开发者

How to redirect to specific page if not logged in with .htaccess

I am running apache2 and php5 in my Windows PC.

I have protected my directory using .htaccess and.htpasswd. If login information is not set, or if the username-password combination is not correct, the browser will prompt for a username and password box by default, if user tries to access protected dir.

But I开发者_C百科 want to redirect the user to a specific address or url. In short, I want to redirect user instead of displaying the HTTP basic authentication dialog. How can I make this possible?


Answer explanation :

You need to implement a custom authentication, natively you can not redirect on authentication fail.

Solution :

A custom ErrorDocument implementation using an HTML meta tag to make the redirection possible on authentication fail and let the user access the protected area on authentication success (The server will always cast out a 401 on first load before entering the user and password because the browser is not expecting such authentication in the first place and get refused the access)

    AuthUserFile /path/to/users
    AuthName "Access Denied"
    AuthGroupFile /dev/null
    AuthType Basic
    Require valid-user

    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=/failed.html\"></html>"

Alternative I :

Since Apache 2.4. you can use mod_auth_form with htaccess to make an advanced authentication and use a more reliable solution

http://httpd.apache.org/docs/trunk/mod/mod_auth_form.html

Alternative II :

Use a php to handle 401 ErrorDocument 401 /handle.php

http://php.net/manual/en/features.http-auth.php

Extended Security :

    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=/kickout.php\"></html>"
    ErrorDocument 400 /kickout.php
    ErrorDocument 403 /kickout.php
    ErrorDocument 500 /kickout.php
    Deny from all
    Allow from 192.200.x.x
    Allow from 192.200.x.x
    Allow from 127.0.0.1
    Allow from localhost


I got this to work with an approach similar to AJ's. My .htaccess file is very similar to the following:

AuthUserFile /opt/www/htaccess
AuthType Basic

DirectoryIndex public.txt

<Files "secret.txt">
    require valid-user
    FileETag None
    Header unset ETag
    Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
    Header set Pragma "no-cache"
    Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
</Files>

<Files "public.txt">
    FileETag None
    Header unset ETag
    Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
    Header set Pragma "no-cache"
    Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
</Files>

RewriteEngine On
RewriteBase /

RewriteCond %{HTTP:Authorization} !=""
RewriteRule ^$ secret.txt [L]

With this, the site behaves as follows:

1) Access the base URL -> see content from public.txt. 2) Access /secret.txt -> prompted to authenticate, and shown the contents of secret.txt. 3) Access the base URL again -> see content from secret.txt.

Using [L,R] instead of [L] will use a 302 response to handle the redirection. This is a good option if you want the redirection to be visible in the browser's location field.

<aside>Yes, I realize that this is a very late answer. The question was high in the Google search results, though, so I wanted to detail my approach in case I find myself doing the same search in the future. If anyone else benefits, it's even better.</aside>


Revised answer...I believe you can do this with mod_rewrite. Here is an example I found:

# turn on rewrite engine
RewriteEngine on
# if authorization header is empty (non-authenticated client)
RewriteCond %{HTTP:Authorization} ^$
# redirect to new url
RewriteRule /current/path /new/path

Caveat emptor...I'm not able to test this at the moment. Give it a try though, put this in your .htaccess and change the paths to suit your environment.


You can use http authentication in PHP in addition to Apache (via .htaccess). This might give you more control.

From the manual:

if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    // do the redirect here?
}


I had the same question and although this is an old thread, I ended up simply using the 401 error document to display a particular page if authentication failed...

ErrorDocument 401 /not-logged-in.php

This seemed to do the trick for me in a simple way.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜