How to bypass the .htaccess popup dialog

Hello!

A part of my website is protected with a .htaccess file. Can I somehow
bypass the username/password dialog ??
Can I somehow "hardcode" the authentication name and password in my php-file
or can I use for example a html form/mysql authentication and at the same
time set some variables or headers (or something) so the user can access the
.htaccess part ? A stupid example: if user presses a button, user gets
transferred to the protected site without the popup-dialog ?

Thanks!!

Marko
Jul 17 '05 #1
> A part of my website is protected with a .htaccess file. Can I somehow
> bypass the username/password dialog ??

Delete the .htaccess file?

> Can I somehow "hardcode" the authentication name and password in my php-file
> or can I use for example a html form/mysql authentication and at the same
> time set some variables or headers (or something) so the user can access the
> .htaccess part ? A stupid example: if user presses a button, user gets
> transferred to the protected site without the popup-dialog ?


You can put the username and password in the URL. (
http://kittyporn:se************@kitt...with_cats.jpeg )
This makes your security slightly worse than a bag of money in the
front yard of a bank with a flashing neon sign on it "Thou Shalt
Not Steal, Please", since the username and password go through the
user's browser.

A more secure alternative, assuming you can modify the protected
content section, is to use sessions. The unprotected page sets a
session variable allowing access, and the protected page checks for
it INSTEAD of using the .htaccess file. Of course, you have to
make sure the unprotected page only allows access when it should.
Be sure that sessions eventually expire so a user who posts the
session cookie won't let unauthorized users in for very long.

Another technique that may be used in combination with the above
is that protected content (especially images) is stored outside the
document tree and is OUTPUT only when access is granted (which can
eliminate things like unauthorized deep linking and/or passwords
showing up in browsers). For example, if access is granted, output
a header "Content-type: image/jpeg", a blank line, and call readfile()
on the image file which is kept OUTSIDE the document tree so there's
no URL to get it directly. If access is not granted, output an
error message or an ad for access.

Gordon L. Burditt
Jul 17 '05 #2
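
The session check and out-of-tree readfile() approach described in the reply above, sketched as an added example that is not part of the original thread. The script name, the private directory path, the session keys `access_granted` and `granted_at`, the `file` parameter and the 30-minute lifetime are all assumptions.

```php
<?php
// image.php - added example; paths, session keys and the timeout are assumptions.
declare(strict_types=1);

const PRIVATE_DIR  = '/var/www/private/images'; // assumed location OUTSIDE the document tree
const MAX_AGE_SECS = 1800;                      // assumed grant lifetime (30 minutes)

session_start();

// The unprotected login page is assumed to have done this after verifying
// the user (and after calling session_regenerate_id(true)):
//   $_SESSION['access_granted'] = true;
//   $_SESSION['granted_at']     = time();
$granted = ($_SESSION['access_granted'] ?? false) === true;
$fresh   = isset($_SESSION['granted_at'])
        && (time() - (int)$_SESSION['granted_at']) < MAX_AGE_SECS;

if (!$granted || !$fresh) {
    // Missing or expired grant: clear the session so a leaked cookie stops working.
    $_SESSION = [];
    session_destroy();
    http_response_code(403);
    header('Content-Type: text/plain');
    exit("Access denied. Please log in.\n");
}

// Map the request to a file inside PRIVATE_DIR only. basename() drops any
// directory components; realpath() confirms the result did not escape.
$name = basename((string)($_GET['file'] ?? ''));
$base = realpath(PRIVATE_DIR);
$path = realpath(PRIVATE_DIR . '/' . $name);
$ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));

if ($name === '' || $base === false || $path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)
    || !in_array($ext, ['jpg', 'jpeg'], true)) {
    http_response_code(404);
    exit;
}

// Access granted: emit the image. There is no direct URL to the file itself.
header('Content-Type: image/jpeg');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store'); // keep shared caches from storing it
readfile($path);
```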
