Posted to users@httpd.apache.org by Christopher Deeley <ch...@gmail.com> on 2005/12/24 18:40:34 UTC

[users@httpd] HTTP AUTH

Can anyone tell me, is there a way of doing the following, or any alternate
solutions?

I would like to set up a user folder for each user on my site and the only
method I know to stop anyone but the user accessing that folder is to use
htaccess to require the valid user. I have PHP running as a module on
Apache. Is there a way to pass username & password from a form to a php
script which will set the values of $_SERVER['HTTP_AUTH_USER'] and
$_SERVER['HTTP_AUTH_PW']? I currently have a page which does the usual
pop-up login box thingy so these values are set automatically but I would like
to get rid of it.

Also is there a way to log out?

I used to use sessions to validate the user and restrict access to pages but
I found people could still access pictures. Is there a way to use a form
based login (like I did before with sessions) and still restrict access to a
folder by only allowing one user in?

Re: [users@httpd] HTTP AUTH

Posted by Christopher Deeley <ch...@gmail.com>.
Hi

There's no way of passing info from a form to set the variables 'HTTP_AUTH_USER'
and HTTP_AUTH_USER but I have found a way around it but never put it into
practice yet.
You can still use your existing form to log in and create a session variable
as their user name, e.g. $_SESSION['username'] = 'user1'

Then, let's say you have a folder www.example.com/user1 which you want to
restrict access to 'user1' only, in the folder user1, create a .htaccess
file with the following info

# every extension must map to the same handler name used by Action below
AddHandler verify .gif
AddHandler verify .jpg
# add extra lines for other file types etc
Action verify /login/verify.user1.php
# this is relative to the root of your website, i.e.
# www.yoursite.com/login/verify.user1.php

Then each time the user accesses a .jpg, .gif file etc, it will first go
through the verify.user1.php script.
verify.user1.php needs to be written as follows


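<?php
// Resume the session created by the login form; without this $_SESSION is empty.
session_start();
if (isset($_SESSION['username']) && $_SESSION['username'] === "user1") {
    // PATH_TRANSLATED is the filesystem path of the file originally requested.
    $file = $_SERVER["PATH_TRANSLATED"];
    // Send the file's own MIME type; otherwise the image goes out as text/html.
    header('Content-Type: ' . mime_content_type($file));
    readfile($file);
} else {
    // Refuse with a 403 status so the denial is not returned as a normal page.
    http_response_code(403);
    echo 'invalid username';
}
?>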

Basically this will display the original file they were trying to access if
their username is user1, otherwise it will display the message *invalid
username*.

For other user folders, e.g. www.yoursite.com/user2, you will have to again
add an htaccess file in the folder and use the *add handler* as above to link
to a script like verify.user2.php

Hope this helps

Regards, Chris.
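
Added example, not part of the original posts: the per-user verify.user1.php approach above, generalised to a single handler script that serves a file only when it resolves inside the logged-in user's own folder. The layout DOCUMENT_ROOT/<username>/, the function name authorized_path and the script name verify.php are assumptions, as is PHP 7.1 or later with the fileinfo extension.

```php
<?php
// Added example, not from the original thread: one gatekeeper for all user folders.
// Assumed layout (hypothetical): DOCUMENT_ROOT/<username>/..., with each folder's
// .htaccess pointing "Action verify" at this script, e.g. /login/verify.php.

/**
 * Return the real path of $requested if it lies inside the folder owned by
 * $sessionUser under $docRoot, otherwise null.
 */
function authorized_path(string $docRoot, string $requested, ?string $sessionUser): ?string
{
    // Reject missing logins and usernames that could alter the folder path.
    if ($sessionUser === null || !preg_match('/^[A-Za-z0-9_-]+$/', $sessionUser)) {
        return null;
    }
    $root = realpath($docRoot . DIRECTORY_SEPARATOR . $sessionUser);
    $real = realpath($requested);   // resolves ".." and symlinks; false if missing
    if ($root === false || $real === false || !is_file($real)) {
        return null;
    }
    // The resolved file must sit below the user's own folder, not merely share
    // a name prefix with it (user1 must not match user10).
    $prefix = $root . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Act as the request handler only when invoked by the web server.
if (PHP_SAPI !== 'cli') {
    session_start();   // resume the session set up by the login form
    $file = authorized_path(
        $_SERVER['DOCUMENT_ROOT'],
        $_SERVER['PATH_TRANSLATED'] ?? '',
        $_SESSION['username'] ?? null
    );
    if ($file === null) {
        http_response_code(403);
        exit('invalid username');
    }
    // Serve the file with its own type so browsers render images correctly.
    header('Content-Type: ' . mime_content_type($file));
    header('Content-Length: ' . filesize($file));
    header('X-Content-Type-Options: nosniff');
    readfile($file);
}
```

Because the owner is taken from the session and compared against the resolved path, the same check holds whether the script is reached through the Action handler or requested directly with extra path information.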

Re: [users@httpd] HTTP AUTH

Posted by Scott Gifford <sg...@suspectclass.com>.
Christopher Deeley <ch...@gmail.com> writes:

> I would like to set up a user folder for each user on my site and
> the only method I know to stop anyone but the user accessing that
> folder is to use htaccess to require the valid user. I have PHP
> running as a module on Apache.  Is there a way to pass username &
> password from a form to a php script which will set the values of
> $_SERVER['HTTP_AUTH_USER'] and $_SERVER['HTTP_AUTH_PW'] ? I
> currently have a page which does the usual pop-up login box thingy
> so these values are set automatically but I would like to get rid of it.

No, you have to use cookies if you want a Web form instead of the
standard popup.  You can use mod_perl and Apache::AuthCookie to do
this without writing much code.

> Also is there a way to log out?

It's client-specific; Firefox provides a way to log out, IE does not.

> I used to use sessions to validate the user and restrict access to
> pages but I found people could still access pictures. Is there a way
> to use a form based login (like I did before with sessions) and
> still restrict access to a folder by only allowing one user in?

I would also look into using Apache::AuthCookie to do this.

----Scott.
