try this

[php.net...]

Yes, I have that problem too. I have never solved it either. If you prompt for a password with PHP and then with htaccess you would think they could share the same login info and not double prompt.

I suspect if the realm is the same the username and password that is already entered will get passed to the second one. But I have yet to get this to work.

If anyone has this working let us in on the trick.

I force a login to a directory with no .htaccess file like so

if (!in_array($PHP_AUTH_USER, $authorized) && !in_array($PHP_AUTH_PASS, $authorized))
{
$error_msg = "<html><head><title>No permission to access resource</title></head><body>Sorry, your userid has no permission to access this resource.</body></html>";
Header ('WWW-authenticate: basic realm="Restricted Access"');
Header ("HTTP/1.0 401 Unauthorized");
echo $error_msg;
exit;
}
this draws on an array but could just as easily have loaded said array from a DB. When I have logged in as such and switch to a different directory with an .htaccess file i am not required to relogin. I am not really sure if this is what you mean or not.

If you prompt for a password with PHP and then with htaccess you would think they could share the same login info and not double prompt

I'm rather a beginner (so lots of things that I think are impossible are possible and vice-versa), but I wouldn't think this would be true. My reasoning is as follows:

PHP has no way (that I know of) to get access to the authentication information requested by the server and no way to check the .htpass file.

On the other hand, the .htaccess/.htpass files have no way of checking your database.

I think the first poster is right - you need to skip the .htaccess file and use just PHP authentication. If you then add in server authentication, you then have a double layer of security.

Tom

Reply to the original poster...

There are many ways to do this thing. First of all, you can use a different basic authentication method than using .htpassword lookup, if you are lucky enough to use Apache as the back-end. There are tons of mod_auth modules that can authenticate the users against PAM, database tables, Kerberos, external program, etc. You can basically set up your .htaccess to authenticate against your DB, where the username+password is stored.

You should also be able to obtain the username, if he/she has been authenticated by the .htaccess/.htpassword, from your PHP scripts. You should be able to get this information from your environment variable. Try something like $HTTP_SERVER_VARS['REMOTE_USER']. After you have retrieved the username, you can also use that information to check against your own DB, so that you don't need to authenticate the users twice.

Thanks for your responses but I think some of you may be getting the wrong end of the stick. I'll try and explain better:

1.
I use Urchin for producing traffic reports for my customers. Currently they log in at a specific URL which as protected using .htaccess. Since this is an integral part of the software, I am NOT going to try and alter that in any way, since it would probably void any warranty etc.

2.
I'm developing a customer-only site where they can view various bits of information. Access to this area is protected by a PHP/MySQL log in. The database contains exactly the same username and passwords as used in the Urchin .htaccess and .htpasswd files. I did this in the hope that once they were logged into this area, when they clicked on a link to view their urchin stats they would not need to log in again.

So what I want to do in essence, is tell Urchin that the user is already logged in, and here are their log in details, so don't ask them to log in again.

Clear as mud probably!!

RFC 2617 - rfc 401 http realm [ftp.ics.uci.edu]

Have you tried to set the realm to be the same?

rycrostud,

How do you currently authenticate your users in (2)? You mentioned that you have placed the username and password in a database, but how do you actually prompt the users with authentication requests? Are you using http basic authentication (mentioned in http-auth chapter of PHP manual), or are you using a customised login form?

If you use the http basic authentication (sending back 401, etc), then as Lisa has mentioned before, you need to make sure that they are set to the same realm. However, if you are using login forms + cookie/session in your own applications, then things do get a bit trickier...

This is how my .htaccess files look

AuthType Basic
AuthName "Restricted Area"

Auth_MYSQLhost localhost
Auth_MYSQLusername root
Auth_MYSQLpassword
Auth_MYSQLdatabase members
Auth_MYSQLpwd_table users
Auth_MYSQLuid_field username
Auth_MYSQLpwd_field clearpw
Auth_MYSQL_EncryptedPasswords off

<LIMIT GET POST>
require valid-user
</LIMIT>

One simple method for passing login information to .htaccess is to pass the username and password in the URL. NOTE: The username AND password are case senstive!

[MyUsername:MyPassword@mydomain.com...]

Welcome to WmW PHPersona

just a thought, wouldn't you think putting the username and password in the url would defeat all purpose of security and possibly open up a large hole in otherwise secure areas?

I must agree. It is not the most secure method to access protected directories. But, it is a method nevertheless.

A secure way of using this method is to create temporary username/password combos in an .htaccess file for a single session pragmatically (easily done with PHP), than pass those for authentication. Delete them from the .htaccess file when the session is finished.

I, of course, would love to hear an alternative way to pass authentication to .htaccess transparently.

fair enough,

I don't think we figured anything out on this, we all seem to have our own way of working through or around it.

Don't you just hate settling though? When you know there has to be a perfect way of doing it, somewhere in the twisted code that we code?

P.S.
Thanks for the welcome. :)