http headers and mod_auth_radius for apache

Posted: Tue Aug 30, 2005 6:49 am
by GarethAyres
Hello all,
I have a web server with Apache 2 and mod_auth_radius installed along
with PHP. I am using the Apache authentication with RADIUS to control
access to PHP scripts in certain directories. This all works fine,
but...

I now want to get the username of the person who has logged into the
restricted areas for accounting reasons. I have been told by the writer
of mod_auth_radius.c that the info is passed in the headers.

I have tried the following code to find the username, but have not been
able to.

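Code:

<?php
// Dump every request header Apache passed to PHP.
$reqheaders = apache_request_headers();
echo "<b>Request Headers</b><br />";
foreach ($reqheaders as $header => $value) {
    // Escape client-supplied values before echoing them into HTML.
    echo htmlspecialchars("$header: $value") . " <br />\n";
}

// Dump the response headers set so far.
echo "<b>Response Headers</b><br />";
$resheaders = apache_response_headers();
foreach ($resheaders as $header => $value) {
    echo htmlspecialchars("$header: $value") . " <br />\n";
}

// Show the RADIUS cookie value, if one was sent.
if (isset($_COOKIE["RADIUS"])) {
    echo "RADIUS Cookie set -  " . htmlspecialchars($_COOKIE["RADIUS"]) . "!<br />";
}

// Print the name of every cookie received.
foreach ($_COOKIE as $key => $value) {
    echo htmlspecialchars($key);
}
?>

This returns: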

Code:

Request Headers
Accept: */*
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: xxxxx:8443
Connection: Keep-Alive
Cookie: RADIUS=a861dbbdb19r6e0be985d13e08bd6fda430edbda
Authorization: Basic bHFheXJlZ2o6ZeJpZGF5Mw==
Response Headers
X-Powered-By: PHP/4.4.0
RADIUS Cookie set - a861dbbdb19r6e0be985d15d08bd6fda437edbda!
RADIUS
(I have modified some values in case I am inadvertently sending my
username/password over the list)

So, is there a header I am missing? Are there other ways to get headers?
Or is it possible that the info is not in the header but set in some
kind of hash in the cookie? That's all I can think of.

Any help appreciated,
Gareth.

Posted: Tue Aug 30, 2005 7:57 am
by feyd
The information is either in that hash, which is not fun to "decrypt" (read brute force), or stored elsewhere with a reference to that hash being associated with them. At any rate, you'll require data outside of the headers to figure out which user it is.
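
The request dump in the first post includes an Authorization: Basic header, which under HTTP Basic authentication (RFC 7617) is the base64 encoding of user-id:password. The following is an added example, not code from either poster or from mod_auth_radius: it extracts only the user-id for accounting and never keeps the password. The function names and sample credentials are hypothetical, and it assumes Apache exposes the authenticated name as REMOTE_USER or PHP_AUTH_USER when it is available.

```php
<?php
/**
 * Return the user-id from a Basic Authorization header value, or null if the
 * value is not well-formed Basic credentials (RFC 7617: base64("user:pass")).
 * Hypothetical helper written for this example.
 */
function basic_auth_username($headerValue)
{
    // The scheme name is case-insensitive; the credentials follow the space.
    if (!preg_match('/^Basic +([A-Za-z0-9+\/]+={0,2})$/i', trim((string) $headerValue), $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);   // strict mode rejects stray characters
    if ($decoded === false) {
        return null;
    }
    $colon = strpos($decoded, ':');          // user-id cannot contain ':', the password may
    if ($colon === false || $colon === 0) {
        return null;
    }
    $user = substr($decoded, 0, $colon);     // the password part is discarded here
    // Refuse control characters so the name cannot forge lines in an accounting log.
    if (preg_match('/[\x00-\x1F\x7F]/', $user)) {
        return null;
    }
    return $user;
}

/** Prefer the name the server authenticated; fall back to parsing the header. */
function authenticated_username(array $server, array $headers)
{
    foreach (array('REMOTE_USER', 'PHP_AUTH_USER') as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }
    foreach ($headers as $name => $value) {
        if (strcasecmp($name, 'Authorization') === 0) {
            return basic_auth_username($value);
        }
    }
    return null;
}

// Constructed sample credentials (not the values from the post).
$sample = 'Basic ' . base64_encode('alice:correct horse');
var_dump(basic_auth_username($sample));
var_dump(basic_auth_username('Basic not*base64'));
var_dump(authenticated_username(array(), array('authorization' => $sample)));
```

The header fallback is only meaningful in directories where Apache has already enforced authentication; elsewhere the header is client-supplied and unverified.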