
PHP Login with htaccess

Hello,

I am creating a login page that uses PHP to authenticate off http_referrer or basically uses my current htaccess file to authenticate.

Here is the code I am using so far. It seems to work great but there is one drawback. It pops up the same grey box for username and password.

How can I create an html form that references this php script? So that someone could place their username and password into an html form and it would execute this script without the popup?

(P.S. I know I can use the session to compare my username/password to an SQL database or even flat file but I’m trying to accomplish something different.)

Thanks for looking into this post. Any insight is appreciated.

[code]
<?php
/**
 * Authenticate a user against a password file generated by Apache's htpasswd
 * using PHP rather than Apache itself.
 *
 * @param string $user The submitted user name
 * @param string $pass The submitted password
 * @param string $pass_file='.htpasswd' The system path to the htpasswd file
 * @param string $crypt_type='DES' The crypt type used to create the htpasswd file
 * @return bool
 */
function http_authenticate($user,$pass,$pass_file='.htpasswd',$crypt_type='DES'){
    // the stuff below is just an example usage that restricts
    // user names and passwords to only alpha-numeric characters.
    if(!ctype_alnum($user)){
        // invalid user name
        return FALSE;
    }

    if(!ctype_alnum($pass)){
        // invalid password
        return FALSE;
    }

    // get the information from the htpasswd file
    if(file_exists($pass_file) && is_readable($pass_file)){
        // the password file exists, open it
        if($fp=fopen($pass_file,'r')){
            while(($line=fgets($fp))!==false){
                // for each line in the file remove line endings
                $line=preg_replace('`[\r\n]+$`','',$line);
                // skip lines that are not in user:hash form
                if(strpos($line,':')===false){
                    continue;
                }
                list($fuser,$fpass)=explode(':',$line,2);
                if($fuser==$user){
                    // the submitted user name matches this line
                    // in the file
                    switch($crypt_type){
                        case 'DES':
                            // the salt is the first 2
                            // characters for DES encryption
                            $salt=substr($fpass,0,2);

                            // use the salt to encode the
                            // submitted password
                            $test_pw=crypt($pass,$salt);
                            break;
                        case 'PLAIN':
                            $test_pw=$pass;
                            break;
                        case 'SHA':
                        case 'MD5':
                        default:
                            // unsupported crypt type
                            fclose($fp);
                            return FALSE;
                    }
                    // close the file on success and on failure;
                    // hash_equals() compares in constant time
                    fclose($fp);
                    return hash_equals($fpass,$test_pw);
                }
            }
            // the user name was not found in the file
            fclose($fp);
            return FALSE;
        }else{
            // could not open the password file
            return FALSE;
        }
    }else{
        return FALSE;
    }
}
?>
[/code]

7 Comments

@skyrider01, Jan 21.2008 — Apache will send a 401 back to the browser, and the browser then shows the "grey box" to the client, so not sure you can do what you want directly.

If you turn off the authentication in the .htaccess file and use your own routine instead, that might work.

So turn off authentication in .htaccess, use a cookie or similar to know if the user is authenticated, and use your routine to authenticate the user when they try to login.
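
The approach described in the comment above, as an added example that is not code from any poster in this thread: an HTML form posts to a PHP page that checks the htpasswd file and records the result in a session, so no 401 is ever sent and the browser dialog never appears. It goes slightly beyond the thread by also accepting bcrypt entries (`htpasswd -B`); `HTPASSWD_FILE` and `members.php` are placeholder names.

```php
<?php
// Added example: form login checked against an htpasswd file, tracked in a session.
// HTPASSWD_FILE and members.php are placeholders; keep the file outside the web root.
const HTPASSWD_FILE = '/path/outside/webroot/.htpasswd';

// Return the stored hash for $user, or null if the user is not in the file.
function htpasswd_lookup(string $user, string $file): ?string {
    $lines = @file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) return null;
    foreach ($lines as $line) {
        $parts = explode(':', $line, 2);
        if (count($parts) === 2 && $parts[0] === $user) return $parts[1];
    }
    return null;
}

// password_verify() accepts crypt()-compatible hashes: bcrypt ($2y$) and the
// legacy DES entries discussed in this thread. Apache-only formats ($apr1$,
// {SHA}) are rejected here rather than half-supported.
function htpasswd_check(string $user, string $pass, string $file = HTPASSWD_FILE): bool {
    $hash = htpasswd_lookup($user, $file);
    if ($hash === null || strncmp($hash, '$apr1$', 6) === 0 || strncmp($hash, '{', 1) === 0) {
        return false;
    }
    return password_verify($pass, $hash);
}

session_start();
$error = '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $user = $_POST['user'] ?? '';
    $pass = $_POST['pass'] ?? '';
    if (is_string($user) && is_string($pass) && htpasswd_check($user, $pass)) {
        session_regenerate_id(true);     // fresh session id once the user is authenticated
        $_SESSION['user'] = $user;
        header('Location: members.php');
        exit;
    }
    // Failure is an ordinary 200 page with a message: no 401, so no browser dialog.
    $error = 'Invalid user name or password.';
}
?>
<form method="post">
  <p><?= htmlspecialchars($error) ?></p>
  <label>User name <input name="user"></label>
  <label>Password <input name="pass" type="password"></label>
  <button type="submit">Log in</button>
</form>
```

Each protected PHP page then calls `session_start()` and redirects to the form when `$_SESSION['user']` is not set. Static files that Apache serves directly are not covered by this check.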

@actionscripter (author), Jan 21.2008 — Like creating a session and then authenticating against a file? I want to basically read/write to the .htaccess file with PHP for a simple login. I suppose not the most secure but workable.

@skyrider01, Jan 21.2008 — I think I understand what you want to do, but if you are using .htaccess and using e.g. basic authentication, then Apache will send back a 401 HTTP error code, which is similar to 403 Forbidden, but specifically for use when authentication is possible but has failed or not yet been provided. And the browser then will show the grey box.

I guess you could try and create the security token yourself, maybe by using "ajax" and then process the 401 http error code and then passing in the right credentials. I have done this before, but not in a browser.

This explains how basic authentication works: Basic authentication

@actionscripter (author), Jan 23.2008 — Thanks for the replies. Making a little progress on this end. I have this php script which I am calling the variables for username and password from an html form.

After I enter the username and password it still pops up the 'htaccess grey box'. How can I link this php script to a form that won't pop up the grey box?

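[code]
<?php
// Send the Basic-auth challenge. This 401 response is what makes the
// browser display its own login dialog.
function authenticate(){
    header('WWW-Authenticate: Basic realm="Members"');
    header('HTTP/1.0 401 Unauthorized');
    echo "Please enter a valid user name and password.";
    exit;
}

// The body runs once: every "continue" falls through to authenticate(),
// which exits; "break" is reached only when the credentials match.
for(; 1; authenticate()){
    if (!isset($_SERVER['PHP_AUTH_USER'])) continue;
    $user = $_SERVER['PHP_AUTH_USER'];
    // preg_quote() keeps regex metacharacters in the user name from
    // changing the pattern; ^ anchors the match to the start of the line
    $quoted = preg_quote($user, '/');
    $lines = preg_grep("/^$quoted:.*$/", file(".htpasswd", FILE_IGNORE_NEW_LINES));
    if (!($authUserLine = array_shift($lines))) continue;
    preg_match("/^$quoted:((..).*)$/", $authUserLine, $matches);
    $authPW = $matches[1];
    $salt = $matches[2];
    $submittedPW = crypt($_SERVER['PHP_AUTH_PW'], $salt);
    // constant-time comparison of the stored and computed hashes
    if (!hash_equals($authPW, $submittedPW)) continue;
    break;
}
[/code]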

@skyrider01, Jan 24.2008 — The problem still is that the browser will see the 401 and then display the login box. To try and bypass that, you would need to call the login page from ajax, and then when you get the HTTP error code of 401, you do something with that information.

If you use Firefox you can use an extension called "live http headers"; then you will see what happens.

So you basically have to write your own authentication process, following the basic authentication specs, if that is what you use in your .htaccess.

This explains a little more: Access Control

@Dasher, Feb 06.2008 — If you have a PHP script to log in with, can't you make it so .htaccess sees that you are logged in so no 401 occurs?

What people want is a more elegant way to bypass the default login that direct .htaccess provides via the server.

It seems to me .htaccess is needed if you have files that you don't want anyone including search bots to find. So the directory needs the basic protection afforded by .htaccess.

I would think a simple script should be available somewhere to allow one to elegantly login to a site to have access to the files that have basic access security.

@NogDog, Feb 07.2008 — Just in case you haven't seen it yet, have you looked at the [url=http://www.php.net/manual/en/features.http-auth.php]HTTP Authentication[/url] section of the PHP manual?