Problem with HTTP Auth

i have a problem concerning a php script i wrote some time ago.
It is a rather simple thing. On a site you log in via an html form which
points to a php that checks the username and password, and knowing this
it sends each user to his own http auth protected directory.

i used http://user:p...@domain.com/user for each of them.

facts:
all of these directories are protected with basic auth of apache
there are pdf and other downloadable files there
and one php index page with links to the files.

problems:
ie6 sp2 no longer supports user:pass@ notation.
all other browsers do (as far as i know):
mozilla/firefox/epiphany/konqueror/opera/even lynx
nevertheless i'd like to support ie too

one solution is that i link to http://domain.com/user and the browser
would ask for the username again, which is ugly

another solution is that i do not use http auth, protect the php from
viewing, but everyone knowing a deeplink could download the files, which
i definitely don't want.

one more solution could be links to each users directory and only the
browser asks for user and pass, but no user should (in ideal case) know
that another user exists. i don't want a page (viewable for all) where
there are all users listed.

okay, ... deeplinks are also not what i want. no user should have to
type deeplinks to his dir.

the problem is that ie does not only throw another login box, this would
be okay if other browsers work "normally". but ie gets an error
page.... syntax error. which i don't like to see.

so: i hope the problem is clear.
i use header(Location: ???) for redirection.
i tried some hacks to include Auth credentials in the header, but had
no success.

any solution providing protection for my downloadable files, working in
all browsers would be a charm.

thanks in advance

thomas

Mar 18 '06 #1
Th****************@gmail.com wrote:
> one solution is that i link to http://domain.com/user and the browser
> would ask for the username again, which is ugly

Still, this sounds like the best solution. The problem being that the way
this works with IE, is that it remembers your input and re-sends it with
each page request that includes an authentication header.

The only thing you need to change is the "again" bit for IE users...
JW
Mar 18 '06 #2
yes, that's true but in firefox & co it also remembers and resends the
information although it has never been entered into the ugly browser
box, but only in my form.
and i think it is not possible to let users input the user/pass
combination twice. once into the form, and a second later into the
dialog box of the browser. this is ugly. really.

Mar 18 '06 #3

One way to do it is with Apache rewrite. When the user logs in, the PHP
script adds an entry to a rewrite map, with the user's session id
pointing to his user name. When the user tries to access a file in
his folder, mod_rewrite would get the user's session id from the
cookie, then check to see if there is a matching entry in the rewrite map. If it
exists, it rewrites the url to the private folder, using the user name
from the map. If not, it sends the user to a page showing an error
message.

Mar 19 '06 #4
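
The rewrite-map approach from reply #4, written out as an Apache configuration. This is an added example, not code from the thread; the paths, the map name `sessmap`, the `/files/` URL prefix, the `PHPSESSID` cookie name and the error page are assumptions, and the syntax is Apache 2.4.

```apache
# Added example (Apache 2.4 syntax). The paths, the map name "sessmap", the
# /files/ URL prefix and the PHPSESSID cookie name are assumptions.
# Goes in server or <VirtualHost> context: RewriteMap is not valid in .htaccess.

# Private folders live outside DocumentRoot, so no URL maps to them directly;
# the rewrite below is the only way in.
<Directory "/srv/private">
    Require all granted
    Options -Indexes
</Directory>

RewriteEngine On

# Text map written by the login script, one line per live session:
#   <session id> <user name>
# Keep it outside DocumentRoot and readable only by the web server, because it
# holds live session ids. Remove the line on logout or session expiry.
RewriteMap sessmap "txt:/var/lib/app/session-users.map"

# 1. Take the session id from the cookie; only [A-Za-z0-9] is accepted, so
#    nothing else can reach the map lookup.
RewriteCond %{HTTP_COOKIE} (?:^|;\s*)PHPSESSID=([A-Za-z0-9]{16,128})(?:;|$)
# 2. Look the id up. An unknown id yields an empty string, which fails the
#    pattern; a known id leaves the user name in %1.
RewriteCond ${sessmap:%1} ^([a-z0-9_-]+)$
# 3. Serve /files/<name> from that user's folder. <name> must start with a
#    letter or digit and has no slash, so "../" cannot be expressed.
RewriteRule ^/files/([A-Za-z0-9][A-Za-z0-9._-]*)$ /srv/private/%1/$1 [L]

# Anything else under /files/ has no valid session: send it to an error page.
RewriteRule ^/files/ /not-logged-in.html [R=302,L]
```

Every user sees the same `/files/<name>` links, so no URL reveals another user's name, and no browser auth dialog or `user:pass@` URL is involved.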
