[kvnband]

Hi, I'm looking for the following (It is just for teaching myself, so any comments are welcome)

Let's say I have a database of users and md5 passwords (mysql)

What is the best way to provide a SECURE login for this? I don't want to use sessions for this, as the pages under the SECURE directory are just plain HTML files or say file downloads. I'm thinking that using the .htaccess method is best...well, OK, I want to know: Is it possible to somehow....just like .htaccess protect the directory, but let it be dynamic? So that every time directory is requested, the usual Browser username/password box pops up, but instead of a flat file, it pulls info from database?

Or, even a script that will pull info from database, and store in the .htpasswd file?

Thanks for reading,
Kevin

[infinitylimit]

put an index.php in every directory that will check permission that are set in a database.

Say you have a table
userid, user, pass

and another table
userid,directory

then you could just check the userid and pass it via the querystring or post.

You can get around sessions by using the database and passing a hash like vbulletin does, this is sometimes a better method because the sessionhash is like a combination of ip and user agent which kind of blocks it down.

[kvnband]

Well, this is just a general member's area that I'm talking about here. Everyone gets access to the directory, as long as they are verified. Now, about placing an index.php to check if they are verified. I don't quite understand this, because what if they accessed

/memberarea/page27.html or something like that? I know that you know your stuff, that's why I'm asking these questions.

Thanks,
Kevin

[infinitylimit]

Oh okay I was thinking you wanted something different.

I did a cursory look on apache.org regarding it's use of the .htpasswd/.htaccess and it doesn't appear you can have the server look in the database.

However you can make a script to write these files on adding of user to your database. Just do a fopen() ect...

[kvnband]

Ah, but the question is: Database of users and md5 passwords already exists. Now, I need to write to a file called .htpasswd with user:UNIX style password

I was thinking this is the way I'd have to do it, but how do I convert from md5 to UNIX?

Actually, thinking as how md5 is not reversible, I guess that this probably isn't possible. So let's say that the passwords are in plain text. How would I convert from plain text to unix style passwords. (Yes, I've looked, can't find anything)

Please keep in mind that this is just a 'what if' scenario, and I'm open to anything.

Kevin

[infinitylimit]

Basically there is a few different encrpytiong methods and you would have to check with the httpd conf on apache to figure out how to do it in a pure php manner but to do is using exec you can use htpasswd

Usage:
htpasswd [-cmdps] passwordfile username
htpasswd -b[cmdps] passwordfile username password

htpasswd -n[mdps] username
htpasswd -nb[mdps] username password
-c Create a new file.
-n Don't update file; display results on stdout.
-m Force MD5 encryption of the password.
-d Force CRYPT encryption of the password (default).
-p Do not encrypt the password (plaintext).
-s Force SHA encryption of the password.
-b Use the password from the command line rather than prompting for it.

This will let you do what you want I believe.