ktuimala Posted October 14, 2007

I have been protecting directories with .htaccess files for a while now. However, as you get a lot of users that need to authenticate to a directory you can start to have performance issues on the server. I then started to stream all content through PHP to the user, but if you have large files, and lots of hits to the server, you will also begin to experience performance issues. Not to mention you have issues with some web hosts not giving you control over the execution time limits of a PHP script, which will halt all PHP-initiated streams.

I got to thinking. Instead of authenticating each user through a .htaccess file I could have a .htaccess file that would only allow one user to authenticate to the directory and all files inside from outside the server. This one user would be operated by the PHP script. The user visiting the site would have no idea of this authentication mechanism. Essentially, if they wanted to download a file from directory x, the only way they would be able to do so would be through the PHP script. If they visited the directory directly without being passed through the PHP script, they would be denied access. This would allow normal PHP authentication and access mechanisms for protected directory and file access.

I have seen various sites employ a theory like this, at least that is how I perceive it. I, the visiting user, would not have to log in to access the site's download section. However, if I navigate to the web directory without the aid of the site's PHP scripts, I get an access denied message.

My problem is, I don't know quite how to make this happen. I am not sure how to give PHP the ability to authenticate the user's browser session with a set of user credentials unknown to the visiting user so that they can have access to the protected directory or file.

Does anyone know how to point me in the right direction to make this happen? Thanks in advance.

sen5241b Posted October 16, 2007

This is very similar to my recent post entitled: "When .htaccess can't protect a file". I'm convinced Apache or Unix/Linux security is the best way to protect files from direct access.

ktuimala Posted October 21, 2007

I am attempting to allow people to log in via my PHP authentication mechanism and allow them to also be simultaneously authenticated with the web browser to have direct access to a given web directory that they wouldn't normally have access to. I am trying to avoid a dual login. One to my PHP scripts and another to the protected web directory. There is nothing worse than having to log in twice to do something.

Anyone know how to constructively do this? I would like to accomplish this on shared web hosting where I don't have control over the Unix/Linux box but do have access to make .htaccess files to protect a directory.