Re: htaccess and a login "page"
by David Sharp <David.Sharp(at)sharp-words.com>
Date: Thu, 27 Sep 2001 06:50:39 +0200
To: hwg-techniques(at)hwg.org
References: servers
At 11:30 -0400 26/09/01, Jeniffer C. Johnson wrote:
>.../...When a member clicks on a "login now" link, I would like the
>user to be presented with a nice tidy html page with the login form
>and a "submit" button, rather than the popup dialogue box for
>entering username and password. Is this doable?
I'm coming in a bit belatedly on this one. This is my take on the
type of method suggested by Hank Marquardt in his reply.
I've done something similar on my http://www.sharp-words.com/ site,
but without using .htaccess to protect the "private" directory.
Instead it uses PHP and cookies.
As the material I'm protecting is just family pictures and documents
(and my family contains nobody called "bin Laden"), I haven't thought
it necessary to provide a very high level of security.
However I'm pretty sure there's a way to both provide the kind of
form you want, and protect the directories where your sensitive stuff
is at the .htaccess level.
I've a form at the bottom of each page which allows registered users
to sign on. When they do so, the page script sets a session cookie,
which is tested for on each access.
All the pages on the site are generated as the same index file at the
root, with individual directories containing only flat text files and
PHP table files.
Pages are built on the fly via PHP inclusions. This means that
accesses to individual subdirectories are made not via http, but via
PHP.
If what I'm writing here is correct (and I have clear memories that
it is, although I haven't time to test it right now), the difference
is crucial.
The only way anyone could get at the actual files in the directories
on my site is if they were to work out the architecture.
It's true that this shouldn't be too difficult for someone to work
out, if they reckoned it was worth the bother, although if I really
wanted to, I could make it less than intuitive by using weird names
for my data tables, and weird file extensions for the data that would
take some guessing.
Now I'm pretty certain that placing a ban on http access to a file or
directory at the .htaccess level *doesn't* prevent PHP from accessing
the material in question. I seem to remember doing this on a regular
basis a few years ago.
This means that if you use my method (which as far as I know is
pretty common, as regards site architecture), you should be able to
protect your membership information from prying eyes via .htaccess,
while at the same time letting registered users get to it via a PHP,
or other server-side, inclusion script.
Any smart Alec who happened to know the name and path data of a file
in your protected directory - such as the file containing your
members' names, addresses and bank account numbers - would be unable
to get at it.
Of course, the corollary is that your registered users need to have
cookies enabled in their browsers, but you can warn them of that.
(The "session" gizmo in PHP might even avoid using cookies, but I've
never tried using it, so I'm not sure).
Note, however, that this method *won't* work if the files you're trying to
protect are images, or other downloadable files, because the client
requests those via http.
Hope this makes sense - and is of some use.
--
David Sharp, journaliste, France <mailto:david.sharp(at)sharp-words.com>
Site et forum ("Tuyaux") / Press site & mailing list:
http://www.presse-en-ligne.com/
Site personnel / Personal home page http://www.sharp-words.com/
HWG hwg-techniques mailing list archives,
maintained by Webmasters @ IWA
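The design David describes above (one index script at the site root, a sign-on form at the foot of every page, a session cookie checked on each access, and a data directory that Apache refuses to serve but that PHP reads from the filesystem) as a worked example. This is added illustration code, not David's site or anything from the HWG list; the directory names `public/` and `private/`, the `page` query parameter, the `.txt` page files and the single `alice` account are all constructed for the example.

```php
<?php
// Added example (not the poster's code): a single index.php gatekeeper in
// the site root. Protected content lives in ./private/, which Apache refuses
// to serve over HTTP, but PHP on the same server can still read it by path.
//
// Assumed .htaccess inside ./private/ (Apache 2.2 syntax; on Apache 2.4 the
// equivalent single line is "Require all denied"):
//     Order deny,allow
//     Deny from all

session_start();

// Constructed credentials store with one account and a hashed password.
// In a real site this array would itself live in a file under ./private/,
// so it is never reachable by URL either.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// 1. Handle the sign-on form, which posts back to this same script.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['user'], $_POST['pass'])) {
    $u = (string) $_POST['user'];
    if (isset($users[$u]) && password_verify((string) $_POST['pass'], $users[$u])) {
        session_regenerate_id(true);   // fresh session id after login
        $_SESSION['member'] = $u;
    }
    // Redirect back to the same page so a reload does not re-post the form.
    header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'));
    exit;
}

if (isset($_GET['logout'])) {
    $_SESSION = [];
    session_destroy();
    header('Location: /');
    exit;
}

// 2. Decide which page to build. Only a short alphanumeric name is accepted,
//    so a request such as ?page=../../etc/passwd cannot leave ./private/.
$page = $_GET['page'] ?? 'home';
if (!preg_match('/^[a-z0-9_]{1,32}$/', $page)) {
    http_response_code(404);
    exit('No such page');
}

$loggedIn = isset($_SESSION['member']);
$public   = __DIR__ . "/public/$page.txt";
$private  = __DIR__ . "/private/$page.txt";

echo "<!DOCTYPE html><html><body>\n";

// 3. Serve the content by server-side inclusion, never by a direct URL.
//    The .htaccess deny applies to HTTP requests; file_get_contents() reads
//    the filesystem, so the check that matters is the session test here.
if (is_file($public)) {
    echo '<pre>' . htmlspecialchars(file_get_contents($public)) . "</pre>\n";
} elseif ($loggedIn && is_file($private)) {
    echo '<pre>' . htmlspecialchars(file_get_contents($private)) . "</pre>\n";
} elseif (is_file($private)) {
    echo "<p>Members only. Please sign in below.</p>\n";
} else {
    http_response_code(404);
    echo "<p>No such page.</p>\n";
}

// 4. The sign-on form at the bottom of every page, as the post describes.
if ($loggedIn) {
    echo '<p>Signed in as ' . htmlspecialchars($_SESSION['member'])
       . ' (<a href="?logout=1">sign out</a>)</p>';
} else {
    echo '<form method="post">'
       . '<input name="user" placeholder="user"> '
       . '<input name="pass" type="password" placeholder="password"> '
       . '<button type="submit">Sign in</button></form>';
}
echo "</body></html>\n";
```

Two points worth checking on a real deployment: confirm the `Deny` in `private/.htaccess` is actually honoured by requesting a file in that directory by URL and expecting a 403 (it only takes effect where `AllowOverride` permits `Limit` or, on 2.4, `AuthConfig`), and keep the whitelist on `page` strict, because once the gate script reads files by name the only thing standing between a visitor and the rest of the filesystem is that validation.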