How to send kind of persistent "Authorization" headers with PHP

Question

I don't know if it's possible, but if I don't ask I'll never know :)

I have the exact problem discuted in this topic. That's: I have some static files in some folders and I want only some users to see that content. That users are coming from a previous login.

Some possible solutions are discussed in that topic, but I have thought another possible solution. If I could send with PHP the Authorization HTTP Header, which contains the username and password of the user, and keep it persitent in subsequents requests (as I think it happens with the apache authentication). I would send that headers during my previous login, and then when the user would try to access to its directory, an .htaccess would check if he is a valid user.

I have tried to send the Authorization header with PHP with:

header('Authorization: Basic '.base64_encode($USERNAME.':'.$PASSWORD).PHP_EOL);

But they are only present for one request.

In .htaccess, I have checked that it's not possible to have an unique `Require user USERNAME', so I think it would be necessary to create an htpasswd file storing the same credentials than the ones the login process use, and then create an usual authentication configuration (basic or digest):

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /path/to/htpasswd/file
Require user USERNAME

Thank you in advance

http://php.net/manual/en/features.http-auth.php – hakre Sep 26 '11 at 18:54 — hakre, Sep 26 '11 at 18:54
I read it, but I didn't found the answer there – Waiting for Dev... Sep 26 '11 at 19:38 — Waiting for Dev..., Sep 26 '11 at 19:38

score 1 · Accepted Answer · answered Sep 30 '11 at 11:43

You could have an Basic or Digest HTTP authentification handled by Apache, with a simple "require valid user". No apache can implement a lot of mod_auth variations, check for mod_auth* in this page. So you can tell apache to authenticate on your database, or even to perform authentification with a custom code that you provide with mod_authnz_external.

External script support is good as you could implement a session authentification with a cache level (to prevent redoing the whole authentification for each requested resource), which is what basically happen with the default cookie based session (first authenticate, then just transfer the PHPSESSID, so we'll check the session exists).

score 0 · Answer 2 · answered Sep 26 '11 at 18:54

0

I have thought another possible solution. If I could send with PHP the Authorization HTTP Header,

You couldn't

answered Sep 26 '11 at 18:54

Your Common Sense

156,878
40
214
345

How to send kind of persistent "Authorization" headers with PHP

2 Answers2