Applying .htaccess folder username/password with PHP
P

3

1

I’m building a PHP/MySQL web application. Users log in and various session variables are set.

There’s a folder on the webserver where users can upload files to (any kind – images, pdf, .doc etc). I’d like to protect this folder to prevent people who are not logged in typing in the url and getting to these files. Browsing of files in this folder is disallowed.

I can apply a password using my cpanel, which works nicely. However it means that users have to log in to the application, then the first time they navigate to a file in this protected folder, they’re prompted for the username/password for the protected folder. I’d like to make it so they don’t have to type in the username/password for the protected folder.

Is there any way when a user logs in, setting their session variables, to at that same time – using PHP – also set the username/password for the protected folder – so they’re not prompted? Thank you. Iain.

Pelham answered 12/6, 2011 at 9:52 Comment(0)
E
0

The way I approached this was that the protected folder they think they access is NOT the actual protected folder, what happens is you interface with it only via PHP, and if they have logged in (which you can do a fake .htaccess by sending the appropriate web authentication codes; see http://php.net/manual/en/features.http-auth.php)

From there, if they "log in" you can tell, and they can be shown the codes, if not, you can say "You aren't logged in, if you wish to access this area, you will need to login".

It's simple but effective.

Do remember of course, that sensible people know if you do http://user:[email protected]/files it auto sends web auth info.

Equal answered 12/6, 2011 at 9:57 Comment(2)
Thanks for the reply, but I’m not quite following. I had a look at the http auth page link. Is it possible to set the values of $_SERVER['PHP_AUTH_USER'] & $_SERVER['PHP_AUTH_PW'] as a page loads, so the user won’t be prompted for the protected folder's user/pw? I didn't know you could add the user/pw to the url - the warning on the popup about them being sent as plain text makes sense now! I thought that could have been the answer, adding the user/pw to the urls clicked from the php pages - however it doesn't work in IE. - Pelham
Depends how you check the username/password I guess, but, it should work. It certainly should block the username/password prompt. Same works with ftp through IE too. - Equal
R
0

I don't think you can get at PHP session variables from the .htaccess level.

What you can do is to rewrite any accesses to a PHP script that checks for a logged-in user and either returns the file or redirects to a 'not logged in' page.

Revkah answered 12/6, 2011 at 9:59 Comment(0)
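
The approach described in the two answers above (reach the files only through PHP, with requests rewritten to a script that checks the session) could look like the following. This is an added example, not code from any poster in the thread; the script name `download.php`, the `UPLOAD_DIR` path, the `$_SESSION['user_id']` key, `/login.php` and the rewrite rule are all assumptions.

```php
<?php
// download.php - added example; all names here are assumptions, not from the thread.
// Assumed .htaccess in the public "files" folder, sending every request to this script:
//   RewriteEngine On
//   RewriteRule ^(.+)$ /download.php?f=$1 [L,QSA]
declare(strict_types=1);

// Assumption: uploads are stored outside the document root, so no URL maps to them directly.
const UPLOAD_DIR = '/home/example/private_uploads';

session_start();

// Assumption: the application's login code sets $_SESSION['user_id'] on success.
if (empty($_SESSION['user_id'])) {
    header('Location: /login.php', true, 302);
    exit;
}

$requested = (string)($_GET['f'] ?? '');
$base = realpath(UPLOAD_DIR);
$path = realpath(UPLOAD_DIR . '/' . $requested);

// realpath() resolves "../" and symlinks; reject anything that ends up outside UPLOAD_DIR.
if ($base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// Take the type from the file content, not from the user-supplied name.
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime = $finfo->file($path) ?: 'application/octet-stream';

// Users can upload any file type, so send it as a download and forbid sniffing;
// an uploaded HTML or SVG file is then never rendered in the application's origin.
header('Content-Type: ' . $mime);
header('X-Content-Type-Options: nosniff');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
header('Content-Length: ' . (string)filesize($path));
header('Cache-Control: private, no-store');

session_write_close(); // release the session lock before streaming the file
readfile($path);
```

The session check here only establishes that someone is logged in; if files belong to individual users, an ownership lookup belongs before `readfile()`.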
S
0

I did this years ago, but it worked very well with cpanel: I programmatically called the directory protection settings page of cpanel and added the username/password there. So cpanel took care of the server administration. However I have no clue if that still works.

There is a library available that you can use to create the .htaccess and the .htpasswd files as well. I have never used it so I cannot say if it works: Class: PHP Functions Class

I sort of remember some other library as well that does only the .htaccess and .htpasswd stuff, so you might find something else with searching the internet.

Sennit answered 12/6, 2011 at 11:33 Comment(0)
