Bypassing htaccess Login Prompt

I thought I would give this a shot. What I have is a login script where the user logs in through a php page and 2 session variables are set (uname and pword). What I would like to do is use mod_rewrite (i think) to have them logged into an .htaccess directory without getting the login prompt from apache. I've been searching the net for 2 days when i had time, but haven't found a qualified link. I did find some articles saying that it can be done, but no examples were linked. My question, do you know of a sample code link to do this or have a snippet to give me an idea of how this is done?

I would definately think you can do this using CURL and php. Please elaborate more on what you mean when you say "logged into an .htaccess directory", and what are the 2 session variables for? the username and password I know, but what database are they being validated against... a .htpasswd file? a mysql database?

What happens is that the member logs into a membership program (which starts $_SESSION ["uname"] and $_SESSION ["pword"]. Once logged in they are directed to a screen that shows them the protected directories that they are allowed to visit. They then click that link and it takes them to the directory and the apache login prompt asks them AGAIN for the username and password which is stored in the .htpasswd as well as the database.

What I want to do is bypass the 2nd (apache login) prompt and give them direct access using the $_SESSION variables. But meanwhile keeping the .htaccess file to stop others from gaining access or linking directly to that directory and if no $_SESSION variables are present, utilize the apache login prompt. Hope that makes sense.

Yes that makes a lot of sense and I can see why you want to do this.

I am sure I can come up with a solution for ya, I'll test some stuff in a couple hours when I get off work.

Ok Squid I found a solution for ya! Coincidentally, I have been meaning to find out how to do this myself for quite some time, and its an awesome little trick.




You can implement this code on your site if you can figure it out! I am going to be writing a whole article on this solution though so stay tuned.

Also read this article, though it may be confusing.. I'm writing an article about this at

Tricks for controlling htaccess Basic Authentication with PHP and mod_rewrite

Let me know if you are still interested Squid.

I read the article and yes it was confusing. Then i read your article and am still a little confused. Halfway down your article, you mention to have a CURL php file and then right under that, you have

You can use a handler setup in .htaccess. You could code:

in your .htaccess file.

Does that mean, I just add the above quote to my .htaccess file which will redirect the user to a "secure.php" file (somewhere on my system OR does it actually have to be in the protected directory?) where I verify the users authentification. I'm assuming this file would be a true/false type where true would let them in and false would redirect to "Forbidden" error? Or am I way off.

I haven't had a chance to try anything yet, been real busy. But yes, I am definately still interested.

I've tried a few things, but nothing has worked so far.... Still Interested!

Sorry about getting off the project for a while, but i now need to get this part fixed in order to proceed with the project. I have been going over the article you wrote and many other things and am still lost as how to implement this.

As part of your article you also mention 20 lines of code rather than C/C++, but I have been unable in the last 2 weeks to figure out how to put together the other 18 lines that go with the mywrapper portion.

Could somebody enliten me a little as to how this comes together, please.

Hey bro I did end up figuring this out, you can read about the solution on my blog: Log all .htaccess/.htpasswd logins but any questions just ask here..

That article doesn't seem to apply to the OP's dilema... it shows the capture of .htaccess attempts, but doesn't answer the problem.

I'm in the same boat as the original poster.. I have people logged in to a secure PHP session, and I want them to automatically have access to files in an .htaccess protected directory.

One general concept I have for a solution would be a call of some kind to a file in the protected directory that contains a pass-thru login to a generic username/password. That call would set or otherwise trigger the establishment of the authorized htaccess session. The username/password would not be visible to anyone, of course (am I dreaming?).

So, psuedo-visually:

PHP variables ---> .htaccess session ---> accepted session for access to files in protected directory

I can find nothing to force this "accepted session" without having to type into a server provided .htaccess login prompt. Seems like there should be a way to do it.

There is no way.

If you want them to be able to access the files you could set up a fsockopen or fopen or curl or snoopy file that would act as an intermediary between the protected files and a logged in user. To do that you would have them request curl.php?file=the_file_to_download and in curl.php you would only allow php session logged in users to use the curl.php file. Then using snoopy, curl, fsockopen, fopen, etc.. you would make the request include the correct base64 encoded username/password to access the protected files. So the users would never actually request the protected files directly, they will go through the curl.php file.

Or you could easily set a special cookie for users that have successfully logged into php and then using mod_rewrite you could only allow access to the files for users with that special cookie.

There are a few ways to do this but all of them cover advanced methodologies and topics.