Simplest scheme for password protection?

Re: Simplest scheme for password protection?

<laredotornado@ zipmail.comwrot e in message
news:1161622661 .162877.145300@ e3g2000cwe.goog legroups.com...Dave,
if your server supports it you could use .htaccess files (apache style) to
control user access.
otherwise you can write a simple access control system and make it a
require_once in each PHP file.

Only the .htaccess will protect the html files on their own, It is often
useful to put pages and fragments that you don't want users to discover in
directories outside of the browsing path of the user, then get PHP to
include or require them as needed.

Cheers

Ron

Re: Simplest scheme for password protection?

Following on from laredotornado@z ipmail.com's message. . .The _simplest_ scheme may not be the /most suitable/.

Basics:
1 Don't store the password, but a hash of it
2 Check authority to run a page on every page

The simplest scheme operates as you expect with
1 Force a login (see 3)
2 Validate login and set 'OK' flag in $_SESSION
3 Check the 'OK' flag at the top of each page and redirect to login if a
problem

In case you didn't know. You can put restricted content outside the web
root. PHP will be able to access these but browsers won't. Feed that
content into your web pages somehow and you have complete control. To
do this you might use the include directive or fopen() etc.


/webroot/phppages
/webroot/imagebits
/webroot/css
/library/phots
/library/sound
/database/mysql

All the web root directories are visible to browsers none of the others
are




--
PETER FOX Not the same since the submarine business went under
peterfox@eminen t.demon.co.uk.n ot.this.bit.no. html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.dem on.co.uk>

Re: Simplest scheme for password protection?

I have seen .htaccess files, but how can they be built so that they
read from a database of stored username and passwords?

Thanks, - Dave


Ron wrote:

Re: Simplest scheme for password protection?

laredotornado@z ipmail.com wrote:That's not that simple.
You could make .htpasswd files on the fly, but that's hardly preferable, as
you'll have to create, maintain and verify the file on every change in
users.

What I'd do:
create a .htaccess file:

RewriteCond %{REQUEST_FILEN AME} -f
RewriteCond %{REQUEST_FILEN AME} !^accesscontrol .php
RewriteRule ^(.*?)$ accesscontrol.p hp?file=$i&%{QU ERY_STRING} [NC,L]

And handle authentication in accesscontrol.p hp, and possibly include the
requested files, or give a Unauthorised header.
--
Grtz,

Rik Wasmus

Re: Simplest scheme for password protection?

Thanks, Rik. This is the solution I'll pursue. But I have one follow
up question. What does "accesscontrol. php" return upon successful
authentication and upon authentication failure?

- Dave


Rik wrote:

Re: Simplest scheme for password protection?

laredotornado@z ipmail.com wrote:If you're using a MySQL database, see mod_auth_mysql (available on
sourceforge.net ).


--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attgl obal.net
=============== ===

Re: Simplest scheme for password protection?

laredotornado@z ipmail.com wrote:
$logged_in = your_own_code() ;
if(!$not_logged _in){
header('HTTP/1.0 401 Unauthorized');
exit;
}
$path = parse_url($_GET['file'],PHP_URL_PATH);
$file = dirname(__FILE_ _).'/'.$fake_url['path'];
if(!is_file($fi le){
header("HTTP/1.0 404 Not Found");
exit;
}
$ext = pathinfo($file, PATHINFO_EXTENS ION);
if(strcasecmp($ ext,'php') || strcasecmp($ext ,'html'){
include($file);
exit;
}
$ext_mime = array(
'jpg' ='image/jpeg',
'pdf' ='application/pdf',
etc...);
header('Content-type: '.$ext_mime[$ext]);
readfile($file) ;

--
Rik Wasmus