Old:Basic authentication and redirection
Power of htaccess and mod rewrite - 3.5-Apollo |
This write-up looks at extending Apache’s basic authentication allowing users to log-in to individual pages or folders. Each user is allocated a unique name and password, users are validated using Apache’s basic authentication once logged in are redirected using mod rewrite to the appropriate page or folder .
Private page
Apache's basic authentication is not very flexible however you can bend it a little using mod rewrite and create something usful without the need for any scripting such as PHP or Perl.
You must use a secured server so name/password pair and personal data on a page are encrypted. That said you can test on a standard Uniform Server installation.
This solution uses only a .htacces file with mode-rewrite performing the redirection this example demonstrates the concept.
- I have created a folder named secure in the root folder www.
- Folder secure contains John.html, Dave.html and Mike.html these are the personal data pages.
- This folder also contains an index.html page which states something like “you need to login” its a default should the login fail.
- My main index page in the root folder www contains the following link:
<a href="secure/index.html">Secure login</a>
When clicked takes me to the protected folder. - Open the file .htpasswd located in folder *\Uniform Server\udrive\htpasswd\www delete its content and add name/password pairs e.g
John:21 Dave Smith:22 Mike:23
Use real passwords e.g Mst23Xfrs (21,22,23 makes it easier to test).
Note: You can use spaces in the name.
- Copy .htaccess from the root folder www to folder secure (this saves the pain of creating one) once copied open the file delete its contents and add the following:
AuthUserFile /htpasswd/www/.htpasswd Require valid-user Options +FollowSymLinks #Options +Indexes RewriteEngine On RewriteBase / RewriteCond $1 !^John\.html RewriteCond %{REMOTE_user} ^John$ RewriteRule (.*) /secure/John.html [R,L] RewriteCond $1 !^Dave\.html RewriteCond %{REMOTE_user} ^Dave\ Smith$ RewriteRule (.*) /secure/Dave.html [R,L] RewriteCond $1 !^Mike\.html RewriteCond %{REMOTE_user} ^Mike$ RewriteRule (.*) /secure/Mike.html [R,L]
- Each page to be protected requires three lines:
- After a mod rewrite the URL is passed to the rewrite engine and reprocessed. To prevent an infinite loop the first line tests for an individual file, if present it means the URL was processed and the rewrite engine should now perform the actual rewrite.
- The second line checks user name (all names must be unique, limitation of using this method, a user will have been validated with password however this is not accessible by the rewrite engine hence redirection on name only.) If this is valid the rewrite rule will be executed.
- Third line accepts any uri and maps it to a single page. [R,L] R informs a browser this is a redirect (updates the address bar to display new page) L last rule no need to process any others.
- If for whatever reason no match is found it drops out of this and picks up the index page.
Note 1: The space between Dave Smith needs to be escaped using a backslash “\ “ (without the quotes)
Note 2: You will need to restart your browser to re-login.
I stress the need for encryption because when using http, name/password is sent in plain text.
Private folder
This page is a DRAFT hence locked.
If I have time will be complete by the weekend!!!
xxxxxxxxxxxxxx
Ric