PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




 Post subject: Force HTTP_AUTH?
Posted: Fri Jan 20, 2012 10:01 am
Forum Newbie

Joined: Fri Nov 18, 2011 12:01 am
Posts: 4
I have this application which has three directories:

/ajax/
/ckeditor/
/upload/

Which all have security holes. I can .htaccess these folders no problem.

However, when a user logs into my application and tries to use any of these functions in said directories the application prompts for user/pass.

1. I know I can force the user/pass like so: <form action="http://user:pass@domain.com/cp/upload/php/index.php" method="POST">, but of course this exposes the username and password.

So, what I'm wondering: is it possible when my users log in to my application I can somehow log the users into the password protected directories too? Possibly using $_SERVER and $_SESSION vars? It just seems so much more "user friendly" to have them only log in once instead of prompting for a pw all the time.

Otherwise, I believe my application to be pretty secure.


 
 Post subject: Re: Force HTTP_AUTH?
Posted: Sat Jan 21, 2012 8:15 am
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
1. You should add authorization checks to your asynchronously accessed PHP code just like in any other PHP code you expose. There's no need to use a different authentication mechanism than the one you already use for your 'main' site anyway.
2. Depending on what your "security holes" in these directories are, this might not help entirely - you need protection against malicious authenticated users as much as you need protection against 'anonymous' ones.
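
The first point of the reply above, as an added example that is not part of the thread: a shared include that makes the scripts in /ajax/, /ckeditor/ and /upload/ check the application's own login session instead of a separate HTTP Basic prompt. The file name, the `user_id` and `permissions` session keys, and the permission strings are assumptions.

```php
<?php
declare(strict_types=1);
// auth_guard.php (hypothetical file name): require it at the top of every
// script under /ajax/, /ckeditor/ and /upload/.

/**
 * Returns the HTTP status for a request, based on the session the main
 * login already populates. Assumed session keys (not from the thread):
 *   'user_id'     - set on successful login
 *   'permissions' - list of strings such as 'upload', 'edit'
 */
function guard_status(array $session, string $requiredPermission): int
{
    if (empty($session['user_id'])) {
        return 401;                       // no application login
    }
    $granted = $session['permissions'] ?? [];
    if (!is_array($granted) || !in_array($requiredPermission, $granted, true)) {
        return 403;                       // logged in, but not allowed here
    }
    return 200;
}

function enforce_guard(string $requiredPermission): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();                  // same session cookie as the main site
    }
    $status = guard_status($_SESSION, $requiredPermission);
    if ($status !== 200) {
        http_response_code($status);
        header('Content-Type: application/json');
        exit(json_encode(['error' => $status === 401 ? 'login required' : 'forbidden']));
    }
}

// Constructed sessions, shown when the file is run directly: php auth_guard.php
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $editor = ['user_id' => 7, 'permissions' => ['edit']];
    var_dump(guard_status([], 'upload'));        // anonymous request
    var_dump(guard_status($editor, 'upload'));   // logged in, lacks 'upload'
    var_dump(guard_status($editor, 'edit'));     // logged in and permitted
}
```

Each endpoint would load this file with `require` and then call `enforce_guard('upload');` (or the permission that fits) before doing any work. As the reply's second point says, this only gates access; flaws that an authenticated user can still reach need their own fixes.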

