authenticate / bypass .htaccess .htpasswd in PHP

Question

I've had a good look around here for articles relating to this and nothing I see seems to work. Let me start by explaining my situation.

I have a load of files and folders (directories) inside a .htpasswd/.htaccess protected folder. These are sat on a Windows Server running xamp apache.

On this server (and within this folder) I have a single .php page which pulls in database records & assets from with the folder & sub-folders. The assets are organised, but all over the place.

I have a linux server with a php file and I am trying to embed that single php file using iframe ideally (as its easy for format). Issue is it's still asking me to provide the credentials to login to the .htaccess site.

I tried to create a php file above the password protected directory to load the php file within using file_get_contents however that still asked me for the password.

I tried moving the file outside of the directory, but because all the assets are in the directory, it again asks for the login credentials...

WHAT DOES WORK

I tried editing the .htaccess to add my server IP however this didn't work as the iframe which loads it is a browser. Adding my device public IP works which is a nice proof of concept, so I am thinking is it possible to make something serverside load the content? rather than an iframe which renders & loads browser side

Alternatively, any workarounds I have missed?

Thanks

UPDATE 1

if i echo file_get_contents('local_file_path') I just get a screen of junk

$fixture) { # check if today $today = date("Y-m-d"); $fixturedate = $fixture['date']; if ($fixturedate == $today) { $this_fixture = ['title'=>$fixture['title'], 'hometeam'=>$fixture['hometeam'], 'homegoals'=>$fixture['hometeamgoals'], 'homecards'=>$fixture['hometeamcards'], 'awayteam'=>$fixture['awayteam'], 'awaygoals'=>$fixture['awayteamgoals'], 'awaycards'=>$fixture['awayteamcards'], 'progress'=>$fixture['progress']]; array_push($game_array, $this_fixture); } } } ?>
@ " . date("G:i") . ""; ?>
No fixtures today..."; } echo ''; include "../connection.php"; //Connect to Database # GET Logos $lsql = "SELECT `fixture_list`.*,`logos`.* FROM `fixture_list` JOIN 

if I do a require 'local_file_path' it's better but none of the file paths match up as they're all relative in the original document

Answer 1

I have a few Ideas you can try:

Option1

AuthUserFile /var/www/mysite/.htpasswd
AuthName "Please Log In"
AuthType Basic
require valid-user
Order allow,deny
Allow from 127.0.0.1
satisfy any

I've never personally tried this, so you may have to use the servers outbound IP (maybe). The idea is to allow access from a specific IP, localhost, without the login.

Option2

You could include the file by path (not url),

if I do a require 'local_file_path' it's better but none of the file paths match up as they're all relative in the original document

It's possible to set the working directory of PHP using chdir() .

http://php.net/manual/en/function.chdir.php

bool chdir ( string $directory ) Changes PHP's current directory to directory.

set_include_path() may also be an option.

Option3

You could use cURL and login, the example I found is by command line but it might also work using PHP's Curl.

$output = shell_exec('curl -A "Mozilla" -L "http://user:password@domain.com/api/someapi.php"');

This may also work with file_get_contents, by adding the password and user to the url, however it will probably be recorded in the server access logs, which may or may not matter to you.

It's always preferable to access files on your own server by path, it's much faster then doing a network request. And less visible log wise.

I'm sure there are a few other tricks.