[SOLVED] Handling HTTP Basic Authentication with PHP


rtoscano

Hi,

 

I've been searching the internet for a few hours and have hit all too many tutorials/articles about how to request HTTP credentials from a user using PHP. This is not what I want to do.

 

I am running Apache 2 with PHP 5. I have a protected area in my website that I want to protect with HTTP basic authentication. However, I have a PHP login/logout mechanism where usernames and passwords are grabbed from a database and that has nothing to do with the HTTP authentication. What I would like to do is when the user successfully logs in with my PHP script, they will also be HTTP authenticated with Apache. In other words, if the user tries to access the protected content, they won't be prompted with the browser credential input box. Instead, they will never see this prompt because my PHP script took care of it.

 

Do I have to write the Authentication headers myself? Can I store a cookie on the client so that Apache will think they're authenticated? Is there an easier way to do this? Thanks in advance.


What you are asking doesn't make sense. You do HTTP authentication with .htaccess and Apache. If you want your PHP script to log in automatically, don't use HTTP authentication. Just use normal PHP authentication.

 

It sounds like you are using the wrong tools for the job.

 

What exactly are you trying to accomplish?

 

monk.e.boy


I guess I should have been clearer in my first post. The reason why I cannot protect the protected area with my PHP authentication mechanism is that they are not PHP files. The only way I could think of protecting image files like .jpg, .gif, and other non-.php files was to use HTTP authentication. I don't want these files available to people who haven't logged in to the PHP mechanism, but I do want them available to people who are logged in. However, I don't want to prompt them for a separate user name and password just so they can access the protected content after they've already logged in. I hope I made my task clearer and I really appreciate the quick response.


Thanks for the tip, I never thought to search for the hot-linking problem. However, this doesn't seem like a very secure way to protect my image files from people who don't have an account with my website. Couldn't I synthesize an HTTP request that has the appropriate referrer in order to gain access to the images? Couldn't I obtain this appropriate referrer from observing an existing HTTP request? What about browsers that don't support including a referrer in their image request? Will I have to synthesize an appropriate HTTP request for every image request that they make? Isn't there a way to place a cookie on the client's machine that will let Apache know that this user is already valid?

 

My site is protected with SSL, which means that any password exchange is encrypted. And I suppose so too would be the HTTP referrer. So I guess the hot-linking solution would work, it just doesn't seem like a very clean way of going about things. I'd have to make entries for different file types and for different directories (if the protected areas are scattered). Any other solutions? Thanks again.


The only thing I can think of is doing something like:

 

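<?php

// is_logged_in() stands for the site's own login check
if( is_logged_in() )
{
  // tell the browser this response is a JPEG, then send the file
  header('Content-Type: image/jpeg');
  @readfile('/images/kittens.jpg');
}

?>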

 

Save this file as kittens.php, then include the file as <img src="kittens.php">

 

You may need to mangle the headers to make them 'img/jpg'. You could also move the images out of the web folder, so only PHP can access them and Apache can't access them. On my setup Apache can access anything beneath /var/www/html/, so I would put my images in /usr/website/images/kitten.jpg

 

I have no idea if this exact code will work, but the concept should do.

 

monk.e.boy


Wow, I like the solution you described, monk.e.boy. I could have a PHP page, serveImage.php, that takes in some URL arguments like the path to the image, and then write the appropriate image headers to send the image back. I wonder what kind of effects this will have on the browser experience and other parts of my website. I'll try to implement this and post if there were any drawbacks or anything I can't think of now. Thanks again for the solution.

 

Thanks mbtaylor for your suggestion, but that is not what I want to do as I said in my first post on this thread. That tutorial shows you how to ask the user for HTTP authentication credentials with PHP. I do not want to prompt the user for these credentials. But according to monk.e.boy, I won't even need to use HTTP authentication.

 

And I believe the solution you provided, ShogunWarrior, is similar to monk.e.boy's.

 

Could this also be a solution for the hot-linking problem?


Could this also be a solution for the hot-linking problem?

 

Heheh, well, if there is a function that solves hot linking and it is built into PHP already, I would hazard a guess that someone beat you to it ;)

 

If I were you I'd do some .htaccess rewrite rules that change any URL with a .png|.jpg|.gif to redirect to your PHP script that checks that the user is logged in, then displays the image. If they are not logged in you can display an image saying 'not logged in'.

 

Imageshack.com does this when an image exceeds bandwidth for a month: they replace it with a message.

 

monk.e.boy
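
The approach the thread settles on (a PHP script that checks the login, then streams an image kept outside the web root, reached through a rewrite rule), written out as an added example that is not code from any poster. It assumes PHP 7.1 or later; `$_SESSION['user_id']`, the `file` parameter, the constant and function names, and the rewrite rule in the comment are hypothetical, while the image directory is the one mentioned above.

```php
<?php
// serveImage.php (added example). Assumed names: $_SESSION['user_id'] set by the
// site's login script, ?file= parameter, images kept in /usr/website/images.
// Assumed .htaccess rule routing image URLs here:
//   RewriteEngine On
//   RewriteRule ^images/(.+\.(?:png|jpe?g|gif))$ serveImage.php?file=$1 [L]
const IMAGE_ROOT = '/usr/website/images';      // outside Apache's DocumentRoot
const IMAGE_TYPES = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'gif' => 'image/gif',  'png'  => 'image/png',
];

/** Return [absolute path, MIME type], or null when the request must be refused. */
function resolve_image($requested): ?array
{
    if (!is_string($requested) || strpos($requested, "\0") !== false) {
        return null;                           // arrays and NUL bytes are rejected
    }
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!isset(IMAGE_TYPES[$ext])) {
        return null;                           // only the image types we serve
    }
    $root = realpath(IMAGE_ROOT);
    $path = realpath(IMAGE_ROOT . '/' . $requested);
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() has resolved "../" and symlinks; the result must stay under root.
    $prefix = $root . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? [$path, IMAGE_TYPES[$ext]] : null;
}

session_start();
$loggedIn = !empty($_SESSION['user_id']);
session_write_close();                         // release the session lock early
if (!$loggedIn) {
    http_response_code(403);
    exit;
}
$image = resolve_image($_GET['file'] ?? null);
if ($image === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: ' . $image[1]);
header('Content-Length: ' . filesize($image[0]));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');    // do not leave copies in caches
readfile($image[0]);
```

Because the file name arrives in the URL, the containment check after `realpath()` is what keeps the script from serving files outside the image directory to any logged-in user. Closing the session before streaming lets a page with many protected images load them in parallel instead of one at a time.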
