Background
I'm looking for a transparent, PHP-driven authentication layer for a web site.
I'm aware of the following simple approaches:
HTTP Authentication
Mechanics:
- Apache controls access rights;
- Attempts to access any file in a given directory transparently require HTTP auth if not already authed.
Downsides:
- Limited configuration options;
- Difficult to integrate with existing user database;
- No control over visual presentation of login prompt.
PHP-based login
Mechanic开发者_如何学Gos:
- PHP controls access rights;
- Attempts to access any file explicitly built for the system if not already authed will result in redirection to a login page.
Downsides:
- If I forget to write the required
include "login_required.inc.php";
or similar at the top of any PHP file, that file will be accessible by anybody.
What I want
I'd like to implement the PHP-based login solution, but to somehow configure Apache to invoke login_required.inc.php
(or similar) transparently as an intermediate step when any PHP file is requested.
This script will:
- run;
- check session variables;
- tell Apache either "yes, produce the requested page" or "no, redirect to the login page";
- not require code to be inserted at the top of every PHP script that requires authentication.
Is this a pipe dream? Or can I do it? And if so, how?
If you rewrite all php requests through index.php, index.php/php would then control access to anything.
RewriteRule ^(.*)$ /index.php?pageid=$1 [QSA,L]
Something like that will push any request to index.php, in which you can do your authentication and then it will farm out the content...
The QSA in this will retain any query string parameters etc.
I think you should restructure you website to use a Front Controller. There's a reason that pretty much every framework uses the FrontController pattern: single point of access makes your app simpler.
One possibility is to use .htaccess
ModRewrite
to redirect all requests to, say, login_required.php?redirect=<ORIGINALLY-REQUESTED-SCRIPT>
.
login_required.php
can then perform its magic and do one of the following:
- Present a login form
include
<ORIGINALLY-REQUESTED-SCRIPT>
.- Note that a
header("Location: <ORIGINALLY-REQUESTED-SCRIPT>)";
will, I believe, merely fall foul of the.htaccess
again and cause an infinite redirect loop! Setting the.htaccess
ModRewrite
directive to only conditionally redirect based on the value ofHTTP_REFERER
is not secure enough.
- Note that a
This is not the preferred solution, but it's a possibility...
Another possibility:
Have only a single entry-point. Just one file that's accessible from the outside world, like index.php?target=<REQUESTED-SCRIPT>
. This one file can contain the authentication logic and include
the required script.
All other files would be blocked from external access by .htaccess
, or simple file permissions.
This is a good solution, but it would be a large change to update all URLs throughout the existing system.
Edit Apparently this is called the "Front Controller" pattern.
精彩评论