[nycphp-talk] Single-Logon User Authentication, PHP and viewing non-ASCII
soazine at erols.com
Mon Aug 18 15:04:00 EDT 2003
This challenge is beyond me, as seems to be the case.
I am having to set up a user-authentication script that is a basic logon/registration process. The MySQL db captures username, password, and other important fields such as their payment category and isAdmin (if they are an admin on the site). Once stored, they will be able to log in once payment category is '4' (which means 'PAID').
Upon being able to log in, one of the things any user, admin or not, can do is view restricted files in the /web/contents folder. They can view the list or click on a link and view the file itself (assuming it's a URL-friendly file like .txt or .doc or .pdf or something).
Here's where I am totally stuck.
The /web/contents folder must be locked down so that the outside world cannot view it; only authenticated users must view it. Problem is, by doing that I force a double-login, since that would involve using .htaccess on the folder. (Note: I was told MySQL has a means of interfacing with .htaccess; however, that too would fail because the requirements for login involve username, password, isAdmin and payment_category all being set to certain values.)
I thought of locking down the folder to 700 and each script uploaded to 600 (using TCL CGI instead of PHP to do the actual uploading), however, how would I be able to allow for users to VIEW non-ASCII files (like .doc or .pdf)?
Has anyone faced anything like that? If so, please let me know.
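
An added example, not part of the original post: one common way to get a single logon is to deny all direct web requests to the folder and stream each file through a PHP script that checks the session the login page already created. The script name `view.php`, the `file` query parameter and the `$_SESSION` keys are assumptions, as is the PHP process being able to read /web/contents.

```php
<?php
// view.php (hypothetical name): single-logon gatekeeper for restricted files.
// Assumption: the login script stored the user's row in $_SESSION after verifying the password.
session_start();

const CONTENT_DIR   = '/web/contents'; // folder from the post; direct web access to it is denied
const PAID_CATEGORY = '4';             // payment category that means 'PAID' in the post

// Content types for the file kinds mentioned in the post; anything else is refused.
const MIME_TYPES = [
    'txt' => 'text/plain',
    'doc' => 'application/msword',
    'pdf' => 'application/pdf',
];

// True only for a logged-in user whose payment category is PAID (admin or not).
function is_authorized(array $session): bool
{
    return isset($session['username'], $session['payment_category'])
        && (string)$session['payment_category'] === PAID_CATEGORY;
}

// Map a requested name to a real file inside $baseDir, or null if it escapes or is missing.
function resolve_file(string $name, string $baseDir): ?string
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . basename($name)); // basename() drops ../ segments
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() has resolved symlinks, so the result must still sit under the base folder.
    return strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0 ? $path : null;
}

if (!is_authorized($_SESSION)) {
    http_response_code(403);
    exit('Login required.');
}

$name = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
$path = resolve_file($name, CONTENT_DIR);
$ext  = $path === null ? '' : strtolower(pathinfo($path, PATHINFO_EXTENSION));
if ($path === null || !isset(MIME_TYPES[$ext])) {
    http_response_code(404);
    exit('File not found.');
}

header('Content-Type: ' . MIME_TYPES[$ext]);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: inline');
header('X-Content-Type-Options: nosniff');
readfile($path); // streams raw bytes, so .doc and .pdf files arrive intact
```

Links in the file list would then point at `view.php?file=<name>` rather than at the folder itself.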