I am running apache2 and php5 in my Windows PC.
I have protected my directory using .htaccess
and.htpasswd
. If login information is not set, or if the username-password combination is not correct, the browser will prompt for a username and password box by default, if user tries to access protected dir.
But I开发者_C百科 want to redirect the user to a specific address or url. In short, I want to redirect user instead of displaying the HTTP basic authentication dialog. How can I make this possible?
Answer explanation :
You need to implement a custom authentication, natively you can not redirect on authentication fail.
Solution :
A custom ErrorDocument implementation using an HTML meta tag to make the redirection possible on authentication fail and let the user access the protected area on authentication success (The server will always cast out a 401 on first load before entering the user and password because the browser is not expecting such authentication in the first place and get refused the access)
AuthUserFile /path/to/users
AuthName "Access Denied"
AuthGroupFile /dev/null
AuthType Basic
Require valid-user
ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=/failed.html\"></html>"
Alternative I :
Since Apache 2.4. you can use mod_auth_form
with htaccess to make an advanced authentication and use a more reliable solution
http://httpd.apache.org/docs/trunk/mod/mod_auth_form.html
Alternative II :
Use a php to handle 401 ErrorDocument 401 /handle.php
http://php.net/manual/en/features.http-auth.php
Extended Security :
ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=/kickout.php\"></html>"
ErrorDocument 400 /kickout.php
ErrorDocument 403 /kickout.php
ErrorDocument 500 /kickout.php
Deny from all
Allow from 192.200.x.x
Allow from 192.200.x.x
Allow from 127.0.0.1
Allow from localhost
I got this to work with an approach similar to AJ's. My .htaccess
file is very similar to the following:
AuthUserFile /opt/www/htaccess
AuthType Basic
DirectoryIndex public.txt
<Files "secret.txt">
require valid-user
FileETag None
Header unset ETag
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
</Files>
<Files "public.txt">
FileETag None
Header unset ETag
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
</Files>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP:Authorization} !=""
RewriteRule ^$ secret.txt [L]
With this, the site behaves as follows:
1) Access the base URL -> see content from public.txt. 2) Access /secret.txt -> prompted to authenticate, and shown the contents of secret.txt. 3) Access the base URL again -> see content from secret.txt.
Using [L,R]
instead of [L]
will use a 302 response to handle the redirection. This is a good option if you want the redirection to be visible in the browser's location field.
<aside>Yes, I realize that this is a very late answer. The question was high in the Google search results, though, so I wanted to detail my approach in case I find myself doing the same search in the future. If anyone else benefits, it's even better.</aside>
Revised answer...I believe you can do this with mod_rewrite. Here is an example I found:
# turn on rewrite engine
RewriteEngine on
# if authorization header is empty (non-authenticated client)
RewriteCond %{HTTP:Authorization} ^$
# redirect to new url
RewriteRule /current/path /new/path
Caveat emptor...I'm not able to test this at the moment. Give it a try though, put this in your .htaccess and change the paths to suit your environment.
You can use http authentication in PHP in addition to Apache (via .htaccess). This might give you more control.
From the manual:
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'Text to send if user hits Cancel button';
exit;
} else {
// do the redirect here?
}
I had the same question and although this is an old thread, I ended up simply using the 401 error document to display a particular page if authentication failed...
ErrorDocument 401 /not-logged-in.php
This seemed to do the trick for me in a simple way.
精彩评论