.htaccess-style Login System And Php

[Amezis 0]

I am trying to make a login system that looks and works like .htaccess using sessions, with a PHP script that detects the username used.

Let's say I log on with the username "Amezis" and correct password. Then I want a PHP (or any other kind of script) to create a cookie or session which stores the user name, so it could be possible to store it in a variable as long as the user is logged in, and so it can be printed when needed.

Basically, this is what I want the script to do:

/* This file can only be executed after logging in with the htaccess-style login screen *//* Then, detect the used username, so it can be stored in a variable using a cookie or session, and that way, it can be printed on this page, or on another restricted user page as long as the user has logged in with the htaccess-screen and the session is valid *//* Content */

[rvalkass 5]

When you say an .htaccess-style login, do you mean you want a popup login box, or you want usernames and passwords stored in a text file? The PHP code for reading a text file and reading a database is very different and requires different logic. A popup login box would just require some JS, or if it doesn't need to popup then a simple HTML form would suffice.

[Amezis 0]

I was thinking about a popup login box, preferably made with .htaccess. I want the PHP script to simply detect what the entered information is (username, password).

[jlhaslip 4]

java or javascript would be the wise way to do the pop-up, yes?

[Amezis 0]

No, I want something like the cPanel login screen, which can be made using a .htaccess file. I do not have problems using .htaccess, but I want PHP to detect the submitted info, which is in this case the username and password.A javascript login would be plain stupid and not secure at all, and it's not possible to make the .htaccess login box with javascript, and I don't see why I would use java for it.If someone still don't understand my problem, then I'll try to explain it again:I have a .htaccess file pointing to a password file outside the public directory with 4 usernames and passwords, which protects a specific directory. When the user submits the correct username and password, PHP will detect the username used for the login so it can be either stored in a cookie or saved as a session so it can be possible to echo the user name later.

[jlhaslip 4]

Exactly.Use javascript to pop-up the box containing the php script.

[shadowx 0]

I understand your problem, but as said javascript is the best way to go . javascript will make the popup box and it will look identical to that of the .htaccess method then the values of username and password will be stored in GET or POST global variables so that the php page that comes next will take those values and compare them to the ones in the file, if correct you get in, if not you get redirected. the easiest way in my opinion would be to use a database or to include the correct usernames and passwords list in the php file. it will be safer i think and easier to work with

[michaelper22 0]

I understand what the guy wants, and I know there is a way to do it. It does not involve JS. When you make a CGI request, there are two variables that are included in the array of environment variable. I do not know the names of those variables offhand, but some research will bring results. The variables contain the username and the passowrd, most probably Base64 encoded.

Edited October 9, 2006 by michaelper22 (see edit history)

[Amezis 0]

Well, I want to do this to secure folders and files that cannot be loaded by regular visitors. I'm pretty sure that there is no good way to secure images and .exe files using PHP, that's why I'm using .htaccess for it. Heck, I will have to make two login systems: One protecting the folder, and one identifying the user.I know it is possible, because I have seen several systems using it. And I don't really see why I should do a popup login screen with Javascript, there wouldn't be much sense making one. A popup login like .htaccess made with javascript wouldn't be more useful than a regular login form.I have to use .htaccess. There is no way, as far as I know, to make better login system which protects all types of files (PSD, JPG, GIF, EXE, ZIP, RAR, and so on) except .htaccess. But again, I want to make it possible to allow the .htaccess login to work for the PHP files, so the user don't have to log in twice.

[michaelper22 0]

I will look into this for you. As I said, there is a way to do this. like cPanel did. Just give me some time - might have a sloution by the afternoon (my time - as I post it's 10:40 AM).

[Amezis 0]

Ok, great. If you're able to find a solution, then I would be very grateful!

[michaelper22 0]

I did some research, and came up with these to findings:

'PHP_AUTH_DIGEST'When running under Apache as module doing Digest HTTP authentication this variable is set to the 'Authorization' header sent by the client (which you should then use to make the appropriate validation).

'PHP_AUTH_USER'
When running under Apache or IIS (ISAPI on PHP 5) as module doing HTTP authentication this variable is set to the username provided by the user.

'PHP_AUTH_PW'
When running under Apache or IIS (ISAPI on PHP 5) as module doing HTTP authentication this variable is set to the password provided by the user.

'AUTH_TYPE'
When running under Apache as module doing HTTP authenticated this variable is set to the authentication type.

I got this from the PHP manual (http://us2.php.net/manual/en/reserved.variables.php).
Edited October 10, 2006 by michaelper22 (see edit history)

[Amezis 0]

Wow! That's all I needed! Thanks a lot!!! I can't believe it was that easy, but many, many thanks once again!!

[farsiscript 0]

Dear rvalkasswhich one is better login form pop menu ( .htaccess ) or database ?i know in datbase we can use password in many format like (md5) and .... but i want to know which login is be in safe ?