TL;DR is there some way to set the REMOTE_USER variable when bypassing .htaccess login?
I have a login and authentication system running in php on my website. In order to control access to a subdirectory I would like to use http basic auth with .htaccess (I am somewhat limited in my options here because of what my shared hosting instance offers). This answer worked for me for allowing the visitor logged-in with php to avoid having to enter login information a second time in a basic auth dialog.
Bypass .htaccess login when user has a specific cookie SetEnvIf
But I am struggling with one issue now:
The above method works, but htaccess doesn't seem to know the visitor's username. In an ordinary htaccess login, htaccess would set the REMOTE_USER variable upon login.
Is there an alternative way I make htaccess retrieve the username of the php user and so set the REMOTE_USER variable (maybe using a second cookie)? I need this because after auth the visitor should pass through to a mediawiki site.
Here's another question that goes in the direction of what I am trying to solve:
How do I make a PHP variable accessible to .htaccess?
In the case described at the link above, answers suggest making a php variable accessible to htaccess is not possible, because the php and .htaccess are in the same directory. In my case, the .htaccess concerned is in a subdirectory to which the visitor navigates after the php log in. Is it then possible to have the REMOTE_USER set, e.g., on the basis of $_SERVER['REMOTE_USER'] that is set by php?
Related
With my current PHP knowledge, I know how to create a subdomain automatically via Plesk api when a user is created on my site. I can then redirect the user.example.com to example.com/user via htaccess.
My question that I cannot figure out how to do, is how to redirect but also keep user.example.com in the navigation bar, not the example.com/user ?
I own a dedicated hosting environment so I have access to change pretty much any setting that I like.
Here are some suggestions:
Don't use .htaccess for this. A very common use of .htaccess is to redirect all requests to a central file (generally index.php).
In order to allow dynamic subdomains you need to make sure your virtual host is configured properly for that.
And in order to redirect to the subdomain url you can use the built-in php function header.
Example:
header('Location: '.$subdomainUrl);
we are running an online portal which is available via different domains (e.g. example.de, example.at, example.ch) as well as variations of it (e.g. exam-ple.de) and payment for all countries is done via secure.example.com, so it is not possible to access cookies on secure.example.com which were set on example.de.
First question (not directly refering to cookies):
Is it possible to forward a user from exam-ple.de to example.de without loosing the referer information? Maybe with .htaccess?
Second question:
Is it "dirty" to store all cookie names in a configuration file and then pass all cookies via GET everytime the user gets forwarded to another domain name and reset the cookies? I can only think of this one solution to make cookies available on different domains... Or does anyone has a better solution for the problem?
Best regards,
Freddy
To answer your first question, assuming that you are using apache2 as the web server (you told about .htaccess) , I would suggest using mod_rewrite for redirecting the urls to a different domain. When using mod_rewrite you are enabled to set cookies
Also you can create a php script that forwards to your domains and sets the cookies. It might be called like www.yourdomain.com/forward.php?target=at&....
I'd like to have logged in users access to certain directories only. For example, have the following directory structure:
/stuff/user-a/pic.jpg
/stuff/user-b/file.doc
I'd like Apache to only give user-a access to /stuff/user-a and give a 403 if he tries to reach /stuff/user-b
Now, I've been reading and it seems to be possible to do this with REMOTE_USER and mod_rewrite. Which will make it even better, as i could rewrite it as /stuff -> /stuff/$REMOTE_USER
The problem is, I don't want the ugly browser popup. My PHP application already has a login form and a session. From what I've been reading, it is possible to use basic HTTP authentication as an auth method for PHP (to login as http://user:pass#stackoverflow.com). But the opposite (passing a web form to the HTTP authentication) doesn't seem to be possible.
I would also like to avoid using something as mod_xsendfile, as I'd rather not use any "proxy" scripts to handle this, and let Apache take care of access.
I'm trying to create an UnderConstruction page for my new site.
I would like to retain all the core files (files that are part of the site) without modification while I try to implement this. This includes leaving the index.php intact.
Currently, I have an .htaccess setup to authenticate on any access to the site.
I want to redirect any user accessing any page (at least the index.php) to an UnderConstruction page and then leave a link there which my dev team could use to authenticate themselves and continue using the site as usual.
But in order to leave the core files intact, I would have to initiate the htaccess type authentication & then in index.php (assuming that index.php is excluded from the cuth) check the auth status.
I tried to play around with $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] but these (as I understand) requires me to manually implement the authentication scheme (ie checking against a list of username & passwords).
I'm working on an apache with php5 on a linux server.
Any ideas?
You should just mirror the dev version of the site to a subdomain like dev.mysite.com and then keep the under construction stuff on the main domain. This way you can secure the dev domain and still keep your under construction page going and the two will be isolated.
put this on htacces for each file u wanna lock
Redirect /file.extension http://www.uroot.com/index.php
I am working on a project using zend framework, php, mysql on ubuntu.
I have created hostname test.dev on my local machine and using zend authentication. When an user is authenticated using zend authentication, I set session variable for logged in user id. I use this session variable(userid) on different pages to sure authentication.
Question:
Now I have to create a subdomain. I have created a new hostname mypage.test.dev on my local machine. Both hostnames are pointing to same directory, for example /var/www/test/public. But when I login on test.dev, I have to login again on subdomain mypage.test.dev. Even session variables of test.dev are not accessable on mypage.test.dev.
How can I login on all subdomains using one login?
Thanks.
Session variables are stored specific to each specific domain address. And so if a website is coded poorly and you login to http://mydomain.com and then later access the site as http://www.mydomain.com, you will encounter the same error.
One possible solution to this is to setup a webservice that allows you to access the other domain and retrieve any stored session variables as well as authenticate the user. So for example, if I login to test.dev and then later go to mypage.test.dev, a call will be issued to test.dev/auth-service/ by mypage.test.dev to authenticate the user and if it is successful, then return all stored session variables so that they can be stored by mypage.test.dev.
Perhaps a cleaner approach would be to always access session data only from one domain or the other and to always access it strictly through the web service so that the interface to session data remains consistent across both sites. This does present a possible performance though since it is obviously faster to simply access session directly rather than through a web service.
You are looking for this:
http://blog.pracucci.com/2008/09/24/zend-framework-and-session-cookies-across-subdomains/
After some time I have got my solution.
I added following line into config.ini
session.cookie_domain = .test.dev
then added the following line into Bootstrap.php
Zend_Session::setOptions( $this->getOption('session') );
and session variables are working for all subdomains of test.dev