Until Microsoft released their security update to IE, I used an html form for the user to input his/her username/password which was passed to ‘username: password@www.domain.com/restricted_directory’.
The IE patch now restricts this.

When AuthUserFile is in my .htaccess file and I try to access a restricted file, the browser brings up a login popup and I can gain access.

My goal is to login through my html form. I’m very close to getting this working, but I don’t understand how the $auth = false or true gets passed.

Could it be the <LIMIT GET POST PUT> require valid-user</LIMIT> in the .htaccess needs to change?
Or is something else missing from my .htaccess file?
Do I need something like auth($_SESSION[‘user’], $_SESSION[‘pass’]) in the .htaccess file?

I hope this thread helps other people with this problem. I’ve Googled the heck out of this issue and there are no good examples…
I’ve added my auth.php and .htaccess files below.
I feel that I’m so close, but can’t get past the finish line.

Also, my DB is Apache.


My auth.php file looks like this ….

<?php 
session_start(); 
$PHP_AUTH_USER = $_POST['username']; 
$PHP_AUTH_PW = $_POST['password']; 
if (!isset($PHP_AUTH_USER)) $PHP_AUTH_USER = $_COOKIE['username']; 
if (!isset($PHP_AUTH_PW)) $PHP_AUTH_PW = $_COOKIE['password']; 

$auth = false; // Assume user is not authenticated 

if (isset( $PHP_AUTH_USER ) && isset($PHP_AUTH_PW)) { 

// Read the entire file into the variable $file_contents 

$filename = '/usr/local/zeus/web_roots/main/domain.com/cgi-bin/pa/passwordfile.txt'; 
$fp = fopen( $filename, 'r' ); 
$file_contents = fread( $fp, filesize( $filename ) ); 
fclose( $fp ); 

// Place the individual lines from the file contents into an array. 

$lines = explode ( "\n", $file_contents ); 

// Split each of the lines into a username and a password pair 
// and attempt to match them to $PHP_AUTH_USER and $PHP_AUTH_PW. 

foreach ( $lines as $line ) { 

list( $username, $password ) = explode( ':', $line ); 

if ( $username == "$PHP_AUTH_USER" ) { 

// Get the salt from $password. It is always the first 
// two characters of a DES-encrypted string. 

$salt = substr( $password , 0 , 2 ); 

// Encrypt $PHP_AUTH_PW based on $salt 

$enc_pw = crypt( $PHP_AUTH_PW, $salt ); 

if ( $password == "$enc_pw" ) { 

// A match is found, meaning the user is authenticated. 
// Stop the search. 

$auth = true; 
setcookie('username',$PHP_AUTH_USER,time()+36000); 
setcookie('password',$PHP_AUTH_PW,time()+36000); 
break; 

} 

} 
} 

} 

if ( ! $auth ) { 

header( 'WWW-Authenticate: Basic realm="Private"' ); 
header( 'HTTP/1.0 401 Unauthorized' ); 
echo 'Authorization Required.'; 
exit; 

} else { 

header( 'Location:first.htm' ); 
} 

?>

My .htaccess file looks like this….

AuthType Basic 
AuthName "Making Doors Open" 
AuthGroupFile /dev/null/ 

php_value auto_prepend_file "/usr/local/zeus/web_roots/main/domainname.com/auth.php" 

<LIMIT GET POST PUT> 
require valid-user 
</LIMIT>

Can anyone help?

I'm currently working on the same problem.. I'll let you know if I have any luck with it!

Tarik

That’s great! I hope this thread helps you. I believe that the code I added to this thread is 90% complete. If you figure out the rest that would be incredible..

I've had a look through your code and perhaps I am overlooking something but I am slightly confused exactly what you are trying to achieve...

You mention that you used to login using username:password@domain.com, using htaccess authentication and you say that your goal is to login through your html form. From this I would presume that you wanted to continue using the basic htaccess authentication, whilst logging in through the form rather than the popup window (which is what I am attempting myself).

Your code suggests that you are not using htaccess authentication any more - you are writing your own authentication which checks against a custom database file, which is fine, but I don't understand why you need to specify AuthType Basic, or anything within the <LIMIT GET PUT> section in the htaccess file as it is no longer needed.

Rather than needing something like auth($_SESSION[‘user’], $_SESSION[‘pass’]) in the .htaccess file, it looks to me like all you need is to save auth=true in your Session...

e.g, when you establish that the username / password combination is valid then do this...

$_SESSION['auth'] = true;

This variable will now be accessible to you as you navigate around the site.

Whenever a new page is loaded, test whether the user is authenticated by using...

if ( $_SESSION['auth'] == true )
{ //Display HTML Content }

Is this what you are trying to achieve?

Tarik

Removing AuthType Basic and <LIMIT GET PUT> from my .htaccess file makes sense.

I can replace $auth = true; with $_SESSION['auth'] = true; and $auth = false; with $_SESSION['auth'] = false;.

Do you think that I still need
setcookie('username',$PHP_AUTH_USER,time()+36000);
setcookie('password',$PHP_AUTH_PW,time()+36000);

The part I’m having trouble understanding is how to bridge the gap from my auth.php file to having access.
My HTML form's action points to a file in my restricted directory. When it tries to access that file the .htaccess file directs the username and password to the auth.php file which validates against my username/password file. If it’s valid => $_SESSION['auth'] = true;.

Where would I add this?
if ( $_SESSION['auth'] == true )
{ www.domain.com/path/to/restricted/field.html }

I added it to my .htaccess file and when I logged in got the following error => Error 405 Method Not Allowed.

Any ideas? You mentioned that you're trying to get this working. Have you been able to? If not, what road blocks have you run into?

I am having the same problem. Did you come up with a solution???

I read that it's impossible to do this.
I have a bunch of cgi scripts with .htaccess. I need to
give access to these scripts only to users who logged in with
same usr/pswd as that in htpasswd file.

I was wondering if anyone had a solution to this problem. I am in desperate need of code to create a log-in form with a .htaccess file.


I would very much appreciate any help.


Thanks,

DW5

Is the problem how to let .htaccess know that the user is authorized and set this in php?

I've never used .htaccess for authentication before so I wouldn't know but I can suggest that you remove .htaccess altogether, and use just php if you are desperate. You can still do the exact same thing, read the user and pass from the password file, but have authentication rely on php alone. .. if you're desperate...

See the issue I am having is this. I have used php / mySQL login authentication to secure all of the php pages in the members area of a site. The problem I have is what if there are html files or pdf files in the members folder that I don't want people to have access to?

For example, my members folder is /public_html/members/ and I have a documents folder in there where I store pdf files for members only at /public_html/members/documents/. If I only use php for authentication (ie user/pass from mysql database) then someone can browse directly to one of the pdf files and view it without a password (ie www.domainname.com/members/documents/file1.php). The only way I know of to prevent this is with htaccess file. I need to maintain the php login which integrates with the mySQL table since the members area is customized per member?

Can anyone give me an idea as to what I need to do???

Thank you.

Keith G

Hi Keith;

.htaccess does make it a bit complex. It would be simpler if you just place all the member files under the web root. (below public_html in this case).
This way it cannot be accessed directly from the web.

Then you can have a single php file that:

1) authenticates the users session.
2) retrieves the requested file from below the web root.
3) appends the correct Content-Type HTTP Header for file download or the file type being requested.
4) Dump the file to HTTP (echo $filecontents) so the browser will download the file.

This method can even allow resuming of file downloads etc.

It does put an extra load on the PHP server as file contents have to be read to php before being sent to HTTP...

You can get example code in the PHP manual under the function: header
http://www.php.net/header

Here's an example:

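<?php
// $url is not set in this snippet: it must already hold the server-side path
// of the file to send, after the checks listed below have passed.
$mm_type="application/octet-stream";

// Response headers that make the browser treat the body as a file download.
header("Cache-Control: public, must-revalidate");
header("Pragma: hack");
header("Content-Type: " . $mm_type);
header("Content-Length: " .(string)(filesize($url)) );
header('Content-Disposition: attachment; filename="'.basename($url).'"');
header("Content-Transfer-Encoding: binary\n");
                  
// Read the whole file in binary mode, then write it to the response.
$fp = fopen($url, 'rb');
$buffer = fread($fp, filesize($url));
fclose ($fp);
                  
print $buffer;
?>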

You can insert this into a page, after you have validated:
1) The user has a session (is logged in)
2) The file exists and user has access to download it. (very important)
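
A sketch of the download gate this answer describes, added here as an example (not code from the thread): it checks the session, then confirms the requested name resolves to a regular file inside the private directory before sending it. The directory path, the `file` query parameter and the `$_SESSION['auth']` flag are assumptions.

```php
<?php
// Added example, not from the thread. DOCUMENT_DIR, the 'file' parameter and
// $_SESSION['auth'] are assumed names.

const DOCUMENT_DIR = '/home/example/member_documents'; // hypothetical, outside public_html

/**
 * Map a user-supplied name to a real file inside $baseDir.
 * Returns the canonical path, or null if the name is empty, does not exist,
 * is not a regular file, or resolves outside $baseDir ("../x", a symlink, ...).
 */
function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses ".." and follows symlinks, so the prefix test below
    // is made on the location the file really lives in.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

/** Stream the file as an attachment with a sanitised filename. */
function send_download(string $path): void
{
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path); // streams the file instead of loading it all into memory
}

if (PHP_SAPI !== 'cli') {
    // Web request: session first, then the path check, then the file.
    session_start();
    if (empty($_SESSION['auth'])) {
        http_response_code(403);
        exit('Login required.');
    }
    $requested = $_GET['file'] ?? '';
    $path = is_string($requested) ? resolve_download(DOCUMENT_DIR, $requested) : null;
    if ($path === null) {
        http_response_code(404);
        exit('Not found.');
    }
    send_download($path);
    exit;
}

// Command-line self-check on a constructed directory tree.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . getmypid();
mkdir($root . '/docs', 0700, true);
file_put_contents($root . '/docs/file1.pdf', 'constructed sample');
file_put_contents($root . '/outside.txt', 'must not be served');

foreach (['file1.pdf', '../outside.txt', 'missing.pdf', ''] as $name) {
    $result = resolve_download($root . '/docs', $name);
    printf("%-18s => %s\n", var_export($name, true), $result === null ? 'rejected' : 'served');
}
```

Run from the command line, the script only exercises `resolve_download()` on the temporary tree; behind a web server it serves `?file=<name>` to logged-in sessions.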

I am also having a problem very similar, I want to create a login exactly like the way .htaccess works but without the Annoying Dialogue Pop-up (I hate them) .. Can anyone help me?

I am coping with the same problem. Anyone know a solution? Maybe including login information in the URL sent from my VB6 browser. Then avoid the pesky "confirm" message box?

Thanks,
Kirk

Until Microsoft released their security update to IE, I used an html form for the user to input his/her username/password which was passed to ‘username: password@www.domain.com/restricted_directory’.
The IE patch now restricts this. ...

Here's a solution to getting around the IE problem with their disabling using the browser address bar to login via HTTP Basic Authentication.

<script>

// url of Basic Authentication page
var auth_url = 'protected/index.php';
// url user wants to access
var private_url = 'protected/files/file.zip';

function getPrivatePage() {

	var user = document.getElementById('user').value;
	var pw = document.getElementById('pw').value;

	// create and execute xmlHTTPRequest
	var xmlhttp = false;
	if (window.XMLHttpRequest) {
		xmlhttp = (new XMLHttpRequest());
    } else if (window.ActiveXObject) {
		// find latest XMLHTTP implementation on IE
		var versions = [
		"Msxml2.XMLHTTP.7.0", 
		"Msxml2.XMLHTTP.6.0", 
		"Msxml2.XMLHTTP.5.0", 
		"Msxml2.XMLHTTP.4.0", 
		"MSXML2.XMLHTTP.3.0", 
		"MSXML2.XMLHTTP",
		"Microsoft.XMLHTTP"];
		var n = versions.length;
		for (var i = 0; i <  n; i++) {
			try {
				if (xhr = (new ActiveXObject(versions[i]))) {
					break;
				}
			} catch (e) { /* try next */ }
		}
	}
	if (!xmlhttp) {
		location.href = auth_url;
		return false;
	}
	xmlhttp.onreadystatechange = function() { handleGetPrivatePageResponse(xmlhttp); };
	xmlhttp.open('GET', auth_url, true, user, pw);
	xmlhttp.send(null);
}

function handleGetPrivatePageResponse(xmlhttp) {
	if (xmlhttp.readyState == 4) {
		if (xmlhttp.status == 200) {
			alert('Log in successful.');
			location.href = private_url;
		} else if (xmlhttp.status == 401) {
			alert('The Username and password are incorrect. Please try again.');
		} else {
			alert('An unknown Error Occurred. HTTP Status: '+xmlhttp.status);
		}
	}
}

</script>

<fieldset>
<legend>Enter A Username and Password to Access the Private Area</legend>
<input type="text" name="user" id="user" />
<input type="password" name="pw" id="pw" />
<input type="button" onclick="getPrivatePage();" value="Enter" />
</fieldset>

What it does is circumvent the browser address bar by making a xmlHTTPRequest call to a page protected by Basic Auth.

The xmlHTTPRequest will pass the username and password of the user to this page, and if authenticated successfully the page will respond with a HTTP status of "200".
If the authentication fails then the response will be "401".
The xmlHTTPRequest reads the HTTP status responses and keeps asking for a username and password until it gets a "200" response from the page.

Once authenticated, the browser will cache the username and password. (This is done automatically by browsers when implementing Basic Auth) This allows you to redirect to the actual page the user wants to visit.

This works no matter how you implement Basic Auth on the server, via php, via .htaccess etc.

The only problem I have seen is that Firefox will open the default Prompt for Authentication if the authentication by xmlHTTPRequest fails. This does not happen with IE. This may not be a firefox bug, just their implementation.

The work around for this would be to implement HTTP Authentication with PHP and respond with a HTTP Response status of "403" or something similar instead of "401" which triggers the login prompt/box in firefox.

Could you explain if this script can also be used to make a webbased .htaccess login to directories where the username is the protected directory to which the user is pointed at login?

Eg. username = apple
with password will go to host.com/apple (where apple is a .htaccess protected directory).

If so, could you explain what to do with:

// url of Basic Authentication page
var auth_url = '.....';
// url user wants to access
var private_url = '.....';

And give some hints about how to install the script. Thanks a lot in advance!

This is all you need to change:

// url of Basic Authentication page
var auth_url = '.....';
// url user wants to access
var private_url = '.....';

auth_url can be either a PHP implementation of BASIC Auth (http://php.net/features.http-auth). Or an actual protected page.

private_url is the page you want to redirect to when the user is logged in successfully. (a private page).

If you don't have a PHP script implementing BASIC Auth, then both URLs are the same...

In your case it would be:

// url of Basic Authentication page
var auth_url = 'http://host.com/apple';
// url user wants to access
var private_url = 'http://host.com/apple';

You just place the whole script (JS code and HTML form) inside a non-protected page on the same Domain.

Different Domains:
If you want to go past the same domain restriction in XMLHTTPRequest then you'll have to use a PHP HTTP proxy. The PHP proxy should just take the HTTP Request and mirror the same request to the remote domain, then receive the HTTP Response from the remote domain and mirror it back to the client..

Thanks a lot for that!

But what to do when the private_url directory is not clear yet (because it is based on what the user will type in the form as its username).

Can the directory name be a variable based on what the user inputs in the form as its username?

Sure.

Here's the first part of the code.

// url of Basic Authentication page
var auth_url = 'protected/index.php';
// url user wants to access
var private_url = 'protected/files/file.zip';

function getPrivatePage() {

var user = document.getElementById('user').value;
var pw = document.getElementById('pw').value;

The function getPrivatePage() is executed when a user clicks on the submit button. (it would actually be better to attach this to the form submit handler).

What you can do is check if the username is set when the user has clicked the button, if it is, then append the username to your private url.

eg:

// url of Basic Authentication page
var auth_url = 'protected/index.php';
// url user wants to access
var private_url = 'protected/files/file.zip';

function getPrivatePage() {

var user = document.getElementById('user').value;
var pw = document.getElementById('pw').value;

if (user.length > 0) {
private_url = 'http://example.com/'+encodeURIComponent(user)+'/';
}

If you want to support older browsers (IE 5.5 I believe supports xmlHTTPRequest but not encodeURIComponent()) then you'll have to first check if "encodeURIComponent()" is supported.

eg:

/**
* the escape() method in Javascript is deprecated
*/
function encode( uri ) {
    if (typeof encodeURIComponent == 'function') {
        return encodeURIComponent(uri);
    } else if (typeof escape == 'function') {
        return escape(uri);
    } else return uri;
}

Then when you use URIs, do:

if (user.length > 0) {
private_url = 'http://example.com/'+encode(user)+'/';
}

for example.

There are also some values passed via HTTP in the xmlHTTPRequest that are not urlencoded. You may want to urlencode them.

Since auth_url and private_url are the same in my case, should I include

function getPrivatePage() {

var user = document.getElementById('user').value;
var pw = document.getElementById('pw').value;

if (user.length > 0) {
private_url = 'http://example.com/'+encodeURIComponent(user)+'/';

Also for auth_url?

Furthermore, when I tested the script it seems to make a difference
if I use http://host.com or http://www.host.com.

Is it possible to make both work?

Thanks again in advance!

I believe only the specific user can enter their subdomain? If yes, change the auth_url also. I forgot that.

The browser considers www.example.com and example.com to be two separate domains. Since XMLHTTPRequest (XHR) is restricted to the same domain as the document (Same Domain Policy), you can't make a request to example.com from www.example.com.

In order to make sure your XHR Request is made to the same domain, you can use a function like:

/**
* Replaces a Server Domain in a URL such as http://www.example.com/page.php to the correct Browser domain
* This makes sure an XMLHTTPRequest is sent to the same domain
*/
function sameDomain(serverUrl) {
	var browserUrl = window.location.href;
	var wserver = serverUrl.match(/^http:\/\/www\./) ? true : false;
	var wbrowser = browserUrl.match(/^http:\/\/www\./) ? true : false;
	if (wserver != wbrowser) {
		if (wbrowser) {
			serverUrl = serverUrl.replace(/^http:\/\//, 'http://www.');
		} else {
			serverUrl = serverUrl.replace(/^http:\/\/www\./, 'http://');
		}
	}
	return serverUrl;
}

Run both private_url and auth_url through it like:

private_url = sameDomain(private_url);
auth_url = sameDomain(auth_url);

Hi there.. sorry to be a pest, but I just tried dropping this script on my own server and testing, and it's not finding my Msxml2 version ( if(!xmlhttp) is failing).

My browser is IE 6.0.2900.

Any suggestions? Is this 100% compatible?

I Would like to thank you for this I have been searching high and low for an implementation like this - although I have to make some changes this is what I have been looking for - I think I love you - JK

THANKS!!


The work around for this would be to implement HTTP Authentication with PHP and response with a HTTP Response status of "403" or something similar instead of "401" which triggers the login prompt/box in firefox.

And how would I go about this?


It seems IE is giving the same response to the error nowadays :)

There is actually a typo in the original JS code I posted.

if (xhr = (new ActiveXObject(versions[i]))) {

should be:

if (xmlhttp = (new ActiveXObject(versions[i]))) {

is that the problem?

Are you testing in IE7 or IE6? Not sure if IE7 was out when this was posted.

IE7 - latest
Don't get me wrong the script works beautifully - the only problem is that if they get the password/username combo INcorrect - it pops up the dialog box - if they get it right there are no problems. . .

and really the pop up box coming up if they get it wrong is minimal - but it does - I made the change in the original script as you suggested but it didn't seem to make it react any differently. . .

Anyway - I was hoping you could lead me at least in the right direction on how to implement HTTP Authentication with PHP and respond with a HTTP Response status of something other than 401 - because you seem to indicate that would remove the problem entirely -

like I said I have been searching and searching for something like this (the entire script) and its been sitting here - so I appreciate it - everyone kept telling me it couldn't be done

I'm not sure if it's the 401 response or the WWW-Authenticate header that triggers the dialog boxes in FF2.0 and IE7. You could test that out. I'd think it would be the header.

To implement HTTP Basic Auth in PHP see: http://www.php.net/features.http-auth

The example on that page:

<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
?>

This forces the browser to prompt the HTTP Basic Auth dialog box.

Assuming the header header('WWW-Authenticate: Basic realm="My Realm"'); causes the browser to prompt for user/pass, what we want is to bypass sending this header:

header('WWW-Authenticate: Basic realm="My Realm"');

Because of this, we also have to handle the authentication on the server side. (normally your server does this).

So you'll want your PHP script to get the user and password from HTTP, and compare with the user and password in .htpasswd file.

So it would be something like:

// this will prompt our XHR to authenticate simply because we get a HTTP Response status other than 200
function XHR_Auth() {
    header('XHR-Authenticate: Basic realm="My Realm"'); // bogus http header response so we don't trigger Basic Auth
    header('HTTP/1.0 401 Unauthorized');
    echo 'This page needs authentication.';
    exit;
}

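// authenticates a user against the .htpasswd file
function htpasswd_auth($username, $password, $htpasswd = '.htpasswd') {
    // FILE_IGNORE_NEW_LINES drops each line's trailing newline; without it
    // the string comparison below can never match
    $lines = file($htpasswd, FILE_IGNORE_NEW_LINES);
    if ($lines) {
        foreach($lines as $line) {
            if ($line == $username.':'.md5($password)) return true;
        }
    }
    return false;  
}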



if (isset($_SERVER['PHP_AUTH_USER'])) {
    // we actually have to do the authentication with PHP, since we sent an XHR-Authenticate header which is bogus, instead of WWW-Authenticate
    $valid = htpasswd_auth($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PASS']);
    if (!$valid) {
        XHR_Auth();
    }
} else {
    XHR_Auth();
}

// if it got this far, then alls good. Our server will send a HTTP status of 200 automatically
echo 'you are good to go';

I haven't tested this, so it's just a template to work with. I'm assuming that passwords in the .htpasswd file are md5 hashes.

The function: htpasswd_auth()

This take a username and password. It compares it with every line in the .htpasswd file and if it finds a match it returns true. Otherwise false.

The function: XHR_Auth()

This sends a 401 HTTP Response. You could change it to anything other than 200 if it still causes the login prompt in IE7.
It however sends a bogus header:

header('XHR-Authenticate: Basic realm="My Realm"');

This should bypass the login prompt, but let XHR (XMLHttpRequest) know that the authentication failed.
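
Apache's htpasswd tool writes apr1-MD5 hashes by default, or bcrypt, `{SHA}` or crypt() hashes on request, not bare MD5, so a lookup against a real file has to dispatch on the hash format. The following is an added example, not the poster's code: the function names and the sample entries (built at run time) are constructed, and apr1 entries are rejected rather than implemented.

```php
<?php
// Added example, not from the thread. Function names and sample entries are constructed.

/** Compare a password with one htpasswd hash field, chosen by hash format. */
function htpasswd_hash_matches(string $password, string $stored): bool
{
    if (strncmp($stored, '{SHA}', 5) === 0) {               // htpasswd -s
        $calc = '{SHA}' . base64_encode(sha1($password, true));
        return hash_equals($stored, $calc);                 // constant-time compare
    }
    if (strncmp($stored, '$apr1$', 6) === 0) {              // htpasswd default
        return false;                                       // not implemented in this example
    }
    if (preg_match('/^\$2[axy]\$\d\d\$/', $stored)          // htpasswd -B (bcrypt)
        || preg_match('#^[./0-9A-Za-z]{13}$#', $stored)) {  // htpasswd -d (DES crypt)
        return password_verify($password, $stored);         // works on any crypt() hash
    }
    return false;                                           // plaintext or unknown format
}

/** Look up $user in htpasswd-style lines and verify $password. */
function htpasswd_verify(array $lines, string $user, string $password): bool
{
    $match = false;
    foreach ($lines as $line) {
        $line = rtrim($line, "\r\n");                       // file() keeps line endings
        if ($line === '' || $line[0] === '#' || strpos($line, ':') === false) {
            continue;
        }
        [$name, $hash] = explode(':', $line, 2);
        if ($name === $user && htpasswd_hash_matches($password, $hash)) {
            $match = true;
        }
    }
    return $match;
}

/**
 * Decide the response for a request that may carry Basic credentials.
 * Failure is a 403 with no WWW-Authenticate header, the combination the thread
 * suggests for keeping the browser's own login dialog closed.
 * Returns [status code, body]; the caller emits it.
 */
function xhr_auth_result(array $server, array $lines): array
{
    $user = $server['PHP_AUTH_USER'] ?? null;
    $pass = $server['PHP_AUTH_PW'] ?? null;
    if (is_string($user) && is_string($pass) && htpasswd_verify($lines, $user, $pass)) {
        return [200, 'you are good to go'];
    }
    return [403, 'This page needs authentication.'];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample entries, one per supported format.
    $lines = [
        "# constructed sample, not a real password file\n",
        'alice:' . password_hash('correct horse', PASSWORD_BCRYPT) . "\n",
        'bob:{SHA}' . base64_encode(sha1('hunter2', true)) . "\n",
        'carol:' . crypt('tr0ub4dor', 'ab') . "\n",
    ];
    $attempts = [['alice', 'correct horse'], ['alice', 'wrong'], ['bob', 'hunter2'],
                 ['carol', 'tr0ub4dor'], ['dave', 'anything']];
    foreach ($attempts as [$u, $p]) {
        [$status] = xhr_auth_result(['PHP_AUTH_USER' => $u, 'PHP_AUTH_PW' => $p], $lines);
        echo "$u / $p => HTTP $status\n";
    }
} else {
    // Web request: '/path/to/.htpasswd' is a placeholder path.
    [$status, $body] = xhr_auth_result($_SERVER, file('/path/to/.htpasswd') ?: []);
    http_response_code($status);
    echo $body;
}
```

With a 403 on failure, the client script's `xmlhttp.status == 401` branch has to test for 403 as well, or a wrong password is reported as an unknown error.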

all right you have to forgive me on this one...

but where would I put this script? on the same page as the login box?

It doesn't matter where the PHP script is as long as it is able to read from the .htpasswd file.

In the example:

if (isset($_SERVER['PHP_AUTH_USER'])) {
    // we actually have to do the authentication with PHP, since we sent an XHR-Authenticate header which is bogus, instead of WWW-Authenticate
    $valid = htpasswd_auth($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PASS']);
    if (!$valid) {
        XHR_Auth();
    }
} else {
    XHR_Auth();
}

I'm assuming the .htpasswd file is in the same folder as the php script. However, you can modify the path to the .htpasswd file as you need.

$path_to_htpasswd = '/path/to/.htpasswd';

if (isset($_SERVER['PHP_AUTH_USER'])) {
    // we actually have to do the authentication with PHP, since we sent an XHR-Authenticate header which is bogus, instead of WWW-Authenticate
    $valid = htpasswd_auth($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PASS'], $path_to_htpasswd);
    if (!$valid) {
        XHR_Auth();
    }
} else {
    XHR_Auth();
}

If you want to test the script out without XHR, you could just do so from the URL by adding:

$_SERVER['PHP_AUTH_USER'] = $_GET['user'];
$_SERVER['PHP_AUTH_PASS'] = $_GET['pass'];

to the beginning of the PHP file. That way it takes the user and pass from the query string portion of the URL instead of the HTTP Headers. Once it is working you can try it out with XHR.

btw: big typo in there. All instances of $_SERVER['PHP_AUTH_PASS'] should be changed to $_SERVER['PHP_AUTH_PW'].
