Jump to content

HTTP Auth and Headers


para11ax

Recommended Posts

Hi, I consider myself pretty competant when it comes to PHP and mySQL, but when it comes to the whole issue for HTTP headers, I'm pretty lost, so maybe someone can break it down a little bit for me. I have an idea of something I want to do and I think if it's possible HTTP Headers are the solution, so let me break this down:

[b]Idea[/b]: Basically, I want to bypass some HTTP Authentication. The issue is that there is a page that simply executes a function, but to access it you need to log in with basic HTTP authentication. I'm running a PHP member system and want certain members to be able to use these pages, but want them to be transparent in order to simplify their use and hide the administrative password to them from the end users.

[b]Execution[/b]: It seems to me that if this can be done it would be in the form of somehow presetting the HTTP Headers to make it seem like I had already submitted the username and password into the page. This is where I could use some help. Any ideas would be appreciated.

[b]More background than you probably need[/b]: Here is the full situation. Basically this is an interface for a game server. The game server runs a Web interface called ServerDock which I have access to, and want to make some PHP functions to delegate functions to different users. Basically, you can stop and start the server using the links [a href=\"http://69.65.0.74:1300/stop\" target=\"_blank\"]http://69.65.0.74:1300/stop[/a] and [a href=\"http://69.65.0.74:1300/start\" target=\"_blank\"]http://69.65.0.74:1300/start[/a]. These prompt for a password and then once entered will simply perform their function and return nothing. My plan is to create a page that will call the STOP page and then the START page... so that users can seamlessly restart the server. I handle user security on my end, so the only access to this function would be through my authentication... so there are no security risks. Basically I want to prevent users from accessing advanced server settings that they may screw up and integrate this as semalessly as possible into my current system. I assume since these pages actually load some minimal content, I will call them using 2 iFrames within the page, so that I have a place for the returned content to be dumped without redirecting the actual page that the users access.
Link to comment
Share on other sites

[a href=\"http://www.php.net/curl\" target=\"_blank\"]curl[/a]

Btw, it was the "More background than you probably need" info that made it clear to me what you wanted to do.

Note the "e" in curl_exec() has been removed from the code below to allow the post to go through.
[code]


$auth = FALSE;
//etc
if ($auth)
{
    $ch = curl_init();
    $url = 'http://69.65.0.74:1300/stop';
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_USERPWD, 'username:password');

    $r = curl_xec($ch);

    //At this point it would be good to
    //parse the output to ensure the action
    //was performed successfully, but you
    //mention no output is given.
}
[/code]
Link to comment
Share on other sites

  • 4 weeks later...
I checked your start link above and it popped up a network log on box so the curl will not work for you.  Luckily php has a built in 'HTTP authentication' feature that works with the network log on box:

http://www.php.net/manual/en/features.http-auth.php

Link to comment
Share on other sites

[quote author=mainewoods link=topic=96915.msg402307#msg402307 date=1153710449]
I checked your start link above and it popped up a network log on box so the curl will not work for you.  Luckily php has a built in 'HTTP authentication' feature that works with the network log on box:

http://www.php.net/manual/en/features.http-auth.php


[/quote]

The "log on box" is created by the browser when a site requires "HTTP authentication". The link you pointed to deals with how to have PHP send the headers to notify the browser of the requirement (so that it can prompt the user for the credentials) and handle the username and password sent.

para11ax seems to be asking how to send those credentials using a script so that he can have control over who can perform specific actions. You can do this with [url=http://www.php.net/curl]curl[/url].

[quote=para11ax]
Ya, curl was hanging on exec.  I'll try that link out tomorrow and post up if I have any problems.  Thanks for everyone's help so far!
[/quote]
If you're having trouble, post the code you're currently using.

Before posting the script you can make the following changes to the script to see if any errors are shown that will help you solve the problem.

Put the following at the top of the script
[code]
error_reporting(E_ALL);
ini_set('display_errors', 1);
[/code]

Make the following additions.
[code]
$r = curl_exec($ch);
if (curl_errno($ch))
{
    print curl_error($ch);
}
else
{
    //at this point everything should have been done successfully
}
[/code]
Link to comment
Share on other sites

It's still just timing out on the curl_exec().  Here is the code.  This is from a test script I made and is the complete code for the page that i'm running (I just wanted to be sure it wasn't any of my code that was the problem).

[code="php"]<?
error_reporting(E_ALL);
ini_set('display_errors', 1);

//Stop the server
$ch = curl_init();
$url = 'http://69.65.0.75:1400/stop/';
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, 'x:x');
$r = curl_exec($ch);
if (curl_errno($ch)){
    print curl_error($ch);
    exit();
}
else{
echo "Test success.";
}
?>[/code]

Just to be clear, I don't actually get the php message telling me that the script has timed out... but after around 30 seconds the page just comes up blank and reports DONE.

Also, I check my phpinfo(), and it is '--with-curl', so that shouldn't be the issue.  Here's the Curl Information just to be safe: "libcurl/7.15.3 OpenSSL/0.9.7a zlib/1.2.3 libidn/0.5.6".  Any thoughts?  Thanks.

[b]edit(shoz): Removed login details[/b]
Link to comment
Share on other sites

Does the "stop" script respond quickly when you do it manually?

Add the following and see what output you get
[code]
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
curl_setopt($ch, CURLOPT_VERBOSE, 1);
[/code]
Remember to edit the value after "Authorization: Basic"
Link to comment
Share on other sites

[quote=para11ax]
Could it be that it doesn't like the trailing /, or could the host reject curl connections?
[/quote]
If this is not running on your local server (ie the one that you "browse" from), then it could be that the server the script is running from has its ip blocked by 69.x.etc. It could also be that the server the script is running from doesn't allow connections to be initiated locally.

If this is being tested on your local server make sure that apache is allowed access to the net by your firewall.
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.