htpassword woes...
July 15, 2010 8:41 AM Subscribe
How do I use htaccess to manage user access across multiple sites with the same code base...?
The backstory...
I have a site which does various cool things. Lets call it "coolthings.tld"
There are several different versions of this site. Each one is a different subdomain, pointing to a different folder on the server. ie, my.coolthings.tld is in the folder coolthings_my and your.coolthings.tld is in the folder coolthings_your.
This was a bad idea when I was talked into it. With a few codebase changes, it's becoming a major headache. So I've been merging the code bases back together.
All is fantastic, and I have everything using the subdomain to select database tables and templates directories perfectly. But then I get to password protection...
The problem...
The old site(s) have a simple htaccess thing going on with an htpassword file. And it works nicely.
On the new site, I'd much rather keep the htaccess protection method, but aim it at a mysql database.
I've looked at pages like this one and it all makes sense if you're using it for one site. But I don't see how I can expand the technique to work across multiple subsites.
What I need, I think, is a way to say "if the servername is this, use this database" or maybe "my passwords table has three columns, user, pass and servername, make sure they all match".
Is this doable, or am I barking up completely the wrong tree?
The backstory...
I have a site which does various cool things. Lets call it "coolthings.tld"
There are several different versions of this site. Each one is a different subdomain, pointing to a different folder on the server. ie, my.coolthings.tld is in the folder coolthings_my and your.coolthings.tld is in the folder coolthings_your.
This was a bad idea when I was talked into it. With a few codebase changes, it's becoming a major headache. So I've been merging the code bases back together.
All is fantastic, and I have everything using the subdomain to select database tables and templates directories perfectly. But then I get to password protection...
The problem...
The old site(s) have a simple htaccess thing going on with an htpassword file. And it works nicely.
On the new site, I'd much rather keep the htaccess protection method, but aim it at a mysql database.
I've looked at pages like this one and it all makes sense if you're using it for one site. But I don't see how I can expand the technique to work across multiple subsites.
What I need, I think, is a way to say "if the servername is this, use this database" or maybe "my passwords table has three columns, user, pass and servername, make sure they all match".
Is this doable, or am I barking up completely the wrong tree?
If you're attached to .htaccess, keep using that.
Once the httpd server has the user authenticated as you are currently, in your code you may fetch the authenticated username from the httpd session and use that as the piece of data you use to query the database for user or role specific permission throughout your application(s).
posted by csmason at 10:06 AM on July 15, 2010
Once the httpd server has the user authenticated as you are currently, in your code you may fetch the authenticated username from the httpd session and use that as the piece of data you use to query the database for user or role specific permission throughout your application(s).
posted by csmason at 10:06 AM on July 15, 2010
That's not going to work unless you want to let the HTTP authentication succeed only to later send a 'logon failed' error page from the application, and if you're going to do that you may as well just skip the HTTP auth step entirely. Besides, you'd have an uneven user experience: if you entered completely unknown credentials you'd get the HTTP auth error message, whereas if you gave valid site_my credentials while accessing site_your you'd get the application error message.
posted by Rhomboid at 10:19 AM on July 15, 2010
posted by Rhomboid at 10:19 AM on July 15, 2010
No reason you can't have your application send a 401 HTTP response if it's a valid but unauthorized set of credentials, which would even out the user experience. Not touching the rest of this debate though.
posted by vsync at 11:34 AM on July 15, 2010
posted by vsync at 11:34 AM on July 15, 2010
How is your Apache built? Instead of mod_auth_mysql you can use mod_perl, and subclass Apache::AuthDBI to overload authen() — then you can include $r->hostname in the lookups either as the database name or in the query.
posted by nicwolff at 4:04 PM on July 15, 2010
posted by nicwolff at 4:04 PM on July 15, 2010
This thread is closed to new comments.
If you really want HTTP auth, then you could break apart the site back into two virtual hosts with separate document roots and then use cross-link all the files in the tree so that there's only one actual copy. I don't think you're going to make any progress by trying to get the auth modules to look up a hostname. As a further refinement, you could try having the second docroot contain a single subdir that's a symlink to the root of the first docroot, and in the .htaccess file use mod_rewrite to prepend that subdir internally to all requests. This will only work if you do the mod_rewriting from .htaccess and not from the main .conf file because of the ordering goes rewriting -> authentication -> fixup phase, with rewriting in .htaccess done through the fixup phase.
posted by Rhomboid at 9:24 AM on July 15, 2010