1
Mithrandir
Access Control - .htaccess?

OK, quick question for the security experts:

I will have some quite normal HTML pages, which should be shown to only one user per page (I mean - every user should have his own personal HTML page).

The page is normal HTML because they are spreadsheets made by a very non-technical person, who will have to update them in Excel, save as HTML, upload to webserver (overwriting existing file) so the user will be able to access this page after login.

Is there a way I can make the HTML page available to a visitor only if he is logged in - and then only his own personal page?

I'm thinking that this is the kind of thing that .htaccess can do - but it must be dynamic in the way that users and HTML pages can be added and removed without editing the .htaccess file. So the access restriction procedure should be able to
a) See if a user is logged in
b) Give access only to that user's HTML page in a certain directory

My experience with .htaccess is below zero, so if anyone can point me in the right direction - if it is at all possible - I would be very grateful.

2
Mithrandir
Re: Access Control - .htaccess?

Looking a bit more into things.

Should I rather focus on SSI?
Is it possible to execute PHP code in SSI?

3
Dave_L
Re: Access Control - .htaccess?
  • 2004/2/3 22:16

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Quote:
Is there a way I can make the HTML page available to a visitor only if he is logged in - and then only his own personal page?


Do you mean logged into Xoops? Or is this separate from Xoops, with a user "logging in" for the sole purpose of viewing "his" page?

4
Mithrandir
Re: Access Control - .htaccess?

It is separate from XOOPS, but I've made the system as a very stripped down XOOPS as basis with very modified classes.

It is supposed to go like this:
The visitor views the site like a normal user.
Visitor clicks on the login link and is brought to the login form.
Visitor inputs username and password and is brought to a page, where he can edit his user details and password as well as a page pops up with "his" personal HTML page.

Now, that is not the main problem. The main problem is making certain that no one can view the HTML file directly without being logged in as the user, whose HTML file it is (or if you have a better idea, please let me know).

Thanks for your help.

5
Mithrandir
Re: Access Control - .htaccess?

I'm just thinking out loud now:

Can I disallow opening any HTML page in a certain directory? And then make a normal php script, which checks for user authentication and if passed, reads the HTML page connected to that particular user?

I mean, I can't just include HTML files in PHP, right? I'd need to do some fread or something? I'm not that familiar with this thing and even then, I need to make sure that the HTML files are not possible to open directly - although the files will be complete HTML pages with and tags.

6
Dave_L
Re: Access Control - .htaccess?
  • 2004/2/3 22:40



My experience has been that integrating .htaccess password protection with a different login system, such as Xoops, is tough to do.

I don't know enough about SSI to be able to advise you on that.

Could you arrange to have the HTML files uploaded into a directory outside the web document root (or otherwise protected), so that they couldn't be accessed directly by a browser? Or store the pages in the MySQL database.

Then you could use PHP code to read/display the uploaded page belonging to the currently logged-in user.

7
Dave_L
Re: Access Control - .htaccess?
  • 2004/2/3 22:49



An .htaccess file containing simply
Deny from all
will deny access to all files in the directory.

I'm not sure about including entire HTML files. I'd have to experiment with that.

8
Mithrandir
Re: Access Control - .htaccess?

Looks like it is possible to just include an entire HTML file with a simple include ('filename.htm(l)'); statement.

Placing the HTML files off the web root is also working. Yeehaaw. Finally something seems to work for me.

9
DonXoop
Re: Access Control - .htaccess?

Just a quick reply here. .htaccess can handle all manner of access control but any user login would be outside of XOOPS and require another login. Better idea is to first isolate the files in a directory (off root is good too) and .htaccess Deny All. This prevents a direct call from HTML. You can still include() those files and thus have user based control.

The scheme for picking the right file I think you've already designed. But yes you can include() an HTML file in PHP. I've forgotten the syntax but is akin to SSI include_virtual which allows it to parse.

10
Mithrandir
Re: Access Control - .htaccess?

(stylized)
// Page name comes from the logged-in user's record, not from the request
$filename = $user->getPage();
include('root/to/off-web/folder/' . $filename . '.htm');

works very well. Now I even figured out how to do a popup window with this and I actually think I am all set.

Thanks a bunch guys all your help has been awesome.
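
The approach the thread settles on (pages kept outside the web root and sent by a PHP script to the logged-in user only), as an added example that is not part of the original thread. The function names, the `page_name` session key and the directory layout are assumptions; it uses readfile() rather than include() so that any PHP code inside an uploaded file is output as text instead of being executed.

```php
<?php
// Added example. Function names, the 'page_name' session key and the
// directory layout are assumptions, not code from the thread.

// Map a stored page name to a file inside $privateDir, or null if unsafe.
function resolve_user_page(string $privateDir, string $pageName): ?string
{
    // Plain names only: no slashes, dots or null bytes, so no "../" tricks.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $pageName)) {
        return null;
    }
    $base = realpath($privateDir);
    $path = realpath($privateDir . '/' . $pageName . '.htm');
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Symlinks are resolved by realpath(); the result must stay under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Send the logged-in user's own page; returns the HTTP status used.
function serve_user_page(array $session, string $privateDir): int
{
    // The page name comes from the session (set at login), never the URL.
    $name = $session['page_name'] ?? null;
    $path = is_string($name) ? resolve_user_page($privateDir, $name) : null;
    $status = ($name === null) ? 403 : ($path === null ? 404 : 200);
    if (!headers_sent()) {
        http_response_code($status);
    }
    if ($path !== null) {
        readfile($path); // outputs bytes as-is; include() would run any PHP inside
    }
    return $status;
}

// Constructed demo data: a throwaway private directory with two pages.
$dir = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/alice.htm", "<html><body>Alice's sheet</body></html>\n");
file_put_contents("$dir/bob.htm", "<html><body>Bob's sheet</body></html>\n");

// A logged-in user, a tampered page name, and a visitor with no session.
foreach ([['page_name' => 'alice'], ['page_name' => '../bob'], []] as $session) {
    $status = serve_user_page($session, $dir);
    echo "-> status $status\n";
}
```

In a real deployment the script would call session_start() and pass $_SESSION and the fixed private directory to serve_user_page(); the demo loop at the bottom is for running the file from the command line.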
