Website and Server Administration Forum

**Physicsguy** · 01:35 PM

Hi guys,

I have a script that, when you enter the directory the .htaccess file is it, it makes you authenticate. When you authenticate correctly, it redirects you to your subdirectory. For example, if I successfully logged in as 'Physicsguy', it would redirect me to 'physicsguy/'. The problem is, though, is not allowing the URL to be changed and allow Physicsguy into admin/.

Here is my script:

.htaccess:

Code:

AuthType Basic
AuthName "Restricted Area"
AuthUserFile (path to .htpasswd)/.htpasswd
Require valid-user

Example .htpasswd file:

Code:

person1:.mawDZ5WDShOM
person2:PNFL7nw0WksGU
person3:7ju7Ox/UWYoRI

*The passwords are pass1, pass2, and pass3*

PHP file inside the directory that the user sees when they authenticate successfully:

PHP Code:


			
<?php
//$_SERVER['PHP_AUTH_USER'] = Entered username
//$_SERVER['PHP_AUTH_PW'] = Entered password
if (!isset($_SERVER['PHP_AUTH_USER'])){
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    exit;
}
else {
    header("Location: ".strtolower($_SERVER['PHP_AUTH_USER'])."/");
}
?>

So how can I get it to ask you to reauthenticate if you try to access somebody else's directory? Of course, I'd like an easy solution, rather than have custom .htaccess and .htpasswd files for EACH directory (I have a lot).

Thanks!

-PG

**chrishirst** · 09-10-2011, 01:39 PM

Quote:

have custom .htaccess and .htpasswd files for EACH directory

Correct.
.htaccess directives affect the directory that the .htaccess file is in AND all sub-directories in the tree for that directory

**Physicsguy** · 09-10-2011, 01:41 PM

So how can I modify the top-level .htaccess to only allow authenticated users to access their own subdirectory?

[/htaccess nub]

**chrishirst** · 09-10-2011, 01:54 PM

Quote:

Originally Posted by Physicsguy

So how can I modify the top-level .htaccess to only allow authenticated users to access their own subdirectory?

[/htaccess nub]

Use PHP to authenticate and redirect.

**Physicsguy** · 09-10-2011, 01:56 PM

Yes, but that would mean I'd need to have (a) certain file(s) in each directory to make it work. These are random people I'm dealing with, and if somebody just deleted that security file, their account would be open.

**chrishirst** · 09-10-2011, 04:22 PM

Not really, you just need an index file in the top level folder that unlocks the permissions on the relevant folder [shell_exec('chmod 777 path\username');] and set them back to 644 or 755 when the user logs out.

**Physicsguy** · 09-10-2011, 04:40 PM

Ah, I see. Thanks anyway, Chrishirst

I did manage to just make a script that automatically creates a .htaccess and updates the main .htpasswd. The user just needs to enter their desired password, and it'll go.

Here it is, if anybody's interested:

PHP Code:


			
<?php

$hLoc=str_replace('/'.basename(__DIR__),null,dirname(__FILE__))."/.htpasswd";

if(isset($_POST['p'])){
    $f=fopen('../.htpasswd','a');
    fwrite($f,"\n".basename(__DIR__).":".crypt($_POST['p'],base64_encode($_POST['p'])));
    fclose($f);
    $h=fopen('.htaccess','w');
    fwrite($h,"AuthUserFile $hLoc\nAuthGroupFile /dev/null\nAuthName \"".basename(__DIR__)."'s files\"\nAuthType Basic\nrequire user ".basename(__DIR__)."");
    fclose($h);
}
else{
?>
<form action="protectme.php" method="post">
<div><label>Password:</label> <input type="password" name="p"/><input type="submit" value="Protect"/></div>
</form>
<?php
}
?>

That will password protect the directory you run the script from, as well as update the .htpasswd file which is assumed to be one level up from the protected directory.