php HTTP authorize without prompt box

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


knagode
Forum Newbie
Posts: 5
Joined: Sat Feb 18, 2006 6:25 pm

php HTTP authorize without prompt box

Post by knagode »

Hi!

I wonder if there is a possibility to authorize a user (using something like HTTP authorization) to view a secured folder without typing the username and password into the prompt box.

e.g.: On the server I have a folder which requires authorization. I also have a script like login.php (outside the restricted folder, of course). Now I would like to do something like this:

// compare with ==, not = (a single = would assign and always succeed)
if($_POST["user"] == "bla bla" && $_POST["pass"] == "bla bla"){
    // hypothetical helper: grant this session access to the restricted folder
    authorize_user_for_restricted_folder("username", "password");
}
One simple way to do this is to open a URL like http://user:pass@domainname.com with user/pass, but that bothers me, as the browser then tells me that I am about to authorize.


Does someone know a good solution?


p.s. something like getfile.php?file=img.jpg wouldn't work in my case.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

You can mod_rewrite stuff to go through a script that uses PHP sessions
knagode
Forum Newbie
Posts: 5
Joined: Sat Feb 18, 2006 6:25 pm

Post by knagode »

Yep. It is a good solution, but I don't like it as it works only on Apache.

I wonder if my problem could be solved with header();
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

You could put PHP directly in each file as long as you send the right content-type headers (and have PHP parse those file extensions)
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

If you don't want to use the HTTP authorisation stuff, you need to place the authorisation routines in each and every file in that directory.
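The approach josh and AGISB describe (a session set by login.php, and an authorisation check at the top of every file in the restricted folder, with the file sending its own Content-Type) looks like this in practice. This is an added example, not code from the thread or from any poster: the file names login.php, auth_guard.php and restricted/report.php, the admin user name and the ADMIN_HASH placeholder are all assumptions. It needs nothing beyond PHP itself, so it is not tied to Apache or mod_rewrite.

```php
<?php
// Added example: session-based gate for a restricted directory.
// Three files are shown in one listing; each "---- file:" comment starts a new file.
// File names, the admin user name and the hash value are assumptions.

// ---- file: login.php (outside the restricted folder) ----
ini_set('session.cookie_httponly', '1');   // cookie not readable from JavaScript
ini_set('session.use_strict_mode', '1');   // reject session ids the server did not issue
session_start();

const ADMIN_USER = 'admin';
// Placeholder: generate once with password_hash('your-passphrase', PASSWORD_DEFAULT)
// and store the result in configuration; the plaintext is never kept on the server.
const ADMIN_HASH = '$2y$10$PLACEHOLDER_HASH_REPLACE_ME';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = $_POST['user'] ?? '';
    $pass = $_POST['pass'] ?? '';

    // hash_equals and password_verify both compare in constant time, so the
    // response timing does not reveal how much of the credential matched.
    if (hash_equals(ADMIN_USER, $user) && password_verify($pass, ADMIN_HASH)) {
        session_regenerate_id(true);          // new id on login: defeats session fixation
        $_SESSION['authenticated'] = true;
        $_SESSION['user'] = $user;
        header('Location: /restricted/report.php');
        exit;
    }

    http_response_code(401);                  // same answer for bad user and bad password
    header('Content-Type: text/plain');
    echo "Login failed\n";
    exit;
}
// A GET would render the HTML form posting "user" and "pass"; omitted here.

// ---- file: private/auth_guard.php (outside the web root, required by every protected file) ----
ini_set('session.cookie_httponly', '1');
ini_set('session.use_strict_mode', '1');
session_start();

if (empty($_SESSION['authenticated'])) {
    // Runs before any output, so an unauthenticated request never sees the body.
    http_response_code(403);
    header('Content-Type: text/plain');
    echo "Forbidden\n";
    exit;
}

// ---- file: restricted/report.php (one of the files in the protected folder) ----
require __DIR__ . '/../private/auth_guard.php';  // the check every protected file starts with

header('Content-Type: text/html; charset=utf-8'); // the file sends its own content type
header('Cache-Control: private, no-store');       // keep shared caches from serving it to others
header('Referrer-Policy: no-referrer');           // outbound links do not leak this URL

$who = htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
echo "<h1>Admin report</h1><p>Signed in as {$who}</p>";

// For a binary asset in the same folder the pattern is identical: require the
// guard, send e.g. header('Content-Type: image/png'), then readfile() a path
// that is hard-coded in the script (never taken from the request), and exit.
```

The guard is a plain `require`, so nothing in this depends on the web server; the only server-side requirement is that PHP handles the files in the restricted folder. Because the credential lives in a session cookie rather than in the URL, it does not appear in browser history, proxy logs or the Referer header that AGISB's later post discusses.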
knagode
Forum Newbie
Posts: 5
Joined: Sat Feb 18, 2006 6:25 pm

Post by knagode »

I have solved my problem using JavaScript. I use window.XMLHttpRequest and then I am calling the URL with username and password.
It is working fine and simple 8)
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria
Contact:

Post by jmut »

knagode wrote:I have solved my problem using JavaScript. I use window.XMLHttpRequest and then I am calling the URL with username and password.
It is working fine and simple 8)
What happens if I turn off my javascript?
knagode
Forum Newbie
Posts: 5
Joined: Sat Feb 18, 2006 6:25 pm

Post by knagode »

I actually needed this to make some JavaScripts safer, and this script is not for all users - only for administrators. :wink:
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

Administrators or not, JavaScript is a very bad idea when it comes to security. It can help, but you cannot rely on it. The administrators are the ones who most likely have scripting off.
knagode
Forum Newbie
Posts: 5
Joined: Sat Feb 18, 2006 6:25 pm

Post by knagode »

Hi again!

I agree that it is not the safest way, but in my example it is the best - no matter how funny this sounds :D


The script now works fine on Firefox, but I have problems on IE.

I have found out that URLs with username and password don't work in IE:

e.g. http://user:pass@www.page.com/password_proteded_folder/index.html


And because of this... my script is worthless... Does someone know how I could fix this problem?

Isn't there a possibility to set the username and password using header()?
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

The feature to place usernames and passwords in the URL was disabled for security reasons. This is so insecure that it puzzles me that you even think about using something like this.

Here is an example

your admin logs in with http://user:pass@mydomain.com

after surfing the site he goes directly to:

hisfavouritepornsite.com

now the referer shows up in the logs of hisfavouritepornsite.com, and guess what it shows:

http://user:pass@mydomain.com

and now you have at least one extra "admin" able to log into your admin section, which you probably want to avoid at all costs.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

That's only if a page on mydomain.com links to an external site and he has referrer transmission on, AGISB.