[nycphp-talk] .htaccess user manager for PHP (similar to Auth Pro by cgi-city.com); mod_rewrite + PHP
Jayesh Sheth
jayeshsh at ceruleansky.com
Fri Dec 10 14:19:15 EST 2004
Hello all,
I was wondering if any of you knew of a PHP-script (either open source
or commercially-licensed) that helps one do the following:
- Password protect all files or select files in a directory using
.htaccess files
- The information in the .htaccess files will be written when the user
selects the files (or directories) to be password protected, and then
adds a username and password that correspond to those protected resources
- Some user info, such as last login date and time and email will be
stored in a MySQL database
- When the administrator adds a new user (thus allowing the new user to
access a specific directory or set of files), that user's info is stored
in the MySQL database and the username and password info is also written
to a .htaccess file. (In this case the admin either chooses a new
password for the user, or one is randomly created by the system.)
- At this time, the user is also emailed with a note saying something
like: "John has added you as a member. Your username is john at aol.com,
your password is 4rgf567u. Log-in at http://www.somewebsite.com "
- An access log should be available, showing who logged in last and when
- Users should be able to add short notes to a guestbook that is visible
to other users
This system should also be able to work with an existing website that is
full of static .html files. The reason .htaccess seems the best tool for
this job is that the potential client already has a boat-load of static
content that is to be protected.
Finally, since the potential client is on a tight budget, the only
option seems to be to buy a PHP script that does all of this and
customize the script as necessary for the client. This will take much
less time than writing it from scratch, and thus fit into this person's
budget. I don't mind writing this from scratch (in which case I would
use the htaccess class from pear.php.net ) - but the thing is writing it
from scratch takes longer than just installing and customizing an
existing script.
I came across the following product from cgi-city.com:
http://www.cgi-city.com/authpro/demo.shtml
It is written in Perl, though, which is a bit denser than PHP, and a bit
harder to work with (my opinion only).
Additionally, it is simply TOO feature rich, and the potential client
will likely not have a clue as to how to use it.
Does anyone have any suggestions on how to proceed, or can anyone
suggest an appropriate third-party script?
I searched sourceforge for "htaccess" and came up with a few things, but
I am not sure those scripts are good or easily customizable. If it is a
commercial script, I could only use it if the source code is not encoded
(i.e. is modifiable, even if I am not allowed to redistribute it.)
Another easier idea occurred to me, but it involved mod_rewrite. I have
not used mod_rewrite before, but I have read about it. If anyone can
help me with the following mod_rewrite rule, I would be most grateful.
Here's the idea:
- Suppose the client's website is www.abc123.com
- The client has files such as www.abc123.com/one.html and
www.abc123.com/two.html that need to be password protected
- All current .html files are moved from the root web directory to a
sub-directory called "protected". This directory is protected by a
single set of .htaccess username and password that is only available to
the administrator
- The administrator logs into the control panel and whitelists all files
or selected files from the "protected" directory to be
processed/included later (by mod_rewrite and a PHP script). This
whitelist info is stored in a MySQL table
- A mod_rewrite rule is written to say the following: all .html files
accessed from www.abc123.com are rerouted to the following file for
processing: www.abc123.com/load.php?page=chosenpage.html
- The load.php page checks to see if the requested file exists in the
MySQL file whitelist.
- If a user is logged-in, it includes the file. If not, it prompts the
user to log-in.
- The log-in is performed using the PEAR Auth class. The username and
password info (along with user email and last login info) is stored in a
MySQL table.
The advantage of this approach is that one is not dealing with messy
.htaccess files. Additionally, there is no duplication of username and
password data as in the previous case - where the username and password
were being stored both in .htaccess files and in a MySQL database. Thus
all info is in a MySQL database, and works with existing static files.
The user can continue to use Frontpage (or whatever) to modify static
files, and simply upload them to the "protected" directory.
Does anyone know of a mod_rewrite rule to do the rewriting described in
step 5 above?
Maybe this second method is more complicated, but I am interested in
hearing feedback.
Thanks in advance,
- Jay
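
The rewrite rule and the load.php whitelist check described in the message above, as an added example that is not part of the original post. The session key `user`, the `/login.php` URL and the hard-coded whitelist are assumptions standing in for the PEAR Auth login and the MySQL whitelist table; `readfile()` is used instead of `include` so that uploaded static files are never executed as PHP.

```php
<?php
// Added example, not code from the original post.
// .htaccess in the web root (mod_rewrite, per-directory context):
//   RewriteEngine On
//   RewriteRule ^([A-Za-z0-9_-]+\.html)$ load.php?page=$1 [L]
// No QSA flag: with QSA a client-supplied "?page=..." would be appended
// after ours, and PHP keeps the last duplicate key in $_GET.
// load.php is still reachable directly, so it validates "page" itself.

/**
 * Map a requested page name to a file inside $protectedDir.
 * Returns the resolved path, or null if the request must be refused.
 */
function resolve_protected_page($page, array $whitelist, $protectedDir)
{
    // A bare file name only: no slashes, no "..", no trailing newline.
    if (!is_string($page) || !preg_match('/\A[A-Za-z0-9_-]+\.html\z/', $page)) {
        return null;
    }
    // Strict comparison against the administrator's whitelist.
    if (!in_array($page, $whitelist, true)) {
        return null;
    }
    // Resolve symlinks and confirm the file really lives in the directory.
    $base = realpath($protectedDir);
    $path = realpath($protectedDir . '/' . $page);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

if (PHP_SAPI !== 'cli') {
    session_start();
    // Constructed sample; in the described design this comes from MySQL.
    $whitelist = array('one.html', 'two.html');
    $page = isset($_GET['page']) ? $_GET['page'] : null;
    $file = resolve_protected_page($page, $whitelist, __DIR__ . '/protected');
    if ($file === null) {
        http_response_code(404);   // same answer for "missing" and "not listed"
        exit('Not found');
    }
    if (empty($_SESSION['user'])) { // hypothetical key set by the login page
        header('Location: /login.php');
        exit;
    }
    header('Content-Type: text/html');
    readfile($file);                // send bytes as-is; never include()
}
```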