You are working on a project and you want to protect the beta version with a password so that only allowed people (beta testers) can access it.
You decide not to reinvent the wheel and to use standard HTTP authentication.
The first idea is to use your Apache web server to do this, so you write something like this in .htaccess:
    AuthName "Private zone"
    AuthType Basic
    AuthUserFile /path/to/.htpasswd
    Require valid-user
This solution is simple, and that is why it is good.
A problem arises when a Flash file uploader is added to your project: usually it cannot “log in” to your site, i.e. users are not able to use the Flash file uploader behind the beta login.
Here is how I solved it.
It’s not the web server (Apache) that must solve this, it’s the application server (PHP). So remove the lines above from .htaccess and use Zend_Auth_Adapter_Http in the application instead.
As for the Flash uploader: it sends ‘Shockwave Flash’ as the value of the ‘User-Agent’ request header. So in your Initializer or Bootstrap file (where you load Zend_Auth_Adapter_Http), check this header value, and if it is not Flash’s, go for HTTP authentication.
P.S. Hackers can guess this and fake the header to access your site. To cope with that, use an additional secret request variable (Flash uploaders allow this) and check it on the server side.
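The check described above, written in plain PHP as an added example (not the author's code, and without Zend_Auth_Adapter_Http): a request claiming to be the Flash uploader is accepted only when it also carries the secret variable, and everything else goes through HTTP Basic authentication. The names betaGate, enforce and upload_token, and the sample user and password, are assumptions.

```php
<?php
// Added example; function names, the field name and the sample data are assumptions.
const UPLOAD_TOKEN_FIELD = 'upload_token'; // hypothetical name of the secret request variable

/** Decide how to treat a request: 'allow', 'deny' or 'challenge'. */
function betaGate(array $server, array $post, string $expectedToken, array $users): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    if ($ua === 'Shockwave Flash') {
        // The header alone is forgeable, so the uploader must also present the secret.
        // is_string() rejects array input; hash_equals() compares in constant time.
        $token = $post[UPLOAD_TOKEN_FIELD] ?? '';
        return (is_string($token) && hash_equals($expectedToken, $token)) ? 'allow' : 'deny';
    }
    // Everyone else authenticates with HTTP Basic credentials.
    $user = $server['PHP_AUTH_USER'] ?? null;
    $pass = $server['PHP_AUTH_PW'] ?? '';
    if (is_string($user) && isset($users[$user]) && password_verify($pass, $users[$user])) {
        return 'allow';
    }
    return 'challenge';
}

/** Turn the decision into an HTTP response; call it early in the bootstrap. */
function enforce(string $decision): void
{
    if ($decision === 'challenge') {
        header('WWW-Authenticate: Basic realm="Private zone"');
        http_response_code(401);
        exit('Authentication required');
    }
    if ($decision === 'deny') {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Constructed sample requests, run only from the command line.
if (PHP_SAPI === 'cli') {
    $users = ['tester' => password_hash('s3cret-beta', PASSWORD_DEFAULT)];
    $token = bin2hex(random_bytes(16)); // value the server hands to the uploader
    $flash = ['HTTP_USER_AGENT' => 'Shockwave Flash'];
    $login = ['HTTP_USER_AGENT' => 'Mozilla/5.0', 'PHP_AUTH_USER' => 'tester', 'PHP_AUTH_PW' => 's3cret-beta'];
    echo betaGate($flash, [UPLOAD_TOKEN_FIELD => $token], $token, $users), "\n";
    echo betaGate($flash, [], $token, $users), "\n";
    echo betaGate($login, [], $token, $users), "\n";
    echo betaGate(['HTTP_USER_AGENT' => 'Mozilla/5.0'], [], $token, $users), "\n";
}
```

In the web application the bootstrap would call `enforce(betaGate($_SERVER, $_POST, $token, $users))` before any protected code runs.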