htaccess/php/sess/recording

I need to have restricted access to a site but I also want to record who's logging in.
I want to write who did log into the website into mysql but I don't want to have to access mysql to get access to the site (should that fail) and if the log fails for any reason I don't care that much.
So my thought was just to use htaccess/hpasswd and manage that with deadlock or whatever, that's easy but how can I log who did log in?
Is there a way to get that into the logs and I can scan that with a cron?
Or do I need to write a php login using the htpassword file and only write a record to mysql when a session is created. I don't want to modify every stinking application/directory so I guess I would have to do a AddHandler for .html php etc etc and the php would be "eek" and have to do a force application type on eek to php so it doesn't loop forever?
Am I dope is there just an easy way to do this without having to write the code and do it this convoluted way?
So simple (no credit cards here, no-one on life support) access control with logging but not having to hack into phpbb, gallery, and every other bleeking thing to do this.

Ok so that post is a bust how about this....

How do you do php htaccess/passwd access when (as here) php is cgi.
No I don't want to change that and I don't want to log in for every access because it doesn't remember me.

http://www.besthostratings.com/articles/http-auth-php-cgi.html demonstrates a workaround methodology. Yeah Google!

--rlparker

Yeah google, but garbage in garbage out, that doesn't work.

This works. Tested for DreamHost Apache 2 running php-cgi.


Process Request

client -> GET /
server -> set REMOTE_USER=user
          set REDIRECT_REMOTE_USER=REMOTE_USER if 401 errordocument
          show errordocument 401 if invalid user/pass
          errordocument 401 requests user pass with "Authorization Required"
          401 sends Header- 'WWW-Authenticate: Basic ream="AskApachePass"'       
client -> GET / 
          send username and password with 
          Header- 'Authorization: Basic (base64_encoded username:password)'         
server -> (repeats until authorized)

2 .htaccess tricks required
1. a custom 401 ErrorDocument specifying a php file (logger).
2. pass along the clients username using mod_rewrite.

.htaccess

ErrorDocument 401 /log-htpasswd.php

# BEGIN AskApache Password Protect
AuthName "AskApachePass"
AuthUserFile /.htpasswd
AuthGroupFile /dev/null
AuthType Basic
Require valid-user
# END AskApache Password Protect

RewriteEngine On
RewriteBase /
RewriteCond %{ENV:REDIRECT_STATUS} ^401$
RewriteRule .* - [E=REMOTE_USER:%{ENV:REDIRECT_REMOTE_USER}]

log-htpasswd.php

<?php
define('LOGINS_LOG','/home/user/log-htpasswd.log');

if(isset($_ENV['REDIRECT_REMOTE_USER']) && !empty($_ENV['REDIRECT_REMOTE_USER'])){
 $fp = fopen(LOGINS_LOG, 'a ');
 fwrite($fp, $_ENV['REDIRECT_REMOTE_USER']);
 fclose($fp);
}

ob_start();
header("HTTP/1.1 401 Authorization Required",1);
header("Status: 401 Authorization Required",1);
echo '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>401 Authorization Required</title></head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>';
exit;
exit();
?>

example log-htpasswd.log
just a list of usernames attempted

username1
tom
rcowen
askapache
dreamhost
dreamadmin

All you need to do now is add mysql commands to log-htpasswd.php... And you should tighten the security for log-htpasswd.php to only allow from from server for redirects to secure against crackers and hackers. more .htaccess tricks



_____

 _  _|  _  _  _  _|_  _
(_|_|<(_||_)(_|(_| |(/_
          |