Prev: Need to check pdf for xss
Next: erratic results from ftp_rawlist
From: Ali Asghar Toraby Parizy on 15 Aug 2010 13:45
all files (web pages, pictures, and exe files) and folders in a directory
should be protected against anonymous users.
I create an application with php and mysql for registered users. when a user
registers it's information will be saved in database and its username and
password will be added to .htpass file. so registered users can reach
protected area.
But browser prompts login dialog, when users want to access this folder. How
can I run login process with php.
Thanks


On Sat, Aug 14, 2010 at 4:23 PM, chris h <chris404(a)gmail.com> wrote:

> it sounds as if apache - or whatever your http server is - is not aware of
> your php script. All apache knows is that someone is trying to access a
> directory or file that is protected, it does not know that it should send
> that request to the php script for a login.
>
> What are the protected resources that you want a login for?
>
>
> On Sat, Aug 14, 2010 at 1:52 AM, Ali Asghar Toraby Parizy <
> aliasghar.toraby(a)gmail.com> wrote:
>
>> Hi
>> The php script is in another folder. I set PHP_AUTH_USER and 'PHP_AUTH_PW
>> in login script then try to open the file in the protected directory. the
>> php file is not in the protected realm.
>>
>>
>> On Sat, Aug 14, 2010 at 3:26 AM, chris h <chris404(a)gmail.com> wrote:
>>
>>> Based off what your saying my guess is that the request is not hitting
>>> your php script.
>>>
>>> Is the php script in the protected directory? If so what is it's file
>>> name and what url are you hitting for the test?
>>>
>>>
>>> Chris.
>>>
>>>
>>> On Fri, Aug 13, 2010 at 6:21 PM, Ali Asghar Toraby Parizy <
>>> aliasghar.toraby(a)gmail.com> wrote:
>>>
>>>> Hi. I have a protected directory in my host. I have configured .htaccess
>>>> successfully and it works prefect.
>>>> Now I'm looking for a solution to login and logout by a php script.
>>>> In my site I have a login page. In that page I set 'PHP_AUTH_USER' and '
>>>> PHP_AUTH_PW'. but when I try to open protected directory, user
>>>> authentication dialog appears.
>>>> How can I do this? What is my error?
>>>>
>>>> --
>>>> Ali Asghar Torabi
>>>>
>>>
>>>
>>
>>
>> --
>> Ali Asghar Torabi
>>
>
>


--
Ali Asghar Torabi



--
Ali Asghar Torabi
From: Ashley Sheridan on 15 Aug 2010 14:05
On Sun, 2010-08-15 at 22:15 +0430, Ali Asghar Toraby Parizy wrote:

> all files (web pages, pictures, and exe files) and folders in a directory
> should be protected against anonymous users.
> I create an application with php and mysql for registered users. when a user
> registers it's information will be saved in database and its username and
> password will be added to .htpass file. so registered users can reach
> protected area.
> But browser prompts login dialog, when users want to access this folder. How
> can I run login process with php.
> Thanks
>
>
> On Sat, Aug 14, 2010 at 4:23 PM, chris h <chris404(a)gmail.com> wrote:
>
> > it sounds as if apache - or whatever your http server is - is not aware of
> > your php script. All apache knows is that someone is trying to access a
> > directory or file that is protected, it does not know that it should send
> > that request to the php script for a login.
> >
> > What are the protected resources that you want a login for?
> >
> >
> > On Sat, Aug 14, 2010 at 1:52 AM, Ali Asghar Toraby Parizy <
> > aliasghar.toraby(a)gmail.com> wrote:
> >
> >> Hi
> >> The php script is in another folder. I set PHP_AUTH_USER and 'PHP_AUTH_PW
> >> in login script then try to open the file in the protected directory. the
> >> php file is not in the protected realm.
> >>
> >>
> >> On Sat, Aug 14, 2010 at 3:26 AM, chris h <chris404(a)gmail.com> wrote:
> >>
> >>> Based off what your saying my guess is that the request is not hitting
> >>> your php script.
> >>>
> >>> Is the php script in the protected directory? If so what is it's file
> >>> name and what url are you hitting for the test?
> >>>
> >>>
> >>> Chris.
> >>>
> >>>
> >>> On Fri, Aug 13, 2010 at 6:21 PM, Ali Asghar Toraby Parizy <
> >>> aliasghar.toraby(a)gmail.com> wrote:
> >>>
> >>>> Hi. I have a protected directory in my host. I have configured .htaccess
> >>>> successfully and it works prefect.
> >>>> Now I'm looking for a solution to login and logout by a php script.
> >>>> In my site I have a login page. In that page I set 'PHP_AUTH_USER' and '
> >>>> PHP_AUTH_PW'. but when I try to open protected directory, user
> >>>> authentication dialog appears.
> >>>> How can I do this? What is my error?
> >>>>
> >>>> --
> >>>> Ali Asghar Torabi
> >>>>
> >>>
> >>>
> >>
> >>
> >> --
> >> Ali Asghar Torabi
> >>
> >
> >
>
>
> --
> Ali Asghar Torabi
>
>
>


The two login processes are separate from each other. The .htaccess
method is handled by Apache, completely apart from PHP. I believe it is
possible, but is unreliable because of the way different browser/server
combinations behave.

Your best bet is to store these files outside of web route, and access
them with a URL like this:

file.php?id=123456

your web route might be something like /var/www/html/yoursite
(where /var/www/html is the web root)
your documents and secure files could be at /var/www/files/yoursite

In your DB, the file id 123456 maps to a specific file on the hosting.
This file isn't accessible from the web normally, so PHP will have to
use something like fpassthru() to open dump the contents to the browser
(obviously sending the correct header() mime type, etc). The advantage
to this is you can use your PHP login system, and check each file
download attempt against the session to ensure they are a valid user who
should be able to access this file. Also, the obfuscation of the
filename means that someone is less likely to guess at a filename. The
id itself can be anything from a hash of the filename to an auto
increment id in the DB.

Thanks,
Ash
http://www.ashleysheridan.co.uk


From: kranthi on 15 Aug 2010 23:57
i would configure apache to let php interpreter handle all kinds of
extensions ( http://httpd.apache.org/docs/2.0/mod/mod_mime.html#addhandler
)

even then u'll have go through all the steps pointed out by Ash.
the only advantage of this method is more user friendly URL
From: Ashley Sheridan on 16 Aug 2010 04:13
On Mon, 2010-08-16 at 09:27 +0530, kranthi wrote:

> i would configure apache to let php interpreter handle all kinds of
> extensions ( http://httpd.apache.org/docs/2.0/mod/mod_mime.html#addhandler
> )
>
> even then u'll have go through all the steps pointed out by Ash.
> the only advantage of this method is more user friendly URL
>


That would be very slow and prone to failure. What happens when Apache
comes across a binary file that contains <?php inside? It seems
unlikely, but I've found the more unlikely something should be, the more
often it occurs at just the wrong moment! For example, a document that
talks about PHP, or an image that randomly contains those characters as
part of the bitmap data?

Also, the idea of tying an ID into the DB does still allow you to use
friendly URLs, but is the ability to guess filenames really something
you want in a security system? It would be more prone to brute force
attacking I think.

Thanks,
Ash
http://www.ashleysheridan.co.uk


 | 
Pages: 1
Prev: Need to check pdf for xss
Next: erratic results from ftp_rawlist