User Authentication

vypergal

Hi. I am a newbie in Linux. I have installed Apache 1.3.27, mySQL 3.23.53 and php 4.2.3 on my 7.2 Redhat.

I am trying to set up a site that only allows authorized users to access it. As far as I understand, I can either change the directives in the Apache httpd.conf file by setting
<Directory /path/privatedir>
.....
</Directory> after creating a user file using htpasswd
or
by using database authentication.

But I am still confused by a few issues.

When I set the directives in Apache, somehow the authentication keeps failing even when i use valid usernames and passwords. Can someone explain?
If I were to use the database authentication, how can i prevent other unauthorized users from accessing certain pages? My present implementation will allow anyone access to any of my sites as long as they have the url to that site.

Could anyone please advice.Thanks in advanced.

packland

For simple (low level security?) Perhaps you haven't discovered htaccess yet?

With apache configured correctly you can set user access, passwords etc on a per user, per directory basis with htaccess. (You put a .htaccess file in the directory you want to control)

On my machine there is help at:
httpd-2.0.43/docs/manual/howto/htaccess.html.en
in the installation directory

PHP security depends on the logical flow of your program. (I'm not an expert at PHP by the way). It's not fantastic security (I'm also not a security expert) but basically apache will only serve up what you allow it to in your program. The user will access the page but without authorisation i goes basically.

If (user has passed authorisation) {
serve up some stuff
}else{
you can't see this page
}

or something like that.

You have to be EXTREMELY careful that a
request can't be fabricated that will trick your system as this is quite easy to do.

packland

By yhe way htaccess is the lazy method. By rights you should set allow and deny rights on each directory - if you have the time. (as you seem to be attepting maybe)

If you use htaccess you should have the following in your httpd.conf -

AccessFileName: The name of the file to look for in each directory

for additional configuration directives. See also the AllowOverride

directive.

#
AccessFileName .htaccess

The following lines prevent .htaccess and .htpasswd files from being

viewed by Web clients.

#
<Files ~ "^.ht">
Order allow,deny
Deny from all
</Files>

-----------see also-------------

AllowOverride

vypergal

Hi. Thanks for your suggestion. Actually I am more interested in using a database for authentication of the users.

I would like to try to implement the user authentication using a database and using PHP. In the mean time I will try it out with .htaccess as well.

Is there a way for me to hide my php code so that if I place certain private information on the code public users would not be able to access them??

Thanks in advanced.

packland

Because its happening on the server - public users don't see the php file in its raw form. When a page is requested it is processed and a public user only sees the processed ouput. As long as you don't allow people to browse your directories (which is bad practice) the public user has no way of getting to the raw php code.

Basically your php program is a way of dynamically creating a html page. It's the dynamics of that creation process that lets you manipulate what the user sees.

In addition you can use sessions. Once started up a session allows you to store data between pages (eg a valid user key set at a login.php page). In this way you can check to see if you want the current user to see anything. If you don't you can immediately redirect them (with your php) to somewhere else like 'not_a_valid_user.html' or simply print <html><body>you are not a valid user</body><html> instead of all the really cool stuff that a valid user gets.

There are many authentication scripts on this site so I won't add another unless you feel you need one.

Any help?

vypergal

Hi. Thanks. Think sessions might be able to solve my problem. Could you please provide the authentication script example? I am still rather confused. Do I need to use cookies as well? If yes, how do I go about it? And what if my user does not want to accept the cookies??

Please advice. Thanks. 🙂

packland

Http is a stateless protocol!

this means there is limited means to save state between pages. These are

is to send information from one page to the next.
is to allow the server to save some information on your machine that lets the server now who you are and what you are doing. (cookies)

This applies to sessions as well. If you want to allow the user to browse around your pages without logging on everytime. then
1. they have to have cookies on
or
2. you have to send the session ID (SID) on every page in your site. As soon as the user links to a page without an included SID that SID will be lost (unless you go BACK). Posting the session id is as simple as

this little piece of php writes the current URL with the session ID.
<? print "$PHP_SELF"."?".SID; ?>>

this is the first line of a form that links to another URL

It's probably worthwhile adding the SID to all links from your php pages as it works with or without cookies without any further work.

Have a go at the tutorial at:
http://www.phpdeveloper.org/view_tut.php?id=41

There is no password encrytion or session variables in the example but it demonstrates the typical structure of a login script. After that maybe try registering session variables with:
eg.

session_register( "userID" );

let me know how you go.

vypergal

Hi. Thanks. Think session is what I need but I am still trying to implement it. Not really sure what session is all about but from what I gathered seems like it would suit my implementation.
Will SSL work with session? Will keep you informed of my progress. Thanks a bunch. 🙂