Posted by Chung Leong on 03/19/06 03:24
Thomas.Firnschrott@gmail.com wrote:
> i have a problem concerning a php script i wrote some time ago.
> It is a rather simple thing. On a Site you login via a html form which
> points to a php that checks the username and password, and knowing this
> it sends each user to his own http auth protected directory.
>
> i used http://user:p...@domain.com/user for each of them.
>
> facts:
> all of these directories are protected with basic auth of apache
> there are pdf and other downloadable files there
> and one php index page with links to the files.
>
> problems:
> ie6 sp2 does no longer support user:pass@ notation.
> all other browsers do (as i know):
> mozilla/firefox/epiphany/konqueror/opera/even lynx
> nevertheless i'd like to support ie too
>
> one solution is that i link to http://domain.com/user and the browser
> would ask for the username again, which is ugly
>
> another solution is that i do not use http auth, protect the php from
> viewing, but everyone knowing a deeplink could download the files, which
> i definitely don't want.
>
> one more solution could be links to each users directory and only the
> browser asks for user and pass, but no user should (in ideal case) know
> that another user exists. i don't want a page (viewable for all) where
> there are all users listed.
>
> okay, ... deeplinks are also not what i want. no user should have to
> type deeplinks to his dir.
>
> the problem is that ie does not only throw another login box, this would
> be okay if other browsers work "normally". but ie gets an error
> page.... syntax error. which i don't like to see.
>
> so.: i hope the problem is clear.
> i use header(Location: ???) for redirection.
> i tried some hacks to include Auth credentials in the header, but had
> no success.
>
> any solution providing protection for my downloadable files, working in
> all browsers would be a charm.
>
> thanks in advance
>
> thomas
One way to do it is with Apache rewrite. When the user logs in, the PHP
script adds an entry to a rewrite map, with the user's session id
pointing to his user name. When the user tries to access a file in
his folder, mod_rewrite would get the user's session id from the
cookie, then check to see if there is a matching entry in the rewrite map. If it
exists, it rewrites the url to the private folder, using the user name
from the map. If not, it sends the user to a page showing an error
message.
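
The rewrite-map approach from the reply above, written out as an Apache configuration. This is an added example, not part of the original thread. The map path, the /files/ URL prefix, the /srv/userfiles storage directory and the error-page name are assumptions; PHPSESSID is PHP's default session cookie name.

```apache
# Apache 2.4, server or virtual-host context (RewriteMap is not valid in .htaccess).
RewriteEngine On

# Text map written by the PHP login script, one "<session id> <user name>" pair
# per line. Assumed path; keep it outside the document root and readable only by
# Apache and the script, since it holds live session ids. The script must also
# remove a user's line at logout or session expiry.
RewriteMap sessmap "txt:/srv/auth/session-users.map"

# 1. Take the session id from PHP's default session cookie (captured as %1).
RewriteCond %{HTTP_COOKIE} (?:^|;\s*)PHPSESSID=([A-Za-z0-9,-]+)
# 2. Look it up. An unknown id expands to an empty string and fails the match;
#    a known id yields the user name, which replaces %1. The strict character
#    class keeps a bad map entry from injecting "/" or ".." into the path.
RewriteCond ${sessmap:%1} ^([A-Za-z0-9_-]+)$
# 3. Serve /files/<name> from that user's folder. /srv/userfiles is an assumed
#    location outside the document root, so no URL reaches it without the map.
RewriteRule ^/files/([^/]+)$ /srv/userfiles/%1/$1 [L]

# No cookie or no map entry: show the error page (hypothetical script name).
RewriteRule ^/files/ /not-logged-in.php [L]

<Directory "/srv/userfiles">
    Require all granted
</Directory>
```

Every user requests the same /files/ URLs, so no link reveals another user's name or directory, and no credentials appear in a URL.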