Until Microsoft released their security update to IE, I used an html form for the user to input his/her username/password which was passed to ‘username
assword@www.domain.com/restricted_directory’.
The IE patch now restricts this.
When AuthUserFile is in my .htaccess file and I try to access a restricted file, the browser brings up a login popup and I can gain access.
My goal is to login through my html form.
I’m very close to getting this working, but I don’t understand how the
$auth = false or true get’s passed.
Could it be the <LIMIT GET POST PUT> require valid-user</LIMIT> in the .htaccess needs to change?
Or is something else missing from my .htaccess file?
Do I need something like auth($_SESSION[‘user’], $_SESSION[‘pass’]) in the .htaccess file?
I hope this thread helps other people with this problem. I’ve Googled the heck out of this issue and there are no good examples…
I’ve added my auth.php and .htaccess files below.
I feel that I’m so close, but can’t get passed the finish line.
Also, my DB is Apache.
************************************************
My auth.php file looks like this ….
************************************************
<?php
session_start();
$PHP_AUTH_USER = $_POST['username'];
$PHP_AUTH_PW = $_POST['password'];
if (!isset($PHP_AUTH_USER)) $PHP_AUTH_USER = $_COOKIE['username'];
if (!isset($PHP_AUTH_PW)) $PHP_AUTH_PW = $_COOKIE['password'];
$auth = false; // Assume user is not authenticated
if (isset( $PHP_AUTH_USER ) && isset($PHP_AUTH_PW)) {
// Read the entire file into the variable $file_contents
$filename = '/usr/local/zeus/web_roots/main/domain.com/cgi-bin/pa/passwordfile.txt';
$fp = fopen( $filename, 'r' );
$file_contents = fread( $fp, filesize( $filename ) );
fclose( $fp );
// Place the individual lines from the file contents into an array.
$lines = explode ( "\n", $file_contents );
// Split each of the lines into a username and a password pair
// and attempt to match them to $PHP_AUTH_USER and $PHP_AUTH_PW.
foreach ( $lines as $line ) {
list( $username, $password ) = explode( ':', $line );
if ( $username == "$PHP_AUTH_USER" ) {
// Get the salt from $password. It is always the first
// two characters of a DES-encrypted string.
$salt = substr( $password , 0 , 2 );
// Encrypt $PHP_AUTH_PW based on $salt
$enc_pw = crypt( $PHP_AUTH_PW, $salt );
if ( $password == "$enc_pw" ) {
// A match is found, meaning the user is authenticated.
// Stop the search.
$auth = true;
setcookie('username',$PHP_AUTH_USER,time()+360
00);
setcookie('password',$PHP_AUTH_PW,time()+36000
);
break;
}
}
}
}
if ( ! $auth ) {
header( 'WWW-Authenticate: Basic realm="Private"' );
header( 'HTTP/1.0 401 Unauthorized' );
echo 'Authorization Required.';
exit;
} else {
header( 'Location:first.htm' );
}
?>
************************************************
My .htaccess file looks like this….
************************************************
AuthType Basic
AuthName "Making Doors Open"
AuthGroupFile /dev/null/
php_value auto_prepend_file "/usr/local/zeus/web_roots/main/domainname.com/auth.php"
<LIMIT GET POST PUT>
require valid-user
</LIMIT>
************************************************
Linear Mode
