Can I implement a transparent, PHP-based authentication layer with Apache's help?
Background
I'm looking for a transparent, PHP-driven authentication layer for a web site.
I'm aware of the following simple approaches:
HTTP Authentication
Mechanics:
- Apache controls access rights;
- Attempts to access any file in a given directory transparently require HTTP auth if not already authed.
Downsides:
- Limited configuration options;
- Difficult to integrate with existing user database;
- No control over visual presentation of login prompt.
PHP-based login
Mechanics:
- PHP controls access rights;
- Attempts to access any file explicitly built for the system if not already authed will result in redirection to a login page.
Downsides:
- If I forget to write the required include "login_required.inc.php"; or similar at the top of any PHP file, that file will be accessible by anybody.
What I want
I'd like to implement the PHP-based login solution, but to somehow configure Apache to invoke login_required.inc.php (or similar) transparently as an intermediate step when any PHP file is requested.
This script will:
- run;
- check session variables;
- tell Apache either "yes, produce the requested page" or "no, redirect to the login page";
- not require code to be inserted at the top of every PHP script that requires authentication.
Is this a pipe dream? Or can I do it? And if so, how?
If you rewrite all php requests through index.php, index.php/php would then control access to anything.
RewriteRule ^(.*)$ /index.php?pageid=$1 [QSA,L]
Something like that will push any request to index.php, in which you can do your authentication and then it will farm out the content...
The QSA in this will retain any query string parameters etc.
I think you should restructure your website to use a Front Controller. There's a reason that pretty much every framework uses the FrontController pattern: a single point of access makes your app simpler.
One possibility is to use .htaccess ModRewrite to redirect all requests to, say, login_required.php?redirect=<ORIGINALLY-REQUESTED-SCRIPT>. login_required.php can then perform its magic and do one of the following:
- Present a login form
- include <ORIGINALLY-REQUESTED-SCRIPT>.
- Note that a header("Location: <ORIGINALLY-REQUESTED-SCRIPT>"); will, I believe, merely fall foul of the .htaccess again and cause an infinite redirect loop! Setting the .htaccess ModRewrite directive to only conditionally redirect based on the value of HTTP_REFERER is not secure enough.
This is not the preferred solution, but it's a possibility...
Another possibility:
Have only a single entry-point. Just one file that's accessible from the outside world, like index.php?target=<REQUESTED-SCRIPT>. This one file can contain the authentication logic and include the required script.
All other files would be blocked from external access by .htaccess, or simple file permissions.
This is a good solution, but it would be a large change to update all URLs throughout the existing system.
Edit: Apparently this is called the "Front Controller" pattern.
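As an added example (not code from any of the answers above), here is the front controller that the first and last answers describe: it receives pageid from the RewriteRule, checks the session, redirects to the login page without looping, and includes the target only after confirming it resolves inside the page directory. The RewriteCond, the ../pages directory, $_SESSION['user_id'] and the default page id 'home' are assumptions.

```php
<?php
// Added example, not code from any answer on this page. Assumes the rewrite rule
// from the first answer plus a RewriteCond so real files (index.php, static
// assets) are not rewritten, and that the page scripts live in ../pages
// (assumed), outside the document root, so only this file can reach them:
//   RewriteEngine On
//   RewriteCond %{REQUEST_FILENAME} !-f
//   RewriteRule ^(.*)$ /index.php?pageid=$1 [QSA,L]
declare(strict_types=1);
session_start();
const PAGES_DIR  = __DIR__ . '/../pages'; // assumed location of the page scripts
const LOGIN_PAGE = 'login';               // the only page served without a session

// Map a user-supplied page id onto a file under PAGES_DIR. Returns null for
// anything that does not resolve to a .php file inside that directory, which
// closes the traversal / local-file-inclusion hole of include($_GET['pageid']).
function resolvePage(string $pageId): ?string
{
    $pageId = trim($pageId, '/') ?: 'home';
    // Only slug-like ids: letters, digits, '_', '-', '/'. No dots, no NUL bytes.
    if (!preg_match('#^[a-z0-9_/-]+$#i', $pageId)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $pageId . '.php');
    // realpath() fails for missing files and resolves symlinks; the prefix
    // check then guarantees the file really sits under PAGES_DIR.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$pageId   = trim((string)($_GET['pageid'] ?? ''), '/');
$loggedIn = isset($_SESSION['user_id']); // set by pages/login.php on success
if (!$loggedIn && $pageId !== LOGIN_PAGE) {
    // No redirect loop: /login is routed here too, but is served without a session.
    $_SESSION['after_login'] = '/' . $pageId;
    header('Location: /' . LOGIN_PAGE, true, 302);
    exit;
}

$file = resolvePage($pageId);
if ($file === null) {
    http_response_code(404);
    exit('Not found');
}
require $file;
```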