
Authenticate and protect member folders with php/.htaccess?

Status
Not open for further replies.

alan123

MIS
Oct 17, 2002
149
US
I know there is a way to use a PHP session/cookie to authenticate a user's login and redirect to the member index page.
But this is only for user authentication; it doesn't provide any way to protect the member folder. Inside the member folder, for PHP files, it's OK to check the session key to allow or deny the user's access, but for binary files such as PDF or JPEG, a user can directly type the URL of that file into the web browser without any authentication process.
Apache .htaccess provides folder protection, but it pops up a box for the user to enter a username/password. I am looking for something that can combine these two kinds of authentication together (I need a PHP login form instead of the pop-up box), so that it not only uses PHP authentication to let the user log in from a login form, but also protects the member folder.
Is there any protection method other than .htaccess to protect whole folder?
Does anyone know if Pear::Auth or AUTH::HTTP can protect folders?

Thanks in advance for any comments.

michael
 
Wishdiak,

Thanks for the reply.
I'm new to PEAR. Do you mean that if I use Pear::Auth, I can combine Apache htaccess and a PHP login form together, so that it not only uses htaccess to protect the folder, but also uses the PHP login form to pass the username/password to htaccess, then authenticates the user and redirects them to the member index page (without a pop-up box for login)?
If this works, I will feel more comfortable.

thanks.

michael
 
I also am trying to redirect with authentication. To just display:
Code:
<?php
$text = file("http://user:password@domain.com/protected/page.html");
foreach ($text as $line)
 {
  print $line;
 }
?>
But this leaves the browser path pointer outside the protected directory. Is there a way to actually redirect with authentication? Thanks
 
You can store the login in sessions, then it will be passed..

I think that if you wish to also protect images with login, you have to have a script that makes temp images of your images..

I think maybe you can improve a script that is already out there..


that one is based on sql, but after looking at the code quickly, I saw some improvements that could be made..

I however think that it might be a valuable resource for you.

good luck!
 
You could move the images etc. outside of the web server's root folder. That way they are not accessible through URL.
However, you can write a PHP script that serves the binary data from that folder, which is fully accessible through the file system.
Also, have you thought of just using an .htaccess file that states require valid-user ?
You can set (depending on the configuration of the server) the environment variables with your own login mechanism.
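
The approach suggested in the post above (files kept outside the web root and served by a PHP script that checks the login session first), as an added example that is not part of the original thread. The script name `download.php`, the `file` query parameter, the `$_SESSION['user_id']` key, the `/login.php` page and the directory `/var/www/private/members` are all assumptions made for illustration.

```php
<?php
// download.php (hypothetical name): serves member files stored outside the
// document root, and only to a browser that already has a logged-in session.
session_start();

// Assumption: the PHP login form sets $_SESSION['user_id'] on successful login.
if (empty($_SESSION['user_id'])) {
    header('Location: /login.php', true, 302); // hypothetical login page
    exit;
}

// Assumption: member files live here, outside the web server's root folder.
const MEMBER_DIR = '/var/www/private/members';

// Map a requested name to a real file inside $baseDir, or null if it is
// missing, unreadable, or resolves to somewhere outside $baseDir.
function resolve_member_file(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks, so the prefix check
    // below rejects any request that escaped the member directory.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return (is_file($path) && is_readable($path)) ? $path : null;
}

$requested = $_GET['file'] ?? '';
$path = is_string($requested) ? resolve_member_file(MEMBER_DIR, $requested) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// Detect the type from the file contents rather than trusting the extension.
$finfo = new finfo(FILEINFO_MIME_TYPE);
$type = $finfo->file($path) ?: 'application/octet-stream';

header('Content-Type: ' . $type);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store'); // keep member files out of shared caches
session_write_close(); // release the session lock before streaming the file
readfile($path);
```

Pages in the member area would then link to `download.php?file=report.pdf` instead of a direct URL, so PDFs and images go through the same session check as the PHP pages.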
 
Don't pass passwords in the URL, it's not a good idea and XP SP2 will reject it
 
A password specified in the URL doesn't actually get sent as part of the URL to the server. The browser has to parse the password out of the URL, then base64 it and put it in the AUTH header in order for the authentication to work. The part of the URL isn't sent to the server as part of the URL.

There's no reason for XP to reject the URL specified like that, just another great example of WinDoze "security".
 