Home / server / Questions / 87034
Accepted
EMP
Asked: 2009-11-22 19:13:47 +0800 CST

Can Apache be configured to require authentication based on the query string?

  • 772

I've configured basic Apache authentication for certain areas of a website that only administrators should have access to. Most web applications make this convenient by putting their admin pages in a subdirectory, so I configure authentication for the directory, such "/goodapp/admin". The problem is that some applications instead rely on the query string, eg.

/badapp/index.php?page=admin

Is there any way I can configure Apache to require authentication for a URL like this, based on the query string?

apache-2.2

1 Answers

  1. Best Answer

    I did some research on this, but I don't think that Apache will let you match on the query string in a way that will allow you to conditionally require authentication. You could match on a directory or file, but not on items in a query string AFAIK (unless you are doing URL rewriting). This makes sense because you probably don't want application logic sitting in the webserver configuration.

    What you could do is prepend any scripts that have admin capabilities with a check like this:

    $isLoggedIn = array_key_exists('PHP_AUTH_USER', $_SERVER);
if (!$isLoggedIn && $isTryingToUseAdminFeature) {
  // redirect to login.php; this file has two properties:
  // 1) the apache conf requires authentication to access it
  // 2) it redirects the user back from whence they came
}

    The second time around, PHP_AUTH_USER should be set and so $isLoggedIn will be true. Then in your code, you can conditionally display/allow the admin functionality.

    • 1