PHP和.htaccess身份验证解决方案 [英] PHP and .htaccess authentication solution
问题描述
这里是布局:
web root
- admin (dir)
- index.php
- js
- img
- other files / dirs
- dir
- files
直到现在,我都使用.htaccess passwd保护了管理员目录,因为我想对该目录中的所有文件(包括js脚本,jpg,pdf等)进行完全访问控制。另一方面,我的自定义CMS使用PHP会话/ cookie为其他URL提供身份验证。我要完成的工作是对受.htaccess保护的目录使用相同的PHP身份验证,避免为已经经过PHP身份验证的用户弹出弹出的用户名/密码提示。总结:
Until now, I protected the admin dir with .htaccess passwd because I want full access control for all files in that dir (including js scripts, jpg, pdf etc). On the other hand, my custom CMS provides authentication using PHP sesssion / cookie for other URLs. What I want to accomplish is to use the same PHP authentication for the .htaccess protected dir, avoiding the popup prompt for user / password for already PHP authenticated users. In summary:
- 我希望管理员目录使用.htaccess规则进行身份验证
- 如果用户已经使用PHP进行了身份验证(以HTML格式登录,位于不受保护的文件上),在访问管理员目录内容时绕过第二个.htaccess身份验证过程。
- 如果非PHP经过身份验证的用户尝试访问管理目录中的内容,应该触发HTTP身份验证弹出窗口
我读过的大多数内容建议将管理目录移到Web根目录之外,并使用readfile从PHP脚本访问文件,我不想这样做。该目录上有动态内容,也有静态内容。我知道apache会在加载任何资源之前触发auth弹出窗口,因此问题是如何使apache知道用户已通过身份验证。还有其他建议/解决方法吗?
Most of the stuff that I've read suggest to move the admin dir outside the web root and access the files from a PHP script with readfile, which I don't want to do. There's dynamic content on that dir, as well as static. I know that apache will trigger the auth popup before loading any resources so the question is how to make apache aware that the user is already authenticated. Any other suggestion / workaround?
推荐答案
您可以使用 SetEnvIf 变量在.htaccess文件中检查是否设置了某个Cookie值。例如(这不是很安全,但是仅用于说明):
You can use the SetEnvIf variable in the .htaccess file to check if a certain Cookie value is set. For example (this isn't very secure, but just for illustration):
AuthType Basic
AuthName "Protected Login"
AuthUserFile "/path/to/.htpasswd"
AuthGroupFile "/dev/null"
SetEnvIf Cookie PHPSESSID=.* PASS=1
Order deny,allow
Deny from all
Allow from env=PASS
Require valid-user
Satisfy any
SetEnvIf Cookie PHPSESSID =。* PASS = 1 行检查是否设置了带有PHP会话ID的Cookie,如果足够,则足以满足的身份验证过程和 env = PASS允许允许,如果为true,则跳过登录提示。
The line SetEnvIf Cookie PHPSESSID=.* PASS=1 checks if a Cookie is set with a PHP session id and if so, that is enough to Satisfy the authentication process and the Allow from env=PASS makes it skip the login prompt if this is true.
同样,此示例也不是很安全,因为在未成功调用 session_start()时已经设置了PHP会话cookie身份验证尝试,因此最好设置一个难以猜测的更隐秘/随机的cookie值。例如:
Again, this example is not very safe as a PHP session cookie is already set when session_start() is called without a succesful authentication attempt, so it would be better to set a more cryptical/random cookie value that's hard to guess. For example:
SetEnvIf Cookie AJNC3Z921dmc4O8P2 PASS=1
这样,如果通过PHP成功进行身份验证后,将Cookie值设置为 AJNC3Z921dmc4O8P2 ,则足以通过身份验证处理。请确保设置适当的Cookie过期时间,以免人们长时间无法通过登录提示。
That way, if you set a cookie value of AJNC3Z921dmc4O8P2 upon succesful authentication through PHP, this will be enough to pass the authentication process. Make sure to set a proper cookie expiration time though to avoid people from being able to pass the login prompt for a prolonged period.
这篇关于PHP和.htaccess身份验证解决方案的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
