Question: I've got a config.php file in my cms with some define's. I want to have a flag in my config.php:
define('PROTECTED', true);
And than protect my page directory using htaccess, and htpasswd only if PROTECTED.
What should be great is to have user and pass also stored in config.php:
define('PROTECTED', true);
define('PROTECTED_USER', 'user');
define('PROTECTED_PASS', 'pass');
And than transfer them into htpasswd or htaccess somehow... As a matter of fact, the config.php is a page config, and password protection is of course a page config, so they should be in the same place.
Rejected solution: I've come with an idea, to implement (below a snippet of the most simpliest code possible only to sketch the idea) 401 in my..., let's name it index.php:
index.php:
// Config file
require_once("config.php");
// Password protected?
$user = (isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : "");
$pass = (isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : "");
if (!PROTECTED || (PROTECTED && $user == PROTECTED_USER && $pass == PROTECTED_PASS)) {
// RenderPage
}
else {
header('WWW-Authenticate: Basic realm="Authorisation required"');
header('HTTP/1.0 401 Unauthorized');
exit;
}
But it only blocks index.php and "page engine", and not for example images stored in /layout/images/top_secret.jpg, and if someone knows the path, the file isn't protected.
Of course, U can redirect ALL traffic to index.php using .htaccess, and implement a special gate for jpg, css and other normal files. It should read the header of the file, set header, and use file_put_contents. But this is not memory efficient, and personally I think it is a stupid solution :). It is better to leave it outside config.php, than in that way...
Thx for Your time :).