
I have been protecting directories with .htaccess files for a while now. However, as you get a lot of users that need to authenticate to a directory you can start to have performance issues on the server. I then started to stream all content through PHP to the user, but if you have large files, and lots of hits to the server, you will also begin to experience performance issues. Not to mention you have issues with some web hosts not giving you control over the execution time limits of a PHP script, which will halt all PHP-initiated streams.

 

I got to thinking. Instead of authenticating each user through a .htaccess file I could have a .htaccess file that would only allow one user to authenticate to the directory and all files inside from outside the server. This one user would be operated by the PHP script. The user visiting the site would have no idea of this authentication mechanism. Essentially if they wanted to download a file from directory x, the only way they would be able to do so would be through the PHP script. If they visited the directory directly without being passed through the PHP script, they would be denied access. This would allow normal PHP authentication and access mechanisms for protected directory and file access.

 

I have seen various sites employ a theory like this, at least that is how I perceive it. I, the visiting user, would not have to log in to access the site's download section. However, if I navigate to the web directory without the aid of the site's PHP scripts, I get an access denied message. My problem is, I don't know quite how to make this happen. I am not sure how to give PHP the ability to authenticate the user's browser session with a set of user credentials unknown to the visiting user so that they can have access to the protected directory or file. Does anyone know how to point me in the right direction to make this happen?

 

Thanks in advance.

https://forums.phpfreaks.com/topic/73163-php-authentication-to-directory/

This is very similar to my recent post entitled: "When .htaccess can't protect a file". I'm convinced Apache or Unix/Linux security is the best way to protect files from direct access.

I am attempting to allow people to log in via my PHP authentication mechanism and allow them to also be simultaneously authenticated with the web browser to have direct access to a given web directory that they wouldn't normally have access to. I am trying to avoid a dual login. One to my PHP scripts and another to the protected web directory. There is nothing worse than having to log in twice to do something.

 

Anyone know how to constructively do this? I would like to accomplish this on shared web hosting where I don't have control over the Unix/Linux box but do have access to make .htaccess files to protect a directory.
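
An added example, not code from any poster in this thread: one way to get the behaviour asked about is to deny the directory to every browser in .htaccess and let a PHP gate decide who may fetch a file, so no shared credential ever reaches the visitor. The paths, the `get.php` name, the `user_id` session key and the availability of mod_xsendfile are assumptions.

```php
<?php
// Added example. Assumed layout (hypothetical names):
//   /home/site/protected/.htaccess   contains "Require all denied" (Apache 2.4)
//   /home/site/public_html/get.php   this script, called as get.php?file=report.pdf
declare(strict_types=1);

const PROTECTED_DIR = '/home/site/protected'; // hypothetical path
const USE_XSENDFILE = false; // true only if the host has mod_xsendfile with "XSendFile On"

/** Map a requested name to a real file inside $baseDir, or null if it escapes or is missing. */
function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and symlinks, so the prefix test sees the final location.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || !is_file($path) || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) { // assumed key, set by the site's own PHP login
    http_response_code(403);
    exit('Access denied');
}

$name = $_GET['file'] ?? '';
$file = is_string($name) ? resolve_download(PROTECTED_DIR, $name) : null;
if ($file === null) {
    http_response_code(404);
    exit('Not found');
}

session_write_close(); // release the session lock before a long transfer
$safeName = str_replace(['"', "\r", "\n"], '', basename($file));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $safeName . '"');

if (USE_XSENDFILE) {
    header('X-Sendfile: ' . $file); // Apache delivers the file; PHP is done immediately
    exit;
}
header('Content-Length: ' . filesize($file));
readfile($file); // fallback: PHP streams the file itself
```

With `USE_XSENDFILE` enabled the transfer is handled by Apache rather than by the PHP process, which addresses the execution-time-limit concern raised in the first post; the fallback branch is still subject to it.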
