authentication trouble

zackt69

I am trying to authenticate users through a form that posts the info to a php file. The php file then reads the contents of a .htpasswd file and compares the values. I'm pretty sure the code I wrote for that is fine, but it's not working... it never gives me access. So I simplified the code, put it all in one php file and did a simple check against variables that are already defined... and I still can't get access. I've tried using $HTTP_SERVER_VARS['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_USER'], $PHP_AUTH_USER, $GLOBAL['PHP_AUTH_USER']... don't know what else to do.

The simplified code is below... the popup box opens fine lets me enter info, then goes to a blank screen... no errors.

Any help would be greatly appreciated... thanks!
Zack

<?php 

// Check to see if $PHP_AUTH_USER already contains info

if (!isset($HTTP_SERVER_VARS['PHP_AUTH_USER'])) {

	// If empty, send header causing dialog box to appear

	header('WWW-Authenticate: Basic realm="My Private Stuff"');
	header('HTTP/1.0 401 Unauthorized');
	echo 'Authorization Required.';
	exit;

} else if (isset($HTTP_SERVER_VARS['PHP_AUTH_USER'])) {

	if (($HTTP_SERVER_VARS['PHP_AUTH_USER'] != "admin") || ($HTTP_SERVER_VARS['PHP_AUTH_PW'] != "abc123")) {

		header('WWW-Authenticate: Basic realm="My Private Stuff"');
		header('HTTP/1.0 401 Unauthorized');
		echo 'Authorization Required.';
		exit;

	} else {
		echo "
		<P>You're authorized!</p>
		";
	}
} 



?>

devinemke

are you running PHP as a module or as a CGI process? $SERVER['PHP_AUTH_USER'] and $SERVER['PHP_AUTH_PW'] will not be set if PHP is running as a CGI process.

zackt69

Thanks for the response.

Yeah, the more I'm reading about this the more I'm thinking it's running as CGI. The sever is not mine and is hosted through netfirms. I'm pretty new to PHP, so please excuse any stupid questions.... So if it is running CGI, there is no way to use the authentication dialogue box? Would it work if I were to go through a form and access a php doc that reads the .htpasswd file and compares values?

devinemke

Originally posted by zackt69
Yeah, the more I'm reading about this the more I'm thinking it's running as CGI.

why guess? find out for sure. create a blank text file called phpinfo.php and paste the following:

<? phpinfo() ?>

then upload it to your server and run it from your browser. look right at the top where it says "Server API".

zackt69

Cool... did what you suggested and in the "Server API" field it says CGI. Which is not the greatest news... heh

Is there anyway around this?

devinemke

it simply means that you cannot use HTTP authourization, you will have to write your own. create a standard HTML form that asks for username and password. when the form is submitted use [man]file[/man] to read the contents of your .htpasswd into an array. loop through the array and use [man]explode[/man] to break apart each line into username and password. on each iteration, simply compare the user's submitted data with what is in the array.

zackt69

Thanks for the post...
I started this script previously, using "fopen" instead of "file" (which I didn't know about). An html file sends the name and password as POST. I changed a few thigs around right now and it seems to work ok, except for one thing - if the password is "saturday" and I enter it in correctly there's no problem. If I enter the wrong password I get "Authorization Required"... again, no problem. However, if I enter "saturday1111", or anything else for that matter after the word "saturday", I still get "You are authorized!"... even though the password isn't correct. Any idea what's up with that?

Thanks again, this was driving me crazy!!!

<?php 
$name = $_POST['name'];
$password = $_POST['password'];
	// Read the entire file into the variable $file_contents
	$filename = '/path/to/.htpasswd';
	$fp = fopen($filename, 'r');
	$file_contents = fread( $fp, filesize($filename));
	fclose($fp);

// Place the individual lines from the file contents into an array.

$lines = explode ( "\n", $file_contents );

// Split each of the lines into a username and a password pair
// and attempt to match them to $PHP_AUTH_USER and $PHP_AUTH_PW.

foreach ( $lines as $line ) {

	list( $htname, $htpassword ) = explode( ':', $line );

	if ( $htname == "$name" ) {

		// Get the salt from $password. It is always the first
		// two characters of a DES-encrypted string.

		$salt = substr( $htpassword , 0 , 2 );

		// Encrypt $PHP_AUTH_PW based on $salt

		$enc_pw = crypt( $password, $salt );

	if ( $htpassword == "$enc_pw" ) {

		// A match is found, meaning the user is authenticated.
		// Stop the search.

			$auth = true;
			break;

		}

	}
}



if ( ! $auth ) { 
	echo 'Authorization Required.';
	exit;

} else {

echo '<P>You are authorized!</P>';
echo $htpassword;
}
?>

zackt69

ok... the code seems to work fine. It was just caching the login. If I login with a different account it's cleared and "saturday123" won't work if the password is suppose to be "saturday".

thanks again for all your help!