简体繁体 English

通过php脚本进行.htaccess身份验证，以防止浏览器对话框

[英].htaccess authentication from a php script to prevent a browser dialog box

原文 2010-04-22 21:35:15 5 3 php/ authentication/ .htaccess/ dialog

Using php I authenticate a user, then behind the scenes,they are then again authenticated a second time with a single .htaccess username & password. 使用php我对用户进行身份验证，然后在后台进行身份验证，然后再次使用单个.htaccess用户名和密码进行第二次身份验证。 This would be the same for all users, but I would not want them to have to enter a username and password again and they would now be allowed to enter the password protected directory. 对于所有用户来说都是一样的，但是我不希望他们再次输入用户名和密码，现在允许他们输入受密码保护的目录。 I prefer not to use http://username@password:somedomain.com . 我不想使用http：// username @ password：somedomain.com 。

Any thoughts? 有什么想法吗？

3 个解决方案

If you want to avoid multiple logins but need HTTP authentication, you can use only HTTP authentication for the actual login. 如果要避免多次登录但需要HTTP身份验证，则只能将 HTTP身份验证用于实际登录。 This is because PHP can issue and respond to such headers. 这是因为PHP可以发出并响应此类标头。

http://php.net/manual/en/features.http-auth.php http://php.net/manual/en/features.http-auth.php

This way the user receives a pop up, PHP can read it and respond accordingly and the browser will pass it with subsequent requests eliminating further prompts. 这样，用户会收到一个弹出窗口，PHP可以读取它并做出相应的响应，浏览器将通过随后的请求将其传递，从而消除了进一步的提示。

Note: This solution is not available to CGI versions of PHP. 注意：此解决方案不适用于PHP的CGI版本。

You should not do this. 您不应该这样做。

Either: 或者：

Add code to your .htaccess protected directory to use your PHP authentication scheme and remove the .htaccess authentication. 将代码添加到受.htaccess保护的目录中，以使用您的PHP身份验证方案并删除.htaccess身份验证。
Write a new PHP page/script through which your authenticated users will access all of the protected content. 编写一个新的PHP页面/脚本，通过身份验证的用户将通过该页面/脚本访问所有受保护的内容。 Move the protected content out of the web root, or use your .htaccess file to deny all access. 将受保护的内容移出Web根目录，或使用.htaccess文件拒绝所有访问。 Your script will be able to access the files, but users will have to go through the script to access them. 您的脚本将能够访问文件，但是用户将必须通过脚本来访问它们。

Sorry, I do not believe this is possible (unless you want to use the username:pass@url scheme). 抱歉，我不认为这是可能的（除非您想使用username：pass @ url方案）。 You could write some ajax to do it behind the scenes, which would mean that the browser will remember the auth for that area (maybe, I have never actually tried it). 您可以编写一些ajax在后台进行操作，这意味着浏览器会记住该区域的身份验证（也许，我从未真正尝试过）。 But you would still need the username/pass regardless. 但是无论如何，您仍然需要用户名/密码。

For the security of not transmitting the password in clear text on the browser (I assume you are using https to transmit the password over the network, or if your not you should!) I think it will be a little annoying for the user, but not a huge amount of hassle in my opinion. 为了确保在浏览器中不以明文形式传输密码（我假设您正在使用https通过网络传输密码，或者如果不是，则应该这样做！）的安全性，我认为这会使用户有些烦恼，但是我认为这不是很大的麻烦。

Of course you could do the authenticating on that other folder in PHP, which would solve the issue, or put all your protected code in the one place with the one HTTP auth, but I assume you dont want (or cant) do this. 当然，您可以在PHP的该其他文件夹上进行身份验证，这将解决此问题，或者通过一个HTTP身份验证将所有受保护的代码放在一个位置，但是我假设您不希望这样做（或不能这样做）。