
I have some folders that are password protected with htaccess files and htpasswd files. For users that own the folders, I want them to be able to view files in that folder without having to log in. I thought that it might be possible by setting the $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] variables, but it doesn't seem to work. Is there a way I can make PHP think that the user is authenticated for that resource?

All HTTP logins can be bypassed by doing this to the URL:

http://username:password@login.somesite.com/

Put a username:password where the site's HTTP login is.

It will auto-login using those in the URL, and then ask if it doesn't get in.

Bypassed?

You could also set up an .htaccess file to stop any access to the directory apart from the IP address of the company providing the service,

then have a PHP script read from that path,

or have the files stored outside of the public_html folder and use PHP to read from there.
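The suggestion above (files kept outside public_html, read by PHP) can be sketched as follows. This is an added example, not code from any poster in the thread; the gallery path, the `file` parameter, the `PwdHash` column, the `unlocked` session key and the sample `$row` are assumptions.

```php
<?php
// image.php: added example. GALLERY_ROOT, the request parameters, the 'PwdHash'
// column and the sample $row are assumptions, not taken from the thread's site.
session_start();

const GALLERY_ROOT = '/home/example/private_gallery'; // outside public_html

// Map UserID/Folder/file to a real path; reject anything outside GALLERY_ROOT.
function resolve_image(string $root, string $userId, string $folder, string $file): ?string {
    $base = realpath($root);
    $path = realpath($root.'/'.basename($userId).'/'.basename($folder).'/'.basename($file));
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    return strncmp($path, $base.DIRECTORY_SEPARATOR, strlen($base) + 1) === 0 ? $path : null;
}

// The owner is never prompted; other visitors must have unlocked the folder.
function may_view(array $session, array $row): bool {
    if ((string)$row['Password'] !== '1') {
        return true; // folder is not private
    }
    if (isset($session['UserID']) && (string)$session['UserID'] === (string)$row['UserID']) {
        return true;
    }
    return !empty($session['unlocked'][$row['UserID'].'/'.$row['Folder']]);
}

// Constructed sample row; the real one is looked up for the requested gallery.
$row = ['UserID' => '42', 'Folder' => 'holiday', 'Password' => '1',
        'PwdHash' => password_hash('constructed-sample', PASSWORD_DEFAULT)];

// A visitor submits the folder password once through an HTML form, not a 401 prompt.
$pw = $_POST['folder_password'] ?? null;
if (is_string($pw) && password_verify($pw, $row['PwdHash'])) {
    $_SESSION['unlocked'][$row['UserID'].'/'.$row['Folder']] = true;
}
if (!may_view($_SESSION, $row)) {
    http_response_code(403);
    exit("This gallery is private\n");
}
$file = $_GET['file'] ?? '';
$path = resolve_image(GALLERY_ROOT, $row['UserID'], $row['Folder'], is_string($file) ? $file : '');
if ($path === null) {
    http_response_code(404);
    exit("Not found\n");
}
header('Content-Type: '.mime_content_type($path));
header('Content-Length: '.filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Gallery pages would then reference images as `image.php?file=photo.jpg` instead of a direct path, so a hotlinked or pasted URL gets a 403 unless the session belongs to the owner or has unlocked the folder.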

I'm trying to do something like this; this is rough. I want to restrict with my standard htaccess file and htpasswd file, but if the user is the one who created the directory, then I don't want them to have to log in. I was hoping I could pass the authentication through code somehow so Apache thought it had been authenticated.

// Send a Basic auth challenge for the given realm and stop.
function authenticate($realm) {
    header('WWW-Authenticate: Basic realm="'.$realm.'"');
    header('HTTP/1.0 401 Unauthorized');
    echo "You must enter a valid login ID and password to access this gallery\n";
    exit;
}
if(!$msg) {
    session_start();
    //check to see if private
    if($row['Password']=="1"){
        //$auth = $row['UserID'].$row['Folder'];
        $foldername = $row['Folder'];
        // Logged-in owner of the folder: fill in the Basic auth variables for this request
        if($_SESSION['UserID']==$row['UserID']) {
            define('USER_AUTHENTICATED',true);
            $_SERVER['PHP_AUTH_USER']=$foldername;
            $_SERVER['PHP_AUTH_PW']=$row['Pwd'];
        }
        require_once 'http_authenticate.php';
        //validate login information

        // Debug output; this key is only set when the client sent Digest credentials
        if(isset($_SERVER['PHP_AUTH_DIGEST'])) {
            echo $_SERVER['PHP_AUTH_DIGEST'];
        }
        if(isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])){
            // this simply means that they have submitted the login form for this realm
            $htpasswd = "Gallery/".$row['UserID']."/".$row['Folder']."/.htpasswd";
            $auth=http_authenticate($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW'],$htpasswd);
            // define() cannot redefine a constant, so only set it if the owner branch did not
            if(!defined('USER_AUTHENTICATED')) {
                define('USER_AUTHENTICATED',$auth);
            }
        }
        if($foldername == $_SERVER['PHP_AUTH_USER'] && $_SESSION['UserID']!=$row['UserID']) {
            authenticate($row['Folder']);
        }
        if($_SESSION['UserID']!=$row['UserID']) {
            if(defined('USER_AUTHENTICATED') && USER_AUTHENTICATED) {
                // authentication successful - show the content

            } else {
                authenticate($row['Folder']);
            }
        }
    }
}

If you are using htaccess for authentication control, you can't have PHP tell Apache that a user is authenticated... Apache will see, and utilize, the htaccess file before it even opens the .php file to read it and see what's in it.

You may be able to play with the authentication headers, if you redirect the user from a PHP file to your protected file, and see if that will work... this may help:

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.8

I see what you're saying. My problem is that only the images in the folder are password protected, so when the page is displayed, you see the page and then when the first image loads it fires the authentication. I'm probably going about this wrong. I want to password protect some folders so that they cannot be hotlinked and be opened directly from the link. The only way I knew to protect them was by using an htaccess/htpasswd file. How else could I do this so the files in the folder cannot be viewed without a password input? Thanks for the help.

My solution would be to store them in a database so you can manage it all through code instead of 15 different configurations that change depending on your host... but there are people here who will debate storing images or other binary data in a database. :)
