How to achieve mixed authentication/anonymous access
am 14.04.2010 18:01:35 von dirk.thomasHi,
i have a problem with Authentification.
I currently doubt that it is possible at all.
Perhaps someone can enlighten me how to achive the goal or confirm that it is not reachable.
The scenario is to achieve a mixed authentication/anonymous access similar as described for Subversion (see http://svnbook.red-bean.com/nightly/de/svn-book.html#svn.ser verconfig.httpd.authz.perdir.ex-3).
Therefore the ".htaccess" looks something like that:
Order allow,deny
Allow from all
AuthType Basic
AuthName "Realm"
AuthUserFile "/some/path/.htusers"
require valid-user
Satisfy any
Additionally a PHP script is inside the same folder.
When you now browse to the URL of the PHP script, you can access it without any credentials requested.
At some point the PHP script "decides" that authentification is required (e.g. when passing a param like "?access-secret=1").
Therefore it sends the following two headers:
WWW-Authenticate: Basic realm="Realm"
HTTP/1.x 401 Unauthorized
Then you are asked to insert your username/password for the basic auth.
But now comes the problem:
How can the PHP script determine if you have provided valid credentials?
The server variables PHP_AUTH_USER and PHP_AUTH_PW are populated independent of the result of the authentification defined in Apache.
I do explicitly not want to check the credentials in PHP - think of the many different auth-methods which could be configured with Apache.
Nor can the anonymous and authenticated parts be split in separate folders.
Is this goal even possible or is the only way to not allow anonymous access (but for replacement a dummy user like "guest" with no password) or implement the auth in PHP?
Any feedback is highly appreciated.
Thank you
Dirk
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php