
Hi,

Is it possible to share information between a PHP script and .htaccess? I was experimenting with $_ENV, but did not get it to work.

What I want to do:

I am creating a login system. For every HTML request, .htaccess calls a PHP script (via a rewrite rule) and passes the original URL as a parameter. The PHP script tests whether the user is logged in. If not: go to the login page; if yes: allow access to the requested URL. I did that with PHP's "header($url)".

The problem: this always starts a loop, because after the login test is successful the PHP script requests the original URL, which is again handled in .htaccess by calling the PHP script.

My idea: is there a way to set a variable in PHP which I can access in an .htaccess condition? And is that a secure way?

Update:

As asked for, here is my code.

PHP:

session_start();
$sOriginUrl = $_GET["url"];

if(!$sOriginUrl){
    return false;
}

if($_SESSION["userName"]) {
    if($_SESSION["userName"] !== null){
        header("Location: " . $sOriginUrl, TRUE, 301);
    }
    else {
        $aTokenizedOriginalUrl = explode("/", $sOriginUrl);
        $sLoginUrl = "/";
        for($i=0, $il=count($aTokenizedOriginalUrl); $i<($il-1); $i++) {
            $sLoginUrl = $sLoginUrl . $aTokenizedOriginalUrl[$i] . "/";
        }
        header("Location: //myurl.de/" . $sLoginUrl);
    }
}
else {
    $aTokenizedOriginalUrl = explode("/", $sOriginUrl);
    $sLoginUrl = "/";
    for($i=0, $il=count($aTokenizedOriginalUrl); $i<($il-1); $i++) {
        $sLoginUrl = $sLoginUrl . $aTokenizedOriginalUrl[$i] . "/";
    }
    $_ENV["HTTP_user_logged"]="true";
    header("Location: //myurl.de/" . $sLoginUrl);
}

.htaccess:

RewriteEngine on

# This prevents the rewrite engine from looping
RewriteCond %{ENV:HTTP_user_logged} true
#RewriteCond %{forced_responsecode} 301
RewriteRule ^ - [L]

#RewriteCond %{ENV:REDIRECT_STATUS} !=""
RewriteCond %{HTTP_REFERER} !^/myurl.de/basics/validate-user-login-for-url.php$
RewriteCond %{REQUEST_URI} !^(/.*)/$
RewriteCond %{REQUEST_URI} !^(/.*)/index.html$
RewriteRule ^(.*\.html)$ /myurl.de/basics/validate-user-login-for-url.php?url=%{REQUEST_URI}&ref=%{HTTP_REFERER} [L,QSA]

Thanks for any help!!

K.S.
    Post your code. I would guess that it's a logical error in your PHP, and not an htaccess problem. You should never need to "share" between the two – Zac Brown Oct 16 '16 at 22:36

1 Answer

I'm afraid what you are asking is not possible. PHP cannot share information with .htaccess because the latter is checked before PHP is executed, so the workflow is "req -> .htaccess -> php; req -> .htaccess -> php". The only thing that is preserved between requests is cookies, and no, it's not secure to save the login state in the cookie; you need to use sessions, and PHP sessions are not available in .htaccess.

So the solution I propose is that every file in your project which requires the user to be authenticated includes a file "check_auth.php" at the beginning. Your check_auth.php can then include() the login page and exit() if not logged in, or simply do nothing if the user is logged in (which means the originally invoked script continues its execution).

Hope this helps. Cheers

Johnny
  • OK. Yes, your answer really helps, as I know that my way of solving the problem makes no sense and I do not need to waste my time on that :) Thanks for proposing a solution!! Unfortunately it is not working for me, as I need to check .html files or something else, but never a .php file where I could just include the testing PHP. Do you have any other idea or reference? Thanks! – K.S. Oct 16 '16 at 22:51
  • I'm afraid I don't have much else, check [this](http://stackoverflow.com/questions/14066697/php-and-htaccess-authentication-solution) for a cookie-based solution like I mentioned but remember that **it is NOT SECURE** (as you cannot control access on a user-by-user basis). Maybe it's enough for you. – Johnny Oct 16 '16 at 22:58
  • Yeah, thanks, but it is really not safe, so I cannot use it. – K.S. Oct 17 '16 at 07:45
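
One way to apply the session check from the answer to static .html files, as an added example that is not code from the question or the answer: the rewrite rule hands every .html request to a PHP gate, which checks the session and then outputs the file itself instead of redirecting, so no second request passes through .htaccess. The file name gate.php, the /login.php target and the rewrite rule in the comment are assumptions; the `userName` session key is the one used in the question.

```php
<?php
// gate.php (hypothetical name): added example, not code from the thread.
// Assumed .htaccess rule in the document root:
//   RewriteEngine on
//   RewriteRule \.html$ /gate.php [L]
// The rewrite is internal, so REQUEST_URI keeps the URL the browser asked for,
// and gate.php itself does not match \.html$, so the rule cannot loop.

// Map a requested URL to a real .html file below $docRoot.
// Returns null if the path escapes the root, is missing, or is not a .html file.
function resolveHtmlPath(string $docRoot, string $requestUri): ?string
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    $root = realpath($docRoot);
    if (!is_string($path) || $root === false) {
        return null;
    }
    $path = rawurldecode($path);
    if (strpos($path, "\0") !== false) {
        return null; // NUL bytes are never valid in a file name
    }
    // realpath() collapses "../" and symlinks; it returns false for missing files.
    $file = realpath($root . $path);
    if ($file === false || !is_file($file) || !preg_match('/\.html$/i', $file)) {
        return null;
    }
    // The resolved file must still live under the document root.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($file, $prefix, strlen($prefix)) === 0 ? $file : null;
}

session_start();

if (empty($_SESSION['userName'])) { // session key taken from the question
    // Fixed target (assumed /login.php): not a .html URL, never built from request input.
    header('Location: /login.php', true, 302);
    exit;
}

$file = resolveHtmlPath($_SERVER['DOCUMENT_ROOT'] ?? '', $_SERVER['REQUEST_URI'] ?? '/');
if ($file === null) {
    http_response_code(404);
    exit;
}

// Logged in: output the page directly. No redirect, so no second pass through .htaccess.
header('Content-Type: text/html');
header('Cache-Control: private, no-store');
readfile($file);
```

Because the rule matches every .html URL, the pages cannot be fetched around the gate, and the login state stays in the server-side session rather than in anything the client controls.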