
Simplest scheme for password protection?

laredotornado@zipmail.com
#1: Oct 23 '06
Hello,

I'm using PHP 4.4.4 with MySQL 5.0. I have a USERS table where I store
a username and password for each user. I have a directory (containing
both HTML and PHP files) that I would like only logged in users to
access. What is the simplest scheme for password protecting this
directory? I would prefer not to touch every page and add access
control logic, but if that's the easiest way, so be it.

Your thoughts are greatly appreciated. - Dave


Ron
#2: Oct 23 '06

re: Simplest scheme for password protection?


<laredotornado@zipmail.com> wrote in message
news:1161622661.162877.145300@e3g2000cwe.googlegroups.com...
> Hello,
>
> I'm using PHP 4.4.4 with MySQL 5.0. I have a USERS table where I store
> a username and password for each user. I have a directory (containing
> both HTML and PHP files) that I would like only logged in users to
> access. What is the simplest scheme for password protecting this
> directory? I would prefer not to touch every page and add access
> control logic, but if that's the easiest way, so be it.
>
> Your thoughts are greatly appreciated. - Dave

Dave,
If your server supports it you could use .htaccess files (Apache style) to
control user access.
Otherwise you can write a simple access control system and make it a
require_once in each PHP file.

Only the .htaccess will protect the HTML files on their own. It is often
useful to put pages and fragments that you don't want users to discover in
directories outside of the browsing path of the user, then get PHP to
include or require them as needed.

Cheers

Ron


Peter Fox
#3: Oct 23 '06

re: Simplest scheme for password protection?


Following on from laredotornado@zipmail.com's message. . .
> Your thoughts are greatly appreciated. - Dave

The _simplest_ scheme may not be the /most suitable/.

Basics:
1 Don't store the password, but a hash of it
2 Check authority to run a page on every page

The simplest scheme operates as you expect with
1 Force a login (see 3)
2 Validate login and set 'OK' flag in $_SESSION
3 Check the 'OK' flag at the top of each page and redirect to login if a
problem

In case you didn't know: you can put restricted content outside the web
root. PHP will be able to access these but browsers won't. Feed that
content into your web pages somehow and you have complete control. To
do this you might use the include directive or fopen() etc.

/webroot/phppages
/webroot/imagebits
/webroot/css
/library/photos
/library/sound
/database/mysql

All the web root directories are visible to browsers; none of the others
are.

--
PETER FOX Not the same since the submarine business went under
peterfox@eminent.demon.co.uk.not.this.bit.no.html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.demon.co.uk>
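
The two basics and the three-step session scheme from the post above, as an added example that is not part of the original thread. It assumes PHP 5.5 or later (for password_hash() and password_verify(), which the PHP 4.4.4 in the question lacks); the function names, the in-memory user list standing in for the USERS table, and /login.php are hypothetical.

```php
<?php
// Added example (not from the thread). Assumes PHP 5.5+; names are hypothetical.

// Constructed sample data standing in for the USERS table: username => hash.
// Basic 1: the table holds a password hash, never the password itself.
function sample_users() {
    return array('dave' => password_hash('correct horse', PASSWORD_DEFAULT));
}

// Check a submitted password against the stored hash.
function check_login(array $users, $username, $password) {
    static $dummy = null;
    if ($dummy === null) { $dummy = password_hash('placeholder', PASSWORD_DEFAULT); }
    // Unknown users are verified against a dummy hash so that both
    // outcomes do the same amount of work.
    $known = isset($users[$username]);
    $ok = password_verify($password, $known ? $users[$username] : $dummy);
    return $known && $ok;
}

// Scheme step 2: validate the login and set the 'OK' flag in $_SESSION.
function login(array $users, $username, $password) {
    if (!check_login($users, $username, $password)) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session id once authenticated
    }
    $_SESSION['OK'] = true;
    $_SESSION['user'] = $username;
    return true;
}

// Scheme step 3: call at the top of every protected page (basic 2),
// after session_start(); redirects to the login form if the flag is missing.
function require_login($login_url = '/login.php') {
    if (empty($_SESSION['OK'])) {
        header('Location: ' . $login_url);
        exit;
    }
}

// Demo on the constructed data when run from the command line.
if (PHP_SAPI === 'cli') {
    $users = sample_users();
    var_dump(check_login($users, 'dave', 'correct horse'));
    var_dump(check_login($users, 'dave', 'wrong guess'));
    var_dump(check_login($users, 'nobody', 'correct horse'));
}
```
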
laredotornado@zipmail.com
#4: Oct 23 '06

re: Simplest scheme for password protection?


I have seen .htaccess files, but how can they be built so that they
read from a database of stored username and passwords?

Thanks, - Dave


Ron wrote:
> <laredotornado@zipmail.com> wrote in message
> news:1161622661.162877.145300@e3g2000cwe.googlegroups.com...
>> Hello,
>>
>> I'm using PHP 4.4.4 with MySQL 5.0. I have a USERS table where I store
>> a username and password for each user. I have a directory (containing
>> both HTML and PHP files) that I would like only logged in users to
>> access. What is the simplest scheme for password protecting this
>> directory? I would prefer not to touch every page and add access
>> control logic, but if that's the easiest way, so be it.
>>
>> Your thoughts are greatly appreciated. - Dave
>
> Dave,
> If your server supports it you could use .htaccess files (Apache style) to
> control user access.
> Otherwise you can write a simple access control system and make it a
> require_once in each PHP file.
>
> Only the .htaccess will protect the HTML files on their own. It is often
> useful to put pages and fragments that you don't want users to discover in
> directories outside of the browsing path of the user, then get PHP to
> include or require them as needed.
>
> Cheers
>
> Ron

Rik
#5: Oct 23 '06

re: Simplest scheme for password protection?


laredotornado@zipmail.com wrote:
> I have seen .htaccess files, but how can they be built so that they
> read from a database of stored username and passwords?

That's not that simple.
You could make .htpasswd files on the fly, but that's hardly preferable, as
you'll have to create, maintain and verify the file on every change in
users.

What I'd do:
create a .htaccess file:

RewriteEngine On
# Send every existing file except accesscontrol.php itself through the gatekeeper
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_URI} !/accesscontrol\.php$
RewriteRule ^(.*?)$ accesscontrol.php?file=$1&%{QUERY_STRING} [NC,L]

And handle authentication in accesscontrol.php, and possibly include the
requested files, or give an Unauthorised header.
--
Grtz,

Rik Wasmus


laredotornado@zipmail.com
#6: Oct 24 '06

re: Simplest scheme for password protection?


Thanks, Rik. This is the solution I'll pursue. But I have one follow
up question. What does "accesscontrol.php" return upon successful
authentication and upon authentication failure?

- Dave


Rik wrote:
> laredotornado@zipmail.com wrote:
>> I have seen .htaccess files, but how can they be built so that they
>> read from a database of stored username and passwords?
>
> That's not that simple.
> You could make .htpasswd files on the fly, but that's hardly preferable, as
> you'll have to create, maintain and verify the file on every change in
> users.
>
> What I'd do:
> create a .htaccess file:
>
> RewriteEngine On
> RewriteCond %{REQUEST_FILENAME} -f
> RewriteCond %{REQUEST_URI} !/accesscontrol\.php$
> RewriteRule ^(.*?)$ accesscontrol.php?file=$1&%{QUERY_STRING} [NC,L]
>
> And handle authentication in accesscontrol.php, and possibly include the
> requested files, or give an Unauthorised header.
> --
> Grtz,
>
> Rik Wasmus

Jerry Stuckle
#7: Oct 24 '06

re: Simplest scheme for password protection?


laredotornado@zipmail.com wrote:
> I have seen .htaccess files, but how can they be built so that they
> read from a database of stored username and passwords?
>
> Thanks, - Dave
>
>
> Ron wrote:
>
>> <laredotornado@zipmail.com> wrote in message
>> news:1161622661.162877.145300@e3g2000cwe.googlegroups.com...
>>
>>> Hello,
>>>
>>> I'm using PHP 4.4.4 with MySQL 5.0. I have a USERS table where I store
>>> a username and password for each user. I have a directory (containing
>>> both HTML and PHP files) that I would like only logged in users to
>>> access. What is the simplest scheme for password protecting this
>>> directory? I would prefer not to touch every page and add access
>>> control logic, but if that's the easiest way, so be it.
>>>
>>> Your thoughts are greatly appreciated. - Dave
>>
>> Dave,
>> If your server supports it you could use .htaccess files (Apache style) to
>> control user access.
>> Otherwise you can write a simple access control system and make it a
>> require_once in each PHP file.
>>
>> Only the .htaccess will protect the HTML files on their own. It is often
>> useful to put pages and fragments that you don't want users to discover in
>> directories outside of the browsing path of the user, then get PHP to
>> include or require them as needed.
>>
>> Cheers
>>
>> Ron

If you're using a MySQL database, see mod_auth_mysql (available on
sourceforge.net).


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Rik
#8: Oct 24 '06

re: Simplest scheme for password protection?


laredotornado@zipmail.com wrote:
> Thanks, Rik. This is the solution I'll pursue. But I have one follow
> up question. What does "accesscontrol.php" return upon successful
> authentication and upon authentication failure?

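$logged_in = your_own_code(); // your own session / database check
if(!$logged_in){
    header('HTTP/1.0 401 Unauthorized');
    exit;
}
// Resolve the requested path and refuse anything that ends up outside
// this directory (for example file=../../etc/passwd).
$base = realpath(dirname(__FILE__));
$path = parse_url($_GET['file'],PHP_URL_PATH);
$file = realpath($base.'/'.$path);
if($file === false || strpos($file,$base.DIRECTORY_SEPARATOR) !== 0 || !is_file($file)){
    header("HTTP/1.0 404 Not Found");
    exit;
}
$ext = pathinfo($file,PATHINFO_EXTENSION);
// strcasecmp() returns 0 when the two strings are equal
if(strcasecmp($ext,'php') == 0 || strcasecmp($ext,'html') == 0){
    include($file);
    exit;
}
$ext_mime = array(
    'jpg' => 'image/jpeg',
    'pdf' => 'application/pdf',
    // etc...
);
header('Content-type: '.$ext_mime[$ext]);
readfile($file);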

--
Rik Wasmus

