Reputation: 57
How do I correctly load and HTML embed password protected files?
I have an Apache password-protected directory filled with text files and movie files. Currently, I load the contents of the text files using cURL, passing the username and password information with CURLOPT_USERPWD. For the movies, I set the OBJECT and EMBED src's to http://username:[email protected]/file.mov. In both cases, the username and password are pulled from $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'], respectively. If that does not work, then the user is prompted to provide new credentials with a generic HTTP auth pop-up.
Is there a more proper way to do this? Or is embedding password-protected movies just a buggy/bad idea?
The above method results in two (related?) problems. First, (as far I can tell) randomly, it seems that the username:password@ part is not passed when embedding the movie, and thus the user is forced to enter their credentials again. This rarely occurs, and is only annoying, but would be nice to fix.
Second, this causes Safari under Snow Leopard to crash. Safari, without fail, prompts the user for credentials, then freezes. Non-password-protected movies (or moving the password-protected movies to a non-password-protected directory) load fine. This problem did not exist pre-Snow Leopard, but I haven't tested it on older versions of Safari under Snow Leopard, so it could be one of the recent updates broke it.
NOTE: Moving to another login system (thus negating the issue) sadly is not possible since other programs that use the files require Apache password protection.
Upvotes: 2
Views: 2179
Answers (1)
Reputation: 45829
Are you on a secure connection? Otherwise it looks as if the username/password are open to prying eyes?
I would tend towards having a server side script (eg. serve_content.php) that manages the serving of your protected content. And link to it something like:
src="serve_content.php?id=1234"
serve_content.php checks that the user is logged in. Identifies the file from the passed id (which masks the true location of the protected content), so '1234' might be 'mymovie.avi'. And sends the file to the client. eg. using readfile() with the appropriate headers.
The Apache password-protected directory acts to prevent unauthorised direct access. If you were logging your users in by some other method, then no user would be able to access the file directly, only via serve_content.php.
Upvotes: 2
Related Questions
- Full password protected website
- Require password to view webpage [jQuery, JavaScript, or PHP]
- Password protecting a webpage with PHP
- Password protect automatically generated .html files
- Embedding htaccess password dialogue in a webpage (w PHP)
- How can I secure certain HTML pages with a password?
- Password Protecting A Webpage
- Making a downloadable file password protected on webpage
- PHP - Access to a password protected page
- password protected file associated with a hyperlink