Please help - How do I get Windows user login data?

Posted: Tue Oct 19, 2004 5:13 am
by optimus
I need to be able to check the username and password that the user has logged into Windows 2000 with. I know this is possible using ASP but I can't find anything about it using PHP. Has anyone done this before or know of any tools which do this?
Any help would be greatly appreciated!

Posted: Tue Oct 19, 2004 5:55 am
by Weirdan
I doubt you can get system password in plaintext from any application. As for username, it's usually accessible via $_ENV['USERNAME'].

Posted: Tue Oct 19, 2004 6:05 am
by optimus
I don't expect to get their actual password in plaintext but in an encrypted format which I can just parse against their password in a DB. The idea is to have a single sign in process whereby when the user logs in to Windows and when they start the application that the application authenticates the user based on the Windows username and password!

Posted: Tue Oct 19, 2004 7:10 am
by m3mn0n
win32api (PHP manual)

Posted: Tue Oct 19, 2004 7:35 am
by kettle_drum
Well, is there any easy way to fake your username so that you can pretend to be a different Windows user on your site? Security is a trade-off between cost of protection, and the price of what you're protecting. It sounds like you're simply coding an intranet site - maybe for a school or office. Is the data on this site valuable?

If not you could just assume that the user is who they say they are, and therefore don't need to enter a password - if they have managed to log onto the computer - they are good to go.

Can you use the IP to identify people instead? E.g. have a startup script run on the computer at login that adds the username that logged onto the computer and that computer's IP address - then you know that 10.0.0.9 is in fact 'jblogs'.

If you're not forcing the users to re-identify themselves on the site, the data can't be that important - people often leave computers logged on, and so anybody could walk up to it and get on this site as that user.

Just a few ideas.

Posted: Tue Oct 19, 2004 8:04 am
by optimus
w32api might work if PHP was running on the client but the PHP is running on the server and so that just returns me the username of the server which I don't want. I need to find a way to run that on the client side --- not sure if it's possible using PHP

Posted: Tue Oct 19, 2004 8:12 am
by optimus
kettle_drum: Faking identity is not an option - content is dependent on who the user is! It does force them to re-identify themselves on every page and the data is very important. Having a script at startup is something I don't want for security reasons. It looks like I'll have to add some VB script or something for checking the userdata.
Thanks for the input though!

Posted: Tue Oct 19, 2004 8:18 am
by m3mn0n
Remember, PHP is server-side. PHP doesn't communicate with the client machine at all.

You'd need some sort of Flash program/Java applet to do this for you, and then send the variable to PHP to be processed on the server-side.

Posted: Tue Oct 19, 2004 9:37 am
by Weirdan
Sami wrote:
> Remember, PHP is server-side. PHP doesn't communicate with the client machine at all.
>
> You'd need some sort of Flash program/Java applet to do this for you, and then send the variable to PHP to be processed on the server-side.

Nope. You just need IE to do that :) It's called NTLM authentication.

optimus, what server software do you use? Apache, IIS, something else?

Posted: Tue Oct 19, 2004 10:20 am
by optimus
It's IIS, Weirdan.
I've heard that Internet Explorer stores this info somewhere but haven't had any luck finding out about it. Is that what NTLM authentication is??

Posted: Tue Oct 19, 2004 10:31 am
by optimus
All I really want to do is get the NT login details - which shouldn't be that complicated! Any methods I've looked at so far have been complete authentication systems (Radius authentication, LDAP etc.). Surely there is an easier way of getting this data!

Posted: Tue Oct 19, 2004 10:32 am
by Weirdan
Sort of. According to MSDN if IIS server authenticates the user against the domain successfully it sets $_ENV['REMOTE_USER']. Hence you don't need to store password in any form because you can't trust REMOTE_USER variable. You'll need to configure your IIS to require user to be authenticated though.
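
Added example, not part of any post in this thread: a PHP sketch of consuming the identity IIS sets after integrated Windows (NTLM/Negotiate) authentication, rejecting requests where anonymous access left the variable empty. The function name, the `EXAMPLE` domain, the character allow-list and the choice to pass `$_SERVER` are assumptions made for illustration; the sample requests are constructed.

```php
<?php
declare(strict_types=1);

// Assumed policy for this example: only integrated Windows schemes are accepted.
const ACCEPTED_AUTH_TYPES = ['NTLM', 'Negotiate'];
const EXPECTED_DOMAIN = 'EXAMPLE'; // placeholder NetBIOS domain name

/**
 * Return ['domain' => ..., 'user' => ...] for a request the web server has
 * already authenticated, or null if the request must be refused.
 * Hypothetical helper; in a page you would call windows_identity($_SERVER)
 * and answer 401/403 on null.
 */
function windows_identity(array $server): ?array
{
    // The server fills these in only after the handshake succeeds. If
    // anonymous access is still enabled in IIS, both are empty strings.
    $authType = (string)($server['AUTH_TYPE'] ?? '');
    $remote   = trim((string)($server['REMOTE_USER'] ?? ''));
    if ($remote === '' || !in_array($authType, ACCEPTED_AUTH_TYPES, true)) {
        return null;
    }
    // Integrated authentication reports the account as DOMAIN\username.
    $parts = explode('\\', $remote);
    if (count($parts) !== 2) {
        return null;
    }
    [$domain, $user] = $parts;
    // Conservative allow-list (an assumption) before the name reaches a DB lookup.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,15}\z/', $domain)
        || !preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $user)
        || strcasecmp($domain, EXPECTED_DOMAIN) !== 0) {
        return null;
    }
    return ['domain' => strtoupper($domain), 'user' => strtolower($user)];
}

// Constructed sample requests (not captured from a real server).
$samples = [
    'integrated auth'   => ['AUTH_TYPE' => 'Negotiate', 'REMOTE_USER' => 'EXAMPLE\\jblogs'],
    'anonymous allowed' => ['AUTH_TYPE' => '', 'REMOTE_USER' => ''],
    'other domain'      => ['AUTH_TYPE' => 'NTLM', 'REMOTE_USER' => 'OTHER\\jblogs'],
];
foreach ($samples as $label => $server) {
    $id = windows_identity($server);
    echo $label, ': ', $id ? $id['domain'] . '\\' . $id['user'] : 'rejected', PHP_EOL;
}
```

The identity comes only from variables the server sets after authentication; a username posted by a form, script or applet in the browser carries no such guarantee.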