it isn't possible the way I envision it.
Link to comment
Share on other sites

But wouldn't that accomplish the same thing? I understand in principle it isn't, but technically disabling protection is the same as authenticating. And you would only be disabling .htaccess on a per-user, per-session, per-directory (potentially) basis.

On another note take a look at this. I think this maybe closer to what you're looking for:

[url=http://us2.php.net/features.http-auth]HTTP authentication with PHP[/url]
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.