>A part of my website is protected with a .htaccess file. Can I somehow
bypass the username/password dialog ??
Delete the .htaccess file?
Can I somehow "hardcode" the authentication name and password in my php-file
or can I use for example a html form/mysql authentication and at the same
time set some variables or headers (or something) so the user can access the
.htaccess part ? A stupid example: if user presses a button, user gets
transferred to the protected site without the popup-dialog ?
You can put the username and password in the URL. (
http://kittyporn:se************@kitt...with_cats.jpeg )
This makes your security slightly worse than a bag of money in the
front yard of a bank with a flashing neon sign on it "Thou Shalt
Not Steal, Please", since the username and password go through the
user's browser.
A more secure alternative, assuming you can modify the protected
content section, is to use sessions. The unprotected page sets a
session variable allowing access, and the protected page checks for
it INSTEAD of using the .htaccess file. Of course, you have to
make sure the unprotected page only allows access when it should.
Be sure that sessions eventually expire so a user who posts the
session cookie won't let unauthorized users in for very long.
Another technique that may be used in combination with the above
is that protected content (especially images) is stored outside the
document tree and is OUTPUT only when access is granted (which can
eliminate things like unauthorized deep linking and/or passwords
showing up in browsers). For example, if access is granted, output
a header "Content-type: image/jpeg", a blank line, and call readfile()
on the image file which is kept OUTSIDE the document tree so there's
no URL to get it directly. If access is not granted, output an
error message or an ad for access.
Gordon L. Burditt
