Re: [PHP] Reading from the htpasswd file

On Fri, February 2, 2007 8:17 am, Ryan A wrote:
I have a pal who uses a htpasswd file for access to his site..

rather than using basic_auth he wants to change it to form based
_without_ a DB (ie user comes to his site and enters the username and
password into a form, then submits it to the php script, the php
script reads the htpasswd file and accordingly grants access or denies
access if the login does not match)

Am not so sure about this but before i can make an arguement against
this, I should know something myself so my questions to you more
knowledgeable guys are:
1. Is it such a good idea switching?

If he thinks the Basic Auth popup is "icky" then go ahead and get rid
of it. No biggie.

There's no great advantage to Basic Auth, and, actually, having the
authentication done in PHP can be beneficial if you want to start
doing some custom logging and user profile modeling of logins.

It's certainly possible to get access to that, or to integrate that
after the HTTP Basic Auth has been done, but it can be "cleaner" code
to have it all as one conceptual mess in PHP, instead of a mess in
HTTP Auth Apache and another in PHP.

2.Wont the basic_auth pop up anyway even after entering these values
into the form?

Not unless you send the headers out, either with PHP, or with
..htaccess (or httpd.conf) settings to do HTTP Basic Authentication

3. If having a hundreds (or even thousands) of user:pass combinations
in the htpasswd file.... wont it make logging in longer and more
processor intensive to search all of the combinations till you find
(or not find) the login?

Not really.
$file = file_get_contents('/full/path/to/htpasswd');
preg_match_all('/(.*):(.*)$/msU', $file, $htpassd);
//play games with array_flip or array_slice here to get
//an associative array of $users['username'] = 'password';
//Your login check is then a simple array reference

Did some small code experiments before coming here asking for
advise...
can send you the code I have written if need be...but what i have
found out is with small amounts of data i see no difference in speed
of loggin in using the htpasswd file as the "login database"..

Whether reading the file or the DB is faster depends totally and your
hardware and network topology between web server and db server, or
lack thereof.

Nothing anybody else can say on this matter has any real meaning.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
.

Relevant Pages

  • Re: [PHP] Reading from the htpasswd file
    ... password into a form, then submits it to the php script, the php ... access if the login does not match) ... If he thinks the Basic Auth popup is "icky" then go ahead and get rid ... doing some custom logging and user profile modeling of logins. ...
    (php.general)
  • Re: PHP - D3 subroutine calls?
    ... MVWWW does the login once and then makes the connection available for ... don't think any of the MV vendors have adequately minimized the pain ... your PHP call. ...
    (comp.databases.pick)
  • Re: To allow access only from the designated site.
    ... I want to allow access to it only from site "B" login user. ... what capabilities do both servers have, do they have php, does only ... one, which one, does one/both have a database, session support? ... and to a script on siteB, and uses RSA for the form, with B's public ...
    (comp.lang.php)
  • RE: [PHP] why?
    ... It doesn't work together with Windows ... PHP) you mean? ... access to the initial login values ... What we shoot for is Single Source Authentication. ...
    (php.general)
  • Re: What is wrong in my source-code?
    ... This is my login code in PHP: ... Users on my locale server have to login to see my pages. ... username and password are stored in the database. ... MySQL is perfectly happy with performing more than one query in a single call. ...
    (comp.lang.php)