Password directory login
Junior Member
Join Date: Apr 2003
Location: nyc
I currently have a series of password-protected extranet pages set up for my clients using htaccess. But I am wondering if I can simplify the login by sending all of them through one login page. When they put their username and password into the form, it would take them to their individual directory based on what username they input (I would probably use the directory name as the username).
For example, on the login page (www.sample.com/login.htm) if they input "bob" into the username field and the correct password, they are taken to www.sample.com/bob/ but if they input "jane" into the username field and the correct password, they are taken to www.sample.com/jane/
Is this possible? Difficult to implement?
Thanks for your help!
Mac Elite
Join Date: Mar 2003
Are you able to run Perl or PHP scripts with MySQL?
Have you thought about using a script and database to handle this instead of htaccess and htpasswd? There are a few out-of-the-box open source solutions at sites like www.hotscripts.com that use PHP or Perl and a database to do what you want pretty easily.
Senior User
Join Date: Mar 2002
Location: Chicago, IL
Very possible, very doable. Basically, the client accesses a page where they log in, and this data is submitted to a script that checks their username/password against the ones stored in the database. Based on this matching, that client's directory path is retrieved from the database, and an HTTP redirect header is sent to the user's browser. Each user's pages will need to have a PHP include statement that loads the auth code, or else anyone will be able to access the files by simply knowing the URL. For this you will end up using cookies most likely. You could also use sessions if you are careful.
Using the username as the directory makes this a little simpler, but not much.
There are probably existing solutions that would do this, as Truepop said.
We need less Democrats and Republicans, and more people that think for themselves.
infinite expanse
Mac Elite
Join Date: Oct 2000
If I recall, maintaining sessions, which seems to be what you're trying to do, was rather annoying to do securely, as I remember it from a book I had read. But a pre-made script would probably work well.
Occasionally Useful
Join Date: Jun 2001
Location: Liverpool, UK
If you have PHP, MySQL & Dreamweaver, you can do it yourself in a few clicks. Check out the User Authentication server behaviour.
(apologies to larkost for mentioning MySQL, and not telling the poster to learn Oracle)
"Have sharp knives. Be creative. Cook to music" ~ maxelson
Mac Elite
Join Date: Oct 1999
Location: San Jose, Ca
If the number of users is small, I think that the original poster had a good idea with using htaccess and directory names that match the user name. There doesn't seem to be any need for a database, unless you start to get very large, and want to have names that don't match directories (like multiple logins to the same directory).
You can leave your htaccess in place, and simply add a re-write rule after the htpasswd part. I have not tested this, but it would probably look like:
Code:
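RewriteEngine on
# Adjust to the URL path of the protected site root
RewriteBase /virtual/path/to/site/root/
# Prefix every request with the authenticated user's name
RewriteRule ^(.*) %{REMOTE_USER}/$1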
philzilla: you still aren't funny.
Junior Member
Join Date: Apr 2003
Location: nyc
Okay, sorry for the delay, I had left this thread for dead after no responses for a week.
Anyway, I'd rather do it without a database, if possible. So, I'm curious about your solution, larkost. I leave the htaccess in the protected directory, yes? What do I put in the username/password form page; i.e., how does it know which directory to go to based on the username?
Any explanation would be helpful, I'm a lightweight, coding-wise.
Thanks!
Mac Elite
Join Date: Oct 1999
Location: San Jose, Ca
The magic of the solution I proposed is that once the user is authenticated via HTTP authentication, his/her user name is available to anything that uses the Apache API, and that includes the rewrite engine. So, if you are going to use the usernames in your htpasswd file as the directories that you want people taken to, then you let the rewrite engine do the work for you. Whenever someone logs on, they are taken straight to the directory. They don't actually see this, as it is all handled in the background by Apache.
Here is a quick sample I whipped up that I think is pretty secure:
Code:
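# HTTP Basic authentication against the htpasswd file
AuthUserFile /Library/WebServer/Documents/passwordtest/.htpasswd
AuthName "password test"
AuthType Basic
require valid-user
RewriteEngine on
RewriteBase /passwordtest/
# Requests not already under users/ are mapped into the authenticated user's folder
RewriteCond %{REQUEST_URI} !^/passwordtest/users/
RewriteRule ^(.*) users/%{REMOTE_USER}/$1
# A request for the bare users/ folder is rewritten to "." relative to RewriteBase
RewriteCond %{REQUEST_URI} ^/passwordtest/users/$
RewriteRule (.*) .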
There are a few things you would have to change to make this work on your system:
I have the .htpasswd file in the same directory; this is generally not a good idea. You can put it anywhere you want, you just have to adjust the path.
I named the directory passwordtest; you would need to change all instances of this for your own uses.
You have to have a "users" folder inside the main directory, and a folder for each user inside this. The users folder is needed due to a limitation in the RewriteCond code.
You would probably want to change the AuthName to something better.
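Added example, not part of the original post or thread: the rules above skip the rewrite for any path already under users/ and never compare that folder name with the authenticated user, so a direct request into another user's folder is checked only by `require valid-user`. The Python below scans access-log lines for such requests; the Common Log Format layout and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumptions: Common Log Format (host ident authuser [time] "request" status bytes)
# and the /passwordtest/users/<name>/ layout used in the post above.
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
USERS_PREFIX = "/passwordtest/users/"

def requested_owner(target):
    """Return the user folder a request path points into, or None."""
    path = unquote(target.split("?", 1)[0])
    parts = []
    for seg in path.split("/"):  # resolve //, . and .. before comparing
        if seg == "..":
            parts = parts[:-1]
        elif seg not in ("", "."):
            parts.append(seg)
    norm = "/" + "/".join(parts) + "/"
    if not norm.startswith(USERS_PREFIX):
        return None
    return norm[len(USERS_PREFIX):].split("/", 1)[0] or None

def cross_user_requests(lines):
    """Return (user, owner, target, status) for requests into another user's folder."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m or m["user"] == "-":
            continue  # unparseable line, or unauthenticated (e.g. the initial 401)
        owner = requested_owner(m["target"])
        if owner is not None and owner != m["user"]:
            findings.append((m["user"], owner, m["target"], int(m["status"])))
    return findings

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/May/2003:10:01:00 -0400] "GET /passwordtest/ HTTP/1.1" 401 401',
    '192.0.2.10 - bob [12/May/2003:10:01:05 -0400] "GET /passwordtest/index.html HTTP/1.1" 200 1432',
    '192.0.2.10 - bob [12/May/2003:10:02:11 -0400] "GET /passwordtest/users/bob/notes.txt HTTP/1.1" 200 88',
    '192.0.2.10 - bob [12/May/2003:10:03:40 -0400] "GET /passwordtest/users/jane/report.pdf HTTP/1.1" 200 20480',
    '198.51.100.7 - jane [12/May/2003:10:05:02 -0400] "GET /passwordtest/users//bob/notes.txt?x=1 HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for user, owner, target, status in cross_user_requests(SAMPLE_LOG):
        print(f"{user} requested {owner}'s folder: {target} -> {status}")
```

Placing `require user <name>` in an .htaccess inside each user's folder enforces the match at the server rather than only detecting mismatches afterwards.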
Junior Member
Join Date: Apr 2003
Location: nyc
Thanks for your help, larkost. And how do I code the login form to handle the username/password info to allow them to log in?
Sorry if this is an elementary question.
Mac Elite
Join Date: Oct 1999
Location: San Jose, Ca
There is no form. If you just set it up as I have described, a window will pop up and ask for it.
Junior Member
Join Date: Apr 2003
Location: nyc
Sorry if I wasn't clear. As I had noted in my original post, I was hoping to have all users go through the same login page, as opposed to the standard popup window. A little more elegant in my opinion, but not necessary.
I'll give it a try as you described.
Thanks!
Mac Elite
Join Date: Oct 1999
Location: San Jose, Ca
It is possible to do this through some sort of scripted page (PHP, CGI, ASP, etc.) but you are not going to get away with as few lines as the method I outlined. Unfortunately I don't know any way of mixing true HTTP authentication with in-page systems (well... not in this direction, the other way is easy).