By "using HTML" I meant typing the address into the browser as http://username:[EMAIL PROTECTED]/protected/file.pdf or using the HTML: <a href="http://username:[EMAIL PROTECTED]/protected/file.pdf">Link...</a> or using the header: header("Location: http://username:[EMAIL PROTECTED]/protected/file.pdf");

>also, there is no problem retrieving a pdf after passing http basic authentication (I just double checked this on a client's site and was appropriately prompted with a pdf handling dialog box after I authenticated).

Of course there is no problem if the user is entering the information himself or herself. But just using this code:

$file = 'http://miningstocks.com/protected/Dec03PostPress.pdf';
//now view the PDF file
header("Content-Type: application/pdf");
header("Accept-Ranges: bytes");
header("Content-Length: ".filesize($file));
readfile($file);


from a PHP page where no authentication has occurred does not work at all.

Let me say, if this is not clear, that I do not want unique usernames and passwords for users. I want one username and password that WILL NEVER BE SEEN by the user.

The way that I had planned was to keep ONE username and password which would allow access to all the files in a MySQL database. After the user entered his name and email address, the username and password would be fetched off the database, and then authentication would occur with this username and password and the user would be served the file. The authentication would be completely transparent to the user. But the different ways to authenticate transparently to the user either do not work or reveal the username and password (making it pointless to even protect the files in the first place).

Best Regards,

Scott Taylor



[EMAIL PROTECTED] wrote:

there are a couple of different ways to do this.

the "http basic" approach will work just fine. with http basic the id/pw are passed in the headers in an encoded string, so i'm not certain about your:

if using HTML, the username & password is easily seen

statement.

also, there is no problem retrieving a pdf after passing http basic authentication (I just double checked this on a client's site and was appropriately prompted with a pdf handling dialog box after I authenticated).

now, http basic assumes that the id/pw are in a file/database/etc. the password is generally encrypted (des or md5) but can be in clear text. so, for this to work, you'd probably need some type of registration page that will store the id/pw info that the apache server will query against. [i strongly recommend using a database, not a file, due to file locking issues.]

other approaches to this general issue include a URL mapping scheme. e.g., the public URL would drive the user through a one-time email/name collection process. when the user passes that they are served the document from the actual storage location. they can be done in a way that the true document URL is never shown. obviously you'd have to do this in a way that would give the fake URL as a .pdf so that the client will handle things correctly.




---------- Original Message ----------


From: Scott Taylor <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Tuesday, January 20, 2004 03:17:21 PM -0500
Subject: [PHP] authentication problems!


I am about at my wits' end trying to find a good solution to this problem. I've asked various portions of this question to this mail list and still have not found exactly what it is I am looking for, but here it goes.

I'm looking for a way to protect my files (this would be pdf files,
image files, etc...other things than text/php files) so that for someone
to see a current file they will have to enter in their email address and
name.  Seems fairly simple, and yet I can not figure out how to do it.
I've been told of the following alternatives:

Protect the files with HTTP auth (basic, or use SSL if very paranoid),
then, after entering the info into a database:

1. just link to http://username:[EMAIL PROTECTED]/protect/file.pdf
(either directly using html, or use headers).  The problem:  if using
HTML, the username & password is easily seen.  If using headers, this
does not work (it is not seen as a PDF file) - my best guess is that the
auth headers get passed along and so it does not work.  Of course, I can
load a PDF using headers if the file is not in a protected directory
without any problems at all.  But then again it wouldn't be protected to
begin with.

1.b. It was later suggested that I could link to
http://username:[EMAIL PROTECTED]/protect/file.pdf and use an apache
rewrite statement to change every protected file to exclude the username
& password. But I've posted to an apache group and they have said that
this CAN NOT be done.

2.  link to something outside of my httpdocs directory.  Unfortunately,
I am on a shared server and do not have a private folder (or at least my
_private directory which is contained within httpdocs will not work - I
get the same problem that I do with authentication - it does not
recognize the file as a PDF at all).

3.  use a prebuilt class (such as snoopy or Emanuel Lemos).  This looks
as though it is the only option available to me at this time, but it
doesn't look as though it is a good one as it will add a lot of code to
something that seems as though it should be VERY simple, and it means
that I will have to go through the documentation to use this.


If anyone has any ideas it will be much appreciated.


Scott Taylor

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


---------- End Original Message ----------
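The gate this thread is asking for (collect name and e-mail, then serve the PDF without the shared username and password ever reaching the browser), as an added example that is not code from any poster in the thread. The script name, the `registered` session flag, the `DOC_USER`/`DOC_PASS` environment variables and the example.com host are assumptions made for illustration.

```php
<?php
// Added example: hypothetical gate script, requested as download.php?doc=dec03.
// The browser only talks to this script; the Basic credentials stay on the server.
declare(strict_types=1);
session_start();

// Assumption: the name/e-mail form sets this flag after storing the visitor's details.
if (empty($_SESSION['registered'])) {
    http_response_code(403);
    exit('Please register first.');
}

// Allowlist of document ids -> protected URLs (placeholder host). The visitor never
// supplies a URL or path, so the script cannot be steered to an arbitrary target.
const DOCS = [
    'dec03' => 'https://example.com/protected/Dec03PostPress.pdf',
];
$id = (string)($_GET['doc'] ?? '');
if (!isset(DOCS[$id])) {
    http_response_code(404);
    exit('Unknown document.');
}

// Assumption: the one shared username/password comes from the environment
// (a database lookup would slot in here instead).
$user = getenv('DOC_USER');
$pass = getenv('DOC_PASS');
if ($user === false || $pass === false) {
    http_response_code(500);
    exit('Server is not configured.');
}

// Send the credentials in an Authorization header on a server-side request.
$ctx = stream_context_create(['http' => [
    'method'          => 'GET',
    'header'          => 'Authorization: Basic ' . base64_encode("$user:$pass") . "\r\n",
    'follow_location' => 0,   // do not follow redirects with the credentials attached
    'timeout'         => 10,
]]);
$body   = @file_get_contents(DOCS[$id], false, $ctx);
$status = $http_response_header[0] ?? '';
if ($body === false || !preg_match('#^HTTP/\S+ 200\b#', $status)) {
    http_response_code(502);
    exit('Document unavailable.');
}

header('Content-Type: application/pdf');
header('Content-Disposition: inline; filename="' . basename(DOCS[$id]) . '"');
header('Content-Length: ' . strlen($body)); // filesize() cannot stat an http:// URL
header('Cache-Control: private, no-store');
echo $body;
```

Because the whole file is held in memory before it is sent, this suits documents of modest size; the protected URL and the credentials appear in no link, redirect or response header.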




