Jump to content


Photo

Can anyone help with authentification page problem?


  • Please log in to reply
1 reply to this topic

#1 sportsminded

sportsminded
  • New Members
  • Pip
  • Newbie
  • 1 posts

Posted 26 March 2006 - 08:55 PM

Hello, I'm hoping someone knows of a workaround to a problem logging into my admin page that my former php programmer set up for me. Phpsuexec is the reason why the following code isn't working anymore. Does anyone have a workaround to this script that will allow me to log in and take advantage of my administration area again? I will gladly donate to this site. This is my first time here.

The code is as follows:

<?php
if (!isset($PHP_AUTH_USER)) {
// If empty, send header causing dialog box to appear
header('WWW-Authenticate: Basic realm="phpMyAdmin"');
header('HTTP/1.0 401 Unauthorized');
echo 'Authorization Required.';
exit;
} else if (isset($PHP_AUTH_USER)) {
if (($PHP_AUTH_USER != "admin") || ($PHP_AUTH_PW != "example")) {
header('WWW-Authenticate: Basic realm="My Private Stuff"');
header('HTTP/1.0 401 Unauthorized');
echo 'Authorization Required.';
exit;
}
}
Someone already told me that $PHP_AUTH_USER and $PHP_AUTH_PW won't work if the server has phpsuexec enabled. He also told me there are some workarounds. Any help would be greatly appreciated.


#2 jaymond

jaymond
  • New Members
  • Pip
  • Newbie
  • 1 posts

Posted 13 July 2006 - 05:58 PM

I found this elsewhere.

-------------------------------------------------
I've recently started with HostGator and noticed that the PHPSuExec causes some features to work differently. Hopefully this will help others who are trying to debug similar issues.

One is http_auth which is the browser based authentication that pops up to prompt users for their login and password on protected pages/directories. PHP_AUTH_USER & PHP_AUTH_PW are no longer passed through PHPSuExec. So when you get the login box, you enter your username and password and you will never be able to login. I had about 4-5 pages that were password protected using this method, so I had to develop a login page to replace the http_auth logic. From what I've read, PHPSuExec also disables standard .htaccess authentication, but I have not been using this so maybe another user can validate/test this firsthand.

As mentioned in the original post, php_flag & php_value statements need to be moved over to the new php.ini file. I noticed register_globals is on by default, but if you have a php.ini file it will automatically turn off register_globals, even if the php.ini file is blank. So be sure to add the register_globals=on flag to the php.ini file if you need register_globals on.

Also, I've read that php.ini needs to be included in every subdirectory where you want it to be used, as opposed to the .htaccess file that by default is applied to every subdirectory. This doesn't affect my use of the php.ini file, but I could see how it may be a pain for others to copy this into multiple directories. Again, this is something I read while trying to debug my issue, so someone would need to verify this firsthand.

Here is a sample of what I used to replace the http_auth code to check for username/password.

<?
// define admin user/password -- These should really be in
// a separate script such as a config file. Replace yourusername &
// yourpassword below with the actual password you want to use
define('ADMIN_USERNAME', 'yourusername');
define('ADMIN_PASSWORD', 'yourpassword');

session_start();
//session_register(), session_is_registered() or session_unregister() are no longer
//needed in PHP 4.3 when using register_globals is set to off
//http://us2.php.net/manual/en/ref.session.php
if($_POST["f_username"])
{
$_SESSION["username"] = $_POST["f_username"];
$_SESSION["password"] = $_POST["f_password"];
}

//For security, escape strings that could be checked against mysql database
//You should review security and add any needed security enhancements from:
//http://www.sklar.com/page/article/owasp-top-ten
$_SESSION["username"] = mysql_real_escape_string($_SESSION["username"]);
$_SESSION["password"] = mysql_real_escape_string($_SESSION["password"]);

if($_SESSION["username"] == ADMIN_USERNAME and $_SESSION["password"] == ADMIN_PASSWORD) //Password Matches
{
//Password is correct, do not display the form, allow user to see the page
}
//If no input exists, this is the first time the form is displayed. Show form, do not show page.
elseif(!$_POST["f_username"] or !$_POST["f_password"])
{
$exit = 'X';
}
//Occurs any time the password does not match. Show error, show form, & do not show page.
else
{
echo "Sorry, authentication failed.";
$exit = 'X';
}
if($exit == "X") //If user is not yet authenticated, show form & EXIT
{
?>
<br><br>
<form name="authenticate_user" action="<?echo $next_page;?>" method=POST>
<table>
<tr><td>
Username&nbsp;&nbsp;<input type=text name="f_username" size=20 maxlength=20>
<br>
Password&nbsp;&nbsp;<input type=password name="f_password" size=20 maxlength=20>
<br><br>
<input type=submit name="Submit">
</td></tr></table>
</form>
<?
exit; //Exit so the page contents are not shown.
}
?>




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users