hiding .htpasswd access from users?

Forum Moderators: coopster

Message Too Old, No Replies

hiding .htpasswd access from users?

Access files in a secure directory without typing in a second password?

andyd273

7:30 pm on Jun 10, 2005 (gmt 0)

I have a directoy that is secured with .htaccess and .htpassword. The directory should only be accessed by registered users which are already logged in using mysql/php.

The directory will only contain a bunch of pdf files, but I dont want people that arent logged in to see the pdf files, and I dont want to enter 3000 users into the htpassword directory, and I dont really want the people that already logged in to have to log into the secure directory again.

My ideal sollution would be to have the user click on the link for the file they want to see, and have the PHP file enter the username and password of the secured directory, and open the file for the user so they dont even have to know that its secure. that way any user can look at the file, but if someone just tries to type in the direct address of the file, they'll get a password prompt.

Any ideas? Is this possible?

Andy

coopster

12:15 am on Jun 11, 2005 (gmt 0)

Welcome to WebmasterWorld, andyd273.

Yes, it is possible, but I have never done it that way myself. I would keep the documents below the document root and if a user requests one of the docs you would authenticate them using your current database/authentication setup, read the file into a string variable, then push your own headers and the file down to their browser.

andyd273

1:19 pm on Jun 13, 2005 (gmt 0)

yeah, that sounds complicated too... any idea where I can look to find out how to convert from a pdf to a string and then back to a pdf? or at least something that acrobat can read?

or if anyone can give me any hints on how to do it the .htaccess/htpasswd way that would be cool to.

I dont really care how it ends up working, as long as it works :)

[edited by: andyd273 at 1:26 pm (utc) on June 13, 2005]

coopster

1:20 pm on Jun 13, 2005 (gmt 0)

PHP Filesystem manual pages, the readfile() [php.net] function works well for this.

andyd273

5:15 pm on Jun 13, 2005 (gmt 0)

hmm, ok that kinda worked.
when I put the get file stuff into a php document by itself it worked great, but when I tried to put it into the normal page it echoed the file into the browser instead of asking if I wanted to download the file.

<?
echo "<html><head><title>Newsletter Archive</title></head><body>";
include_once("include/session.php");
if(!$session->logged_in){
header("Location: main.php");
}
else{
if($filename){getFile($filename);}
?>

Welcome to the Newsletter Archive.<br>
More Coming soon!<br>
<p>
<script>
function input(){
document.archive.filename.value="GMPP_Letter_10-7-2004.pdf";
document.archive.submit();
}
</script>
<form action="archive.php" id="archive" name="archive" method="post">
<input type="hidden" name="filename" id="filename">
<ul>
<li><a href="javascript:input()">GMPP Letter 10-7-2004</a></li>
</ul>
</form>
</p>

<?
}
function getFile($theFile){
header ("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header ("Content-Type: application/pdf");
header ("Content-Length: " . filesize($theFile));
header ("Content-Disposition: attachment; filename=$theFileName");
readfile($theFile);
}
echo "</body></html>";
?>

andyd273

6:27 pm on Jun 13, 2005 (gmt 0)

ok, I played around with it, and got it to work:

but now when it prompts to open, it always gives the file name as archive.pdf (archive.php is the name of the php file). is there a way to make it give the real file name for the pdf that it is opening?

<?
if($filename){
$path = "../../nlArchive/";
$theFile = $filename;
header ("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header ("Content-Type: application/pdf");
header ("Content-Length: " . filesize($theFile));
header ("Content-Disposition: attachment; filename=$theFileName");
readfile($path.$theFile);
}
else{
include("include/session.php");
if(!$session->logged_in){
header("Location: main.php");
}
else{
echo "<html><head><title>Newsletter Archive</title></head><body>";
?>

<?
echo "</body></html>";
}
}
?>

andyd273

2:52 pm on Jun 14, 2005 (gmt 0)

never mind, figured it out:

header ("Content-Disposition: attachment; filename=$filename");

coopster

5:53 pm on Jun 14, 2005 (gmt 0)

Yep, that's it. Until MS IE comes along. Were you able to get MS IE to retain that filename for you? I've had issues with it in the past (over SSL at least). There are a ton of known issues when it comes to IE and SSL/PDF work. I'll be interested if you were able to get MS IE to retain the filename.

andyd273

7:24 pm on Jun 14, 2005 (gmt 0)

it seems to be working fine.
I click the link for the file that I want to open, and it comes up with the right file name. I kind of trick it into picking the right name though. I found the readdir function, and so I have it automatically search through the directory and get all of the file names, add them to the list automatically, and set the filename when a link is clicked.
here is my final verion (for now anyway). tested in IE and FireFox

<?
if($filename){
$path = "../../nlArchive/";
$theFile = $filename;
header("filename=\"$filename\"");
header ("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header ("Content-Type: application/pdf");
header ("Content-Length: " . filesize($theFile));
header ("Content-Disposition: attachment; filename=$filename");
readfile($path.$theFile);
}
else{
include("include/session.php");
if(!$session->logged_in){
header("Location: main.php");
}
else{
echo "<html><head><title>Newsletter Archive</title></head><body background='../Images/bg.jpg'>";
include("include/header.php");
echo '<div id="Body" style="position:absolute; width:461px; height:392px; z-index:0; left: 306px; top: 160px; overflow: auto; overflow-x: hidden" class="bodytext">';
?>

<span class="header">Welcome to the Newsletter Archive.</span><br>
<p>
Back to [<a href="main.php">Main Page</a>]
</p>
<p>
<script>
function input(filename){
document.archive.filename.value=filename;
document.archive.submit();
}
</script>
<form action="archive.php" id="archive" name="archive" method="post">
<input type="hidden" name="filename" id="filename">
<ul>
<?
if ($handle = opendir('../../nlArchive')) {
while (false!== ($file = readdir($handle))) {
if ($file!= "." && $file!= "..") {
$temp=explode(".",$file);
echo "<li><a href=\"javascript:input('$file')\" onMouseMove=\"javascript:window.defaultStatus='welcome'\" onMouseOut=\"javascript:window.defaultStatus=''\">$temp[0]</a></li>";
}
}
closedir($handle);
}

?>
</ul>
</form>
</p>
<?
echo "</body></html>";
}
}
?>

coopster

1:56 pm on Jun 15, 2005 (gmt 0)

Exactly, I had to trick it by specifying the filename in the link too, and that was the only workaround that was successful.

Every other brower behaves as it should, but MS IE ignores standards, RFC2616 to be specific. We have to make fake <a href> links in order for MS IE to act like a real browser that respects standards (if we don't, MS IE will not *use* the filename in the parmameter specified).

andyd273

9:09 pm on Jun 15, 2005 (gmt 0)

Thanks for the help and ideas. always learning

coopster

11:17 pm on Jun 15, 2005 (gmt 0)

Thanks for taking the time to work through it, hit the issues and figure out how to resolve them. And, more importantly, sharing your findings. I thought I was the only one that ran into this issue! Like you, I'm also still learning -- aren't we all! If not, you aren't pushing it far enough yet ;)