.htaccess PHP - Hobe it make sence.

[Joe-Montana]

Hey All

i would like to use .htaccess to protect a folder, i know how to do it with the, "htpasspwd" and put the .htaccess in the folder.

Is there any way that i can get htaccess to include a php file to check user and password. instead of using the htpasspwd file


##### if u know what i mean ################

AuthName "restricted stuff"
AuthType Basic
AuthUserFile userfile.php

require valid-user

####################

########## userfile.php #######
<?php

//prevents caching
header("Expires: Sat, 01 Jan 2000 00:00:00 GMT");
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
header("Cache-Control: post-check=0, pre-check=0",false);
session_cache_limiter();
session_start();

require('../../siteuser/config.php');
require('../../siteuser/functions.php');

if (allow_access(user) != "yes") {
{
include ('../../siteuser/no_access.html');
exit;
}
?>

Hobe it make sence.

Best Regard

Joe Montana

[falko]

No that doesn't work. Have a look here: http://httpd.apache.org/docs/1.3/mod/mod_auth.html

It reads:

Quote:

The AuthUserFile directive sets the name of a textual file containing the list of users and passwords for user authentication. File-path is the path to the user file. If it is not absolute (i.e., if it doesn't begin with a slash), it is treated as relative to the ServerRoot.

Each line of the user file contains a username followed by a colon, followed by the crypt() encrypted password. The behavior of multiple occurrences of the same user is undefined.

But you can do authentication with PHP, without .htaccess. It works like this:

PHP Code:

<?
    // checks if you have entered a username and a password
    if (!$_SERVER['PHP_AUTH_USER'] || !$_SERVER['PHP_AUTH_PW'])
    {
        // if empty, send header causing dialog box to appear
        header('WWW-Authenticate: Basic realm="Admin"');
        header('HTTP/1.0 401 Unauthorized');
        echo "Authorization Required.";
        exit;
    }
    else
    {
        // check if the username and password are correct
        if (($_SERVER['PHP_AUTH_USER'] == "demo") && ($_SERVER['PHP_AUTH_PW'] == "demo"))
        {
            // dispay happy message and admin stuff
            echo "Welcome!";
        }
        else
        {
            // display angry message for invalid user
            die("Oops! That didn't work...");
        }
    }
?>

[Joe-Montana]

Thaks again Falko,

Ok it´s maby me that eksplain it a bad way, the php script i have inlcude works fine as long as i include it on a site that i want to protect.


########## www.mysite.dk/user/index.php #######
<?php

//prevents caching
header("Expires: Sat, 01 Jan 2000 00:00:00 GMT");
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
header("Cache-Control: post-check=0, pre-check=0",false);
session_cache_limiter();
session_start();

require('../../siteuser/config.php');
require('../../siteuser/functions.php');

if (allow_access(user) != "yes") {
{
include ('../../siteuser/no_access.html');
exit;
}
?>
<HTML>
<HEAD>
<TITLE>mysite</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1251">

</HEAD>
<BODY BGCOLOR=#999999

<iframe src="/user/main.php" frameborder="0" name="main" scrolling="no" height="1000" width="902"></iframe>

</BODY>
</HTML>
################################

My php script checks in my sql database if user is loocked in.

connect to www.mysite.dk you will meet a normal form for user and password, if user is ok it will redirect to www.mysite.dk/user/index.php everything is god and work.


Now ex. if you connect direct to www.mysite.dk/user/index.php it meet the php script i have include, and if you not are loocked ind it will send you to www.mysite.dk. Everything is fine so fare.

The problem is that you can still get access to www.mysite.dk/user/audio.mp3

I would like to put a file in that folder (www.mysite.dk/user/) that no mater what, the server will read that file first and in that file i will include my php script.

Hobe You understand, and sorry about my spelling

/Joe

[falko]

You could write a script that is run by a con job and reads your users and their passwords from the database and puts them into a plain text file which you can include in your .htaccess file (see http://httpd.apache.org/docs/1.3/mod/mod_auth.html ).