  1. #1
    SitePoint Enthusiast
    Join Date
    Jan 2001
    Posts
    63
    Hi there, I have a problem

    Could someone shed some light on how to use the Authentication header ($PHP_AUTH_USER and stuff)?

    I don't see how it can help to validate.

    Can someone show me a tutorial on Auth Headers or give me some codes?

  2. #2
    imagine no limitations exbabylon's Avatar
    Join Date
    Dec 2000
    Location
    Idaho, USA
    Posts
    452
    here:

    PHP Code:
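    <?php
    // Different Users
    $user1 = "test";
    $user1_pass = "test_pass";
    $user2 = "test2";
    $user2_pass = "test2_pass";

    // "Realm" (what this password protected area is called)
    $realm = "Registered Users Only Area";

    // Your domain name
    $domain = "test.net";

    // Current PHP has no register_globals: read the Basic auth values from $_SERVER
    $PHP_AUTH_USER = isset($_SERVER['PHP_AUTH_USER']) ? (string) $_SERVER['PHP_AUTH_USER'] : null;
    $PHP_AUTH_PW = isset($_SERVER['PHP_AUTH_PW']) ? (string) $_SERVER['PHP_AUTH_PW'] : "";

    // No credentials sent yet: ask the browser to prompt for them
    if (!isset($PHP_AUTH_USER)) {
        header("WWW-Authenticate: Basic realm=\"$realm\"");
        header("HTTP/1.0 401 Unauthorized");
        echo("You must have correct username/password in order to access this portion of our site.<p>If you are having problems with this password protected area please e-mail the webmaster <a href=\"mailto:webmaster@$domain\">webmaster@$domain</a>");
        exit;
    }

    // Username and password must both match the same account
    $valid = ($PHP_AUTH_USER === $user1 && $PHP_AUTH_PW === $user1_pass)
        || ($PHP_AUTH_USER === $user2 && $PHP_AUTH_PW === $user2_pass);
    if (!$valid) {
        // Escape the values the browser sent before printing them into the page
        $u = htmlspecialchars($PHP_AUTH_USER);
        $p = htmlspecialchars($PHP_AUTH_PW);
        echo("The password $p and the username $u are not correct. You must have correct username/password in order to access this area.<p>If you are having problems with this password please e-mail the webmaster <a href=\"mailto:webmaster@$domain\">webmaster@$domain</a>");
        exit;
    }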
    Blamestorming: Sitting around in a group discussing why a deadline was missed or a project failed and who was responsible.

    Exbabylon- Professional Internet Services

  3. #3
    SitePoint Enthusiast
    Join Date
    Jan 2001
    Posts
    63
    How will it carry forward to the next page?

    Like on some pages, you only need to put the auth header without the authentication prompt?

  4. #4
    imagine no limitations exbabylon's Avatar
    Join Date
    Dec 2000
    Location
    Idaho, USA
    Posts
    452
    the browser stores it during your session... just include the code above in all of your pages, it checks if it is set, if not then it just displays the login form again... you would want to do something like this on all of your pages:

    Include Page saved in your user root (/home/user/pass.inc)
    PHP Code:
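    <?php
    // Different Users
    $user1 = "test";
    $user1_pass = "test_pass";
    $user2 = "test2";
    $user2_pass = "test2_pass";

    // "Realm" (what this password protected area is called)
    $realm = "Registered Users Only Area";

    // Your domain name
    $domain = "test.net";

    // Current PHP has no register_globals: read the Basic auth values from $_SERVER
    $PHP_AUTH_USER = isset($_SERVER['PHP_AUTH_USER']) ? (string) $_SERVER['PHP_AUTH_USER'] : null;
    $PHP_AUTH_PW = isset($_SERVER['PHP_AUTH_PW']) ? (string) $_SERVER['PHP_AUTH_PW'] : "";

    // No credentials sent yet: ask the browser to prompt for them
    if (!isset($PHP_AUTH_USER)) {
        header("WWW-Authenticate: Basic realm=\"$realm\"");
        header("HTTP/1.0 401 Unauthorized");
        echo("You must have correct username/password in order to access this portion of our site.<p>If you are having problems with this password protected area please e-mail the webmaster <a href=\"mailto:webmaster@$domain\">webmaster@$domain</a>");
        exit;
    }

    // Username and password must both match the same account
    $valid = ($PHP_AUTH_USER === $user1 && $PHP_AUTH_PW === $user1_pass)
        || ($PHP_AUTH_USER === $user2 && $PHP_AUTH_PW === $user2_pass);
    if (!$valid) {
        // Escape the values the browser sent before printing them into the page
        $u = htmlspecialchars($PHP_AUTH_USER);
        $p = htmlspecialchars($PHP_AUTH_PW);
        echo("The password $p and the username $u are not correct. You must have correct username/password in order to access this area.<p>If you are having problems with this password please e-mail the webmaster <a href=\"mailto:webmaster@$domain\">webmaster@$domain</a>");
        exit;
    }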
    and the pages you want to protect:

    PHP Code:
    <?php
    require "/home/user/pass.inc";
    ?>
    <html>
    <head>
    <title>Password Protected Page One</title>
    </head>
    <body>
    Hello World!
    </body>
    </html>
    WARNING: YOU MAY NOT HAVE ANY PRINTING TO THE BROWSER! NOT EVEN WHITE SPACE BEFORE THE INCLUDE!

  5. #5
    SitePoint Enthusiast
    Join Date
    Jan 2001
    Posts
    63
    Thanks a lot!
    You saved me

  6. #6
    imagine no limitations exbabylon's Avatar
    Join Date
    Dec 2000
    Location
    Idaho, USA
    Posts
    452
    make sure you put that thing in the root directory... or else if PHP stops parsing everyone on earth can get to your usernames/passwords!

  7. #7
    SitePoint Enthusiast
    Join Date
    Jan 2001
    Posts
    63
    What do you mean?

  8. #8
    imagine no limitations exbabylon's Avatar
    Join Date
    Dec 2000
    Location
    Idaho, USA
    Posts
    452
    if you have the included script in a directory accessible from the WWW then your usernames and passwords are accessible to anyone who may want them if PHP stops parsing the pages.... if PHP stops parsing then the server will feed the entire page to the browser... so if someone "views source" then they can see your entire code.. and your usernames/passwords. here is an example:

    test.inc stored in same dir as index.php (home page)
    PHP Code:
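    <?php
    // Different Users
    $user1 = "test";
    $user1_pass = "test_pass";
    $user2 = "test2";
    $user2_pass = "test2_pass";

    // "Realm" (what this password protected area is called)
    $realm = "Registered Users Only Area";

    // Your domain name
    $domain = "test.net";

    // Current PHP has no register_globals: read the Basic auth values from $_SERVER
    $PHP_AUTH_USER = isset($_SERVER['PHP_AUTH_USER']) ? (string) $_SERVER['PHP_AUTH_USER'] : null;
    $PHP_AUTH_PW = isset($_SERVER['PHP_AUTH_PW']) ? (string) $_SERVER['PHP_AUTH_PW'] : "";

    // No credentials sent yet: ask the browser to prompt for them
    if (!isset($PHP_AUTH_USER)) {
        header("WWW-Authenticate: Basic realm=\"$realm\"");
        header("HTTP/1.0 401 Unauthorized");
        echo("You must have correct username/password in order to access this portion of our site.<p>If you are having problems with this password protected area please e-mail the webmaster <a href=\"mailto:webmaster@$domain\">webmaster@$domain</a>");
        exit;
    }

    // Username and password must both match the same account
    $valid = ($PHP_AUTH_USER === $user1 && $PHP_AUTH_PW === $user1_pass)
        || ($PHP_AUTH_USER === $user2 && $PHP_AUTH_PW === $user2_pass);
    if (!$valid) {
        // Escape the values the browser sent before printing them into the page
        $u = htmlspecialchars($PHP_AUTH_USER);
        $p = htmlspecialchars($PHP_AUTH_PW);
        echo("The password $p and the username $u are not correct. You must have correct username/password in order to access this area.<p>If you are having problems with this password please e-mail the webmaster <a href=\"mailto:webmaster@$domain\">webmaster@$domain</a>");
        exit;
    }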
    Protected Page:
    URL to this page: http://www.yourdomain.com/protected/index.php
    Code:
    <?php
    require "/home/user/yourdomain-www/test.inc";
    ?>
    <html>
    <head>
    <title>Home</title>
    </head>
    <body>
    HELLO WORLD!
    </body>
    </html>
    Now say PHP STOPPED parsing pages for some reason. Not a normal occurrence, but it can and does happen. Normally if a person viewed source on the password protected page AFTER getting into it... it would look like this:
    Code:
    <html>
    <head>
    <title>Home</title>
    </head>
    <body>
    HELLO WORLD!
    </body>
    </html>
    but if PHP stopped parsing it would look like this:
    Code:
    <?php
    require "/home/user/yourdomain-www/test.inc";
    ?>
    <html>
    <head>
    <title>Home</title>
    </head>
    <body>
    HELLO WORLD!
    </body>
    </html>
    your original code.. now even a novice PHP user can see that this is a PHP file with an include... so let's see what the include looks like as long as the PHP server is down... we can because it's in a WWW accessible dir:

    http://www.yourdomain.com/test.inc

    I view source on this and voila! I got your usernames/passwords!
    PHP Code:
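    <?php
    // Different Users
    $user1 = "test";
    $user1_pass = "test_pass";
    $user2 = "test2";
    $user2_pass = "test2_pass";

    // "Realm" (what this password protected area is called)
    $realm = "Registered Users Only Area";

    // Your domain name
    $domain = "test.net";

    // Current PHP has no register_globals: read the Basic auth values from $_SERVER
    $PHP_AUTH_USER = isset($_SERVER['PHP_AUTH_USER']) ? (string) $_SERVER['PHP_AUTH_USER'] : null;
    $PHP_AUTH_PW = isset($_SERVER['PHP_AUTH_PW']) ? (string) $_SERVER['PHP_AUTH_PW'] : "";

    // No credentials sent yet: ask the browser to prompt for them
    if (!isset($PHP_AUTH_USER)) {
        header("WWW-Authenticate: Basic realm=\"$realm\"");
        header("HTTP/1.0 401 Unauthorized");
        echo("You must have correct username/password in order to access this portion of our site.<p>If you are having problems with this password protected area please e-mail the webmaster <a href=\"mailto:webmaster@$domain\">webmaster@$domain</a>");
        exit;
    }

    // Username and password must both match the same account
    $valid = ($PHP_AUTH_USER === $user1 && $PHP_AUTH_PW === $user1_pass)
        || ($PHP_AUTH_USER === $user2 && $PHP_AUTH_PW === $user2_pass);
    if (!$valid) {
        // Escape the values the browser sent before printing them into the page
        $u = htmlspecialchars($PHP_AUTH_USER);
        $p = htmlspecialchars($PHP_AUTH_PW);
        echo("The password $p and the username $u are not correct. You must have correct username/password in order to access this area.<p>If you are having problems with this password please e-mail the webmaster <a href=\"mailto:webmaster@$domain\">webmaster@$domain</a>");
        exit;
    }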
    but this danger can all be avoided if you just put the test.inc page in the root dir... /home/user/test.inc

    Now I view the source of the password protected page and I see this:
    Code:
    <?php
    require "/home/user/test.inc";
    ?>
    <html>
    <head>
    <title>Home</title>
    </head>
    <body>
    HELLO WORLD!
    </body>
    </html>
    that doesn't help me because I CAN'T get that without FTP or root access to your server...

    hope that helps... if not please let me know... I'll see what I can do...

    God Bless

    Alex

    <<<<<<<<<NOTE>>>>>>
    It is a good idea to do this to ANY and ALL pages which have usernames/password on them (HTTP_Auth, MySQL, ETC.) It adds a much lower risk of people finding out your username/passwords....
    <<<<<<<</NOTE>>>>>>

  9. #9
    SitePoint Enthusiast
    Join Date
    Jan 2001
    Posts
    63
    Thanks.

    I understand it totally.
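
Added example, not part of the original thread or the posters' code: a hardened variant of the include file discussed above, meant to live outside the web root as the thread advises. It stores password hashes rather than plaintext, so a leaked copy of the file does not reveal the passwords, and it answers every failure with the same 401 without echoing client input. The function names `basic_auth_ok` and `require_basic_auth` are hypothetical and the accounts are constructed samples.

```php
<?php
// Added example (not from the thread): hardened pass.inc, kept outside the web root.
// Function names are hypothetical; the accounts below are constructed samples.

// A real file holds only hash strings produced once by password_hash(); generated here so it runs.
$users = array(
    'test'  => password_hash('test_pass', PASSWORD_DEFAULT),
    'test2' => password_hash('test2_pass', PASSWORD_DEFAULT),
);

// True only when the username exists and the password matches that same account.
function basic_auth_ok(array $server, array $users)
{
    if (!isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return false; // browser sent no Authorization header
    }
    $user  = (string) $server['PHP_AUTH_USER'];
    $known = isset($users[$user]);
    // Verify against a throwaway hash for unknown users so both paths cost the same.
    $hash  = $known ? $users[$user] : password_hash('', PASSWORD_DEFAULT);
    return password_verify((string) $server['PHP_AUTH_PW'], $hash) && $known;
}

// Gate for protected pages: one identical 401 for missing and wrong credentials.
function require_basic_auth(array $users, $realm)
{
    if (!basic_auth_ok($_SERVER, $users)) {
        header('HTTP/1.0 401 Unauthorized');
        header('WWW-Authenticate: Basic realm="' . $realm . '"');
        echo 'A valid username and password are required for this area.';
        exit; // nothing supplied by the client is echoed back
    }
}

if (PHP_SAPI === 'cli') {
    // Offline self-check with constructed requests: user, password, expected result.
    $cases = array(
        array('test', 'test_pass', true),
        array('test', 'test2_pass', false), // password of a different account
        array('test2', '', false),          // empty password
        array('nobody', 'test_pass', false),
    );
    foreach ($cases as $c) {
        $got = basic_auth_ok(array('PHP_AUTH_USER' => $c[0], 'PHP_AUTH_PW' => $c[1]), $users);
        echo ($got === $c[2] ? 'ok  ' : 'FAIL'), " {$c[0]}\n";
    }
} else {
    require_basic_auth($users, 'Registered Users Only Area');
}
```

Run it with `php` on the command line for the self-check; when required from a protected page it enforces the login instead.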

