Problem with HTTP Auth

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
i have a problem concerning a php script i worte some time ago.
It is a rather simple thing. On a Site you login via a html form which
points to a php that checks the username and password, and knowing this
it sends each user to his own http atuh protected directory.

i used for each of them.

all of these directories are protected with basic auth of apache
there are pdf and other downloadable files there
and one php index page with links to the files.

ie6 sp2 does no longer support user:pass@ notation.
all other browsers do (as i know):
mozilla/firefox/epiphany/konqueror/opera/even lynx
nevertheless i'd like to support ie too

one solution is that i link to ans the browser
would ask for the username again, which is ugly

another solution is that i do not user http auth, protect the php vom
viewing, but everyone nowing a deeplink could download the files, which
i definitly don't want.

one more solution could be links to each users directory and only the
browser asks for user and pass, but no user should (in ideal case) know
that another user exists. i don't want a page (viewable for all) where
there are all users listed.

okay, ... deeplinks are also not what i wand. no user should have to
type deeplinks to his dir.

the problem is that ie does not only trow another login box, this would
be okay if other browsers work "normally". but ie gets an error
page.... syntax error. which i don't like to see.

so.: i hope the problem is clear.
i use header(Location: ???) for redirection.
i tried some hacks to include Auth credentials in the header, but had
no success.

any solution providing protection for my downloadable files, working in
all browsers would be a charm.

thanks in advance


Re: Problem with HTTP Auth wrote:
Quoted text here. Click to load it

Still, this sounds like the best solution. The problem being that the way  
this works with IE, is that it remembers your input and re-sends it with  
each page request that includes an authentication header.

The only thing you need to change is the "again" bit for IE users...


Re: Problem with HTTP Auth

yes, thats true but in firefox&co it also remembers and resends the
information allthough it has never been entered into the ugly browser
box, but only in my form.
and i think it is not possible to let users input the user/pass
combination twice. once into the form, and a second later into the
dialog box of the browser. this is ugly. really.

Re: Problem with HTTP Auth wrote:
Quoted text here. Click to load it

One way to do it is with Apache rewrite. When the user logs in, the PHP
script adds an entry to a rewrite map, with the user's session id
pointing to his user name. When the tries to user accesses a file in
his folder, mod_rewrite would get the user's session id from the
cookie, then check to see if a matching entry in the rewrite map. If it
exists, it rewrites the url to the private folder, using the user name
from the map. If not, it sends the user to a page showing an error

Site Timeline