0

I have a directory with files that have to be protected. Protection is made by standard HTTP Basic Authentication (.htaccess, .htpasswd etc). With code below i can get content of protected page, but nothing else ("session / login" expires at once). I need to access that page and download files. How to login to protected area and stay on that page using php (or javascript/ajax) ?

<?php 
// HTTP authentication 
$url = "http://localhost/protected_files/"; 
$ch = curl_init();     
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);  
curl_setopt($ch, CURLOPT_URL, $url);  
curl_setopt($ch, CURLOPT_USERPWD, "login:password");  
$result = curl_exec($ch);  
curl_close($ch);  
echo $result; 
?>

The same using jQuery ajax:

var username = $("input#username").val();
var password = $("input#password").val();  

function make_base_auth(user, password) {
  var hash = btoa(user + ':' + password);
  return "Basic " + hash;
}

$.ajax
  ({
    type: "GET",
    url: "http://localhost/protected_files/",
    headers: {
       'Authorization' : make_base_auth(username, password)
    },
    success: function (data){
      $('body').html(data);
    }
});
Improve this question
1
  • What's the web server? If it's Apache, is it configured to handle sessions by means of cookies or PHPSESSID params? Commented Jan 10, 2013 at 14:13

1 Answer 1

Reset to default
4

Your PHP script uses CURL to read a file that is located in a directory protected by HTTP Basic Authentication and echo it to the screen. If your PHP is located in your web root, and your protected directory is in a subdirectory called "protected", the user's browser is never actually re-directed into the protected directory. The user's browser stays in the web root.

Moreover, the user's browser has never authenticated. Only your web server has authenticated via your PHP script. Think of it like this, your web server acted as a human and used a PHP based web-browser of sorts to authenticate. The person sitting at their computer at home never authenticated their web browser. Apache authenticated, read the contents of that file, and passed it along to the end user as sort of a proxy.

After the initial script loads a page. Any anchors tags with href attributes pointing to files located within the "protected" folder will bring up that popup asking the user to authenticate. You are mistaking this as an expired session. This is happening because the server hosting the PHP script (not the end user's computer) is authenticated in your PHP script. The end user's computer has yet to authenticate even once. After they enter their credentials, they should be good for the rest of the session.

What you are asking is impossible. The user will always be prompted for a username and password whenever they click on a link. Why not just have them log in? If the files need to be password protected, why are you circumventing the protection. You may need to rethink your approach.

Broken down further: This is your PHP script.

  • End User: hey, I just surfed to you
  • Apache: great, let me run this php script that grabs files from a protected directory
  • PHP: Ok. Let me fetch the file. Hey, Apache, I've been instructed to grab the file using httpd basic auth from a folder on you!
  • Apache: Weird! ok. What's the login and password. I can't give you the file unless you have that info.
  • PHP: I have that info hard coded in me. Here you go.
  • Apache: Thanks! Here's that file.
  • PHP: Great. Thanks for the file! Now, can you give it back to the end user. Here you go. Right back at ya.
  • Apache: Thanks! I have that file. Here you go end user.
  • End User: Wow, I can see the file! Thanks Apache and PHP!

Now, the end user clicks on a link to download a file

  • End user: Hey I want to download that file now.
  • Apache: Okay, what's the login and password.
  • End user: HEY! I don't need that. Didn't I just give that to you?
  • Apache: Nope. PHP got that file for you and told me to give you a copy. You've actually never gotten passed my gate. So what's the password!
  • End user: Let me ask Mrbinky3000 on stack overflow what the deal is.

Here is the conversation your JavaScript example would have.

  • End user: Hey, Mr. Browser, go to this URL.
  • Mr. Browser: Hey Apache, can you fetch me the page at this URL.
  • Apache: Here you go, Mr. Browser. Enjoy the page.
  • Mr. Browser: Oh, I see there is some code here for Mr. Javascript.

End user types in username and password, clicks on submit button

  • Mr. Browser: Ok. Time to execute some javascript. Here you go, Mr. Javascript.
  • Mr. JavaScript: Hey, Apache! I've been told to fetch this page from a sub-folder and display it in Mr. Browser's body. Only thing is, that sub folder is protected with basic auth. So I need to give you these credentials.
  • Apache: Hey. What's up Mr. JavaScript. I see you want me to fetch this page from a protected directory. I'd like to do that, we're friends, but I need to ask you this: What's the login and password. Nothing personal, it's just my job.
  • Mr JavaScript: No problem Apache! I have the credentials. here you go.
  • Apache: great! I'll go over here and fetch that page for you. Here's that page. Have fun.
  • Mr. JavaScript: Thanks for fetching that file for me, Apache. Hey, Mr. Browser, I need to swap out your body contents with the file that Apache just gave me.
  • Mr. Browser: Sure, no problem. Let me take that from you. And here we are, that page you fetched is now my body.
  • End User: Wow, I can now see that protected page, thanks Mr. Browser. Time to click on a link.

End user clicks on a link.

  • Mr. Browser: Hey Apache, my user just clicked on a link and now I need fetch a file in that protected directory.
  • Apache: Hey there buddy, not so fast! What's the login and password?
  • Mr. Browser: Uh, I don't know. Do I need to tell you that? Didn't Mr. JavaScript JUST give you that information?
  • Apache: Yes, Mr. JavaScript DID give me that. But you are not Mr. Javascript. You are Mr. Browser. Since you are trying to get past my security, and not Mr. Javascript, I need to ask you the same question I asked Mr. JavaScript. What are the Credentials, please. Don't take it personally, it's my job.
  • Mr. Browser: Uh, don't know the answer. I better ask the End user. Hey, End User. What's the login and password?
  • End User: What's up Mr. Browser!!! Weren't we JUST THERE a second ago? Why do you need that info again? Hmmm. Better ask MrBinky what's up.
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

There ya go. Added a JavaScript explanation.
Thank You for the thorough explanation, i laughed head off ;)))

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.