Individual Script Authorization

[Uranium-235]

Have you ever wanted to give scripts individual access without having to create your own cookie authentication method? Well...you could just use a little http header trick to do just that! I found this out last night, and played with it a little, and I think it's worth ppl knowing. You know what .hacccess is? It's a file that some web server can read (mainly apache) and if apache encounters it, it will send certain headers to the persons broswer asking for a username and password (yeah you've seen them before, little window that pops up with the key in Internet explorer).

Well you can do this with PHP also! And the wonderful people at php have built it so it will send the username and password the user enters into global varibles your script can access!

I admit if you want to password an entire directory it's best to use .htaccess. This is cause files inside the directory will still be able to be accessed if you use script authentication, even with a index.php. And .htaccess will password the directory it's in and all directories under it. Like if it's in /foo/ the directory /foo/images/ will still be protected, with script authorization /images/ will not be protected. However some server might not support .htaccess, so this might be a good idea. With .htaccess, it stores it's passwords in a sperate file that can be specified in .htaccess. This is somewhat limited. With script access you can get passwords off databases to authenticate the user, or you can use your own file also. .Htaccess passwords are also encrypted in it's password file. You can do this in php with crypt() if you know how to (and I do). Click on the link below and enter in the username "username" and the password "password"  ...WITHOUT the quotes

http://dynamic2.gamespy.com/~extreme/scripts/test.php

Once they've entered in the correct username and password, you won't have to put it in again, cause the browser will automatically send your username and password into the script each time you access it. As well PHP will keep the value $PHP_AUTH_USER in it's set every time you access the script...until you close your browser window.

[Keefe]

This could be useful for my next project on Hardware Pub and Netsmog.  Thanks for the info!

One question though, how long does that cookie last?

[Uranium-235]

Jesus Christ! when I clicked on this thread a second ago thier was no reply! You musta of posted while I relooked at it! haha

the cookies kill when you close the broswer window you typed your password & username in (I'm not sure about popup windows though)


Edit: It seems if it works in a popup window with the same name (target field in the a href tag). Cause I just clicked on that link again and it let me through. So I'm guessing the once the parent window closes it will kill the cookies

[Keefe]

Ok...
I have some admin pages for hardwarpub and their are a bunch of different logons...Can i make a script that would authorize the others when i logged in to one place?

[Uranium-235]

you mean make you able to access all of them? and other people only some of them? sure, with mysql, and some work

[Keefe]

Great

Thanks!

Great tip there Uranium-235!  This was something I was looking for.  Although I don't know how to program in PHP yet, I'm sure one of my buddies could use this bit of info.  We're actually trying to make an online survey for our Residential Network services on the job that we did for users.  However, we also need to authenticate who they are in order to minimize the amount of pranksters that would submit false surveys.  Great job! Thanks again!