php + http authentication

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

haora
Forum Newbie
Posts: 8
Joined: Mon Mar 27, 2006 9:39 am

php + http authentication

Post by haora »

Hi all, so here is my problem:

For the last few days I've been trying to duplicate the cPanel's login style..., what do I mean by this?, well, for what I understand, cPanel uses .htaccess to protect the private files, until the user logs in..., BUT you can also login through a login form....
My problem comes when I try to login using that form..., because I can't find a way, once I've determined that the username and password match (using php with the htpasswd file), to tell htaccess that the user is logged...


Do I make any sense???

If not just ask, and I will try to clarify things...

Thanks in advance!!!


Haora
Nathaniel
Forum Contributor
Posts: 396
Joined: Wed Aug 31, 2005 5:58 pm
Location: Arkansas, USA

Post by Nathaniel »

haora
Forum Newbie
Posts: 8
Joined: Mon Mar 27, 2006 9:39 am

Post by haora »

Thanks for the quick response, but the thing is..., in the php manual, it talks about using a php page to ask the username and password, by sending a header...., what I want, is to use a HTML form, and use the information entered by the user, to authenticate him/her with the htaccess...
haora
Forum Newbie
Posts: 8
Joined: Mon Mar 27, 2006 9:39 am

Post by haora »

No one has any thoughts on this???, I'm dying here people!!!, ANY ideas on how cPanel can make the html login form work with the htaccess???

The only thing I've found is using: login:password@myserver.com, but this approach doesn't work with IE...., what can I do???


Thanks
danf_1979
Forum Commoner
Posts: 72
Joined: Sun Feb 20, 2005 9:46 pm

Post by danf_1979 »

Maybe you should ask in the #apache channel in irc.freenode.net. I would say it's an apache module, but who knows for sure...
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W
Contact:

Post by pickle »

After logging in via .htaccess file, dump your $_SESSION and $_COOKIE variables to see if they're populated.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
haora
Forum Newbie
Posts: 8
Joined: Mon Mar 27, 2006 9:39 am

Post by haora »

pickle wrote:After logging in via .htaccess file, dump your $_SESSION and $_COOKIE variables to see if they're populated.
My problem is with the other way, not after you log in via .htaccess, but after you login via a html form...., I've learned now, that you can access cookies from your .htaccess files, so what I'm doing now, is this:

- I log in from my html form, and set a cookie.
- Then, I put this in my .htaccess file:

RewriteEngine on
RewriteCond %{HTTP_COOKIE} !^.*loggedin=1.*$
RewriteRule .*$ http://myserver.com/login.html

For what I understand, that should tell htaccess to check for the cookie and if it doesn't contain: "loggedin=1", then redirect the user, to the login form, right???

The problem is, that it isn't working, using IEWatch, I can see, that if I enter the correct log in information, and the cookie is set, I can't access the protected folders 'cause htaccess is redirecting me back to the login form....

Any ideas???

Thanks for all the replies!


Haora
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Why not just make this a php file? PHP can generate the "htaccess" login prompt and it can generate the HTML one too, all in the same script.
haora
Forum Newbie
Posts: 8
Joined: Mon Mar 27, 2006 9:39 am

Post by haora »

feyd wrote:Why not just make this a php file? PHP can generate the "htaccess" login prompt and it can generate the HTML one too, all in the same script.
Yeah, I know, the problem, is that when I try to access an image (for instance), inside the protected directory, I should not be able to see it unless I'm logged in into the system.....

EDIT: It might be important to note that the .htaccess file is inside the directory: html, and the login form, is inside the directory, login, which is at the same level as "html", because maybe the problem is with the RewriteRule.....
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

You can force that to happen by not allowing anyone direct linking to the images or by using a rewrite in the htaccess that runs all queries through the interface script.
haora
Forum Newbie
Posts: 8
Joined: Mon Mar 27, 2006 9:39 am

Post by haora »

feyd wrote:You can force that to happen by not allowing anyone direct linking to the images or by using a rewrite in the htaccess that runs all queries through the interface script.
How would that be?, I'm not very good with the regexps and htaccess...., right now I'm trying to specify a RewriteRule that checks if I'm in the "login" directory, so if I'm not, it redirects me back to /login/login.php.....but I can't find the right regexp...


I would really appreciate your help in this matter...


Thanks again!

Haora
haora
Forum Newbie
Posts: 8
Joined: Mon Mar 27, 2006 9:39 am

Post by haora »

Well, for anyone who is interested or has a similar problem, I will post the solution I found:


The .htaccess file, would look something like this:


Options +FollowSymLinks

RewriteEngine On
RewriteCond %{REQUEST_URI} .*/security/secureForlder/.* [NC]
RewriteCond %{HTTP_COOKIE} !^.*nameOfCookie=conditionForGrantedAccess.*$
RewriteRule .* /security/login/login.php [L]
This says:

IF you're in a secured folder AND you do not have the cookie (that should be set once you are correctly logged in) THEN redirect the user
to the login page.
Otherwise it does nothing...., that way if you entered the correct login information, and the cookie was set, you can visit any page/image/file inside the secured folders...
One more thing, the ".htaccess" file is inside the "security" folder, and as you can see, the "login" folder is not secured....

Well, thanks for all the help, and hopefully this will be useful for someone else some day....



:D
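A caveat on the solution above, and a worked version of feyd's earlier suggestion to "run all queries through the interface script": mod_rewrite can only check whether a cookie *string* is present, so anyone who types `nameOfCookie=conditionForGrantedAccess` into their own browser passes the gate without ever logging in. The fix is to keep the proof of login on the server (a PHP session) and let a script, not Apache, decide whether to hand out the file. The code below is an added example written for this thread, not code from the original posts or from cPanel. It assumes a hypothetical layout: the protected files moved to `/var/www/private/secureFolder` (outside the web root, so Apache can never serve them directly), a bcrypt htpasswd file at `/var/www/private/.htpasswd` (created with `htpasswd -B`), a `serve.php` gatekeeper and a `login.php` form handler under `/security/`. All paths and names are assumptions.

```php
<?php
// Added example for this thread (hypothetical serve.php + login.php), not code from the posts.
//
// .htaccess in /security/ routes every request for the protected folder to serve.php:
//
//   RewriteEngine On
//   RewriteRule ^secureFolder/(.*)$ /security/serve.php?f=$1 [L,QSA]
//
// The real files live outside DocumentRoot, so the only way to get one is through serve.php.

declare(strict_types=1);

// Assumed locations; adjust for the real deployment.
const PROTECTED_ROOT = '/var/www/private/secureFolder';
const HTPASSWD_FILE  = '/var/www/private/.htpasswd';
const LOGIN_URL      = '/security/login/login.php';

// Session cookie hardening: not readable by script, only sent over HTTPS.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_samesite', 'Lax');
session_start();

/**
 * Verify a username/password pair against an htpasswd file.
 * Accepts bcrypt entries (htpasswd -B) via password_verify(); the older
 * crypt()/MD5-apr1 formats are deliberately not accepted.
 */
function htpasswd_check(string $file, string $user, string $pass): bool
{
    $lines = @file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return false;
    }
    foreach ($lines as $line) {
        [$u, $hash] = array_pad(explode(':', $line, 2), 2, '');
        if (hash_equals($u, $user)) {
            return password_verify($pass, $hash);
        }
    }
    return false;
}

/**
 * Resolve the requested name to a real path inside PROTECTED_ROOT and
 * refuse anything that escapes it ("../", symlinks pointing outside, etc.).
 */
function resolve_protected(string $requested): ?string
{
    $root = realpath(PROTECTED_ROOT);
    $real = realpath(PROTECTED_ROOT . '/' . $requested);
    if ($root === false || $real === false || !is_file($real)) {
        return null;
    }
    // Prefix check with a trailing separator so "/secureFolder2/..." cannot match.
    return strpos($real, $root . DIRECTORY_SEPARATOR) === 0 ? $real : null;
}

// ---- login.php branch: a POSTed form with "user" and "pass" fields ----
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['user'], $_POST['pass'])) {
    if (htpasswd_check(HTPASSWD_FILE, (string) $_POST['user'], (string) $_POST['pass'])) {
        session_regenerate_id(true);            // prevent session fixation
        $_SESSION['user'] = (string) $_POST['user'];
        header('Location: /security/secureFolder/', true, 303);
    } else {
        http_response_code(401);
        echo 'Login failed';
    }
    exit;
}

// ---- serve.php branch: gate on the server-side session, never on a cookie value ----
if (empty($_SESSION['user'])) {
    header('Location: ' . LOGIN_URL, true, 302);
    exit;
}

$path = resolve_protected((string) ($_GET['f'] ?? ''));
if ($path === null) {
    http_response_code(404);   // same answer for "missing" and "outside the root"
    exit;
}

$mime = mime_content_type($path) ?: 'application/octet-stream';
header('Content-Type: ' . $mime);
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The two halves are shown in one file only to keep the example short; in a deployment they are separate scripts and the `login.php` form would carry a CSRF token like any other POST form. The important design choice is that the rewrite rule no longer makes an access decision at all: it just funnels every request for the folder into PHP, where `$_SESSION['user']` (set only after `password_verify` succeeded) is the single source of truth, and `resolve_protected` makes sure a request for `../../etc/passwd` is answered with 404 rather than a file.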