0

I have set up a basic username and password authentication for regular users

i want only one ip access with a one username and password

for example user one connect with test and test if user one still connect to server with basic authentication , and user 2 request to access to server with same username and password , user 2 can't access to server until user 1 disconnect from server.

Ali Akbar Azizi
  • 3,272
  • 3
  • 25
  • 44
  • When would you consider user one's session being over? – chelmertz Mar 27 '13 at 23:06
  • i don't understand your mean , when y user disconnect from server ( for example when finished download file ) – Ali Akbar Azizi Mar 27 '13 at 23:09
  • take a look at [this question](http://stackoverflow.com/questions/3164507/allow-one-session-only-at-a-time), maybe it'll give you some hints. Afterall you'll see that the only way to achieve it is to replace `.htaccess` with a locking mechanism. – ducin Mar 27 '13 at 23:13

1 Answers1

2

This is impossible with HTTP basic authentication because HTTP does not have active connections that last longer than the time all data for a single page or image is transfered. If all data is transfered, the connection is terminated. Should this be the right time to let the second user in? If so, limit your apache to accept only one connection at a time (i.e. allow only one child process), and you are done.

If you want this more like I think you want it, you have to implement it yourself inside your application with sessions, and have to deal with the fact that users do no usually log themself out of the application, but simply close the browser. So after a certain time has passed, the first user must be considered inactive and his session terminated to let the second user in.

And by the way: Remember that HTTP basic authentication has no way to "logout" implemented! All solutions that simulate this really only send another authentication challenge to the browser, which makes it forget about the login and asking the user for credentials again. This cannot be implemented with .htaccess.

Sven
  • 69,403
  • 10
  • 107
  • 109
  • if i limit my apache , only one user can access at same time , i want each user can access and their session lock to their ip , so another can't access with same user and pass and diffrent ip, for example , user 1 download b big file with 1 connection , user 2 with same user pass can't access to the server until the download finish . any idea how to make it ? – Ali Akbar Azizi Mar 27 '13 at 23:13
  • Yes, and it is impossible with .htaccess - implement it in your software. – Sven Mar 27 '13 at 23:14
  • you say , i redirect all connection to the php page , and check user , if user can access , send file for download ? is it possible? – Ali Akbar Azizi Mar 27 '13 at 23:16
  • No. Usually you check access permission on EVERY page, because otherwise one would be able to circumvent it. Please google for a tutorial on how to set up a mechanism that uses PHP sessions for a website login - explaining these basics is beyond the scope of comments to answers on stackoverflow. – Sven Mar 27 '13 at 23:19
  • how i check with file ? for example i have 1.zip in this folder , how i check to allow user download 1.zip ? – Ali Akbar Azizi Mar 27 '13 at 23:21
  • Have a download script that intercepts the access and either rejects with an error message or outputs the content. Do note that using PHP to send huge files might have resource issues (memory limits etc.). – Sven Mar 27 '13 at 23:26