如何失败的尝试htaccess的密码保护目录 [英] How about failed attempts for htaccess password protected directories

问题描述

此问题涉及到一个<一个href="http://stackoverflow.com/questions/3177122/recording-logins-for-password-protected-directories">$p$pvious问题我问，但它是一个不同。

This question is related to a previous question I asked, but it's a different.

我使用htaccess的控制登录 http://somesite.com/folder 。

I'm using htaccess to control login to http://somesite.com/folder.

登录后，我有PHP的code。在文件夹/的index.php 来检查用于登录的用户名和密码： $ _ SERVER ['PHP_AUTH_USER'] 和 $ _ SERVER ['PHP_AUTH_PW'] 。我登录的信息到数据库。

Once logged in, I have php code in folder/index.php to check the username and password used to login: $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']. I log that info to a database.

这工作时，用户提供了良好的用户名和密码，但是当它是不正确，没有任何反应 - 我想，因为的index.php 永远达不到。

This works when the user supplies a good username and password, but when it's incorrect, nothing happens - I suppose because /index.php is never reached.

有没有办法登陆后还失败的登录尝试？

Is there a way to login also failed login attempts?

推荐答案

有一个简单的方法来做到这一点。在你的.htaccess，添加

EDIT

There's a simple way to do it. In your .htaccess, add

ErrorDocument 401 /path/to/log.php

本 log.php 当登录尝试失败，然后调用（你可以把它保护的目录后面还有，它会即使登录失败到达） 。请注意，浏览器不知道的一些资源是否需要身份验证，因此您总能获得一个命中的第一次尝试。这些尝试，但不会包含任何用户名，您可以检测到它们（当然，你可以当用户输入任何用户名的区分开来，但你的想法）通过检查 $ _ SERVER ['PHP_AUTH_USER '] 是空的。

This log.php is then called when a login attempt fails (you can put it behind the protected directory as well, it will be reached even though the login fails). Note that the browser doesn't know whether some resource needs authentication, so you'll always get a hit for the first attempt. These attempts, however, will not include any username and you can detect them (well, you can distinguish them from when the user enters no username, but you get the idea) by checking whether $_SERVER['PHP_AUTH_USER'] is empty.

哦，不，正如你所说的的index.php 永远也无法达到。

Well, no, as you say /index.php is never reached.

你可以做的就是不要依赖于Apache的所有，只用PHP处理验证。这手册页告诉您如何。这有一个很大的缺点。比方说，你保护整个目录。这个目录有PHP文件，图像和诸如此类的东西。现在，强制执行身份验证，必须航线都通过一个PHP文件。如果你有PHP文件，你可以用一个包含做到这一点。如果你有静态的满足，你必须通过读取并输出静态内容，这会伤害性能PHP文件重写规则路线。

What you can do is not to rely on Apache at all and handle the authentication only with PHP. This manual page shows you how. This has a big disadvantage. Let's say you protected an entire directory. This directory has PHP files, images and whatnot. Now, to enforce the authentication, you must route everything through a PHP file. If you had only PHP files, you could do it with an include. If you have static contented, you must route it with a rewrite-rule through a PHP files that reads and outputs the static content, which will hurt the performance.

这篇关于如何失败的尝试htaccess的密码保护目录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！