Trying to setup a Session Cookie

Boat_2005

I recently bought a software package that restricts access to one or many directories on my hosted server. The server is unix based. The directory that is restricted contains an .htaccess file and I believe that it uses Apache. If I try to access a file within that directory, the browser pops up a username / password input box. When I add the correct username / password, I am granted access.

My goal is to NOT use the browser popup and login through my HTML home page. I was able to access this restricted directory with the following URL format, "username : password@www.domain.com/directory".
IE has added security to not allow this.
The work around is to use session cookies.
I’ve been Googling for examples and have been reading all that I can with no luck.

I’m not exactly sure what the steps are to access an HTML file in my restricted directory.

I’ve been trying to add the following code to my home page / login page and trying to access it with the form action = $PHP_SELF.

This is really becoming frustrating and I would really appreciate any examples and advice..
Thx…

<?php
function auth(
$username = '',
$password = '',
$pass_file = './cgi-bin/pa/d_pass.txt'
) {
session_start();
global $PHP_SELF, $authdata;
$check = ! empty( $username );

if ( is_array( $authdata ) ) {
return true;
} elseif ( $check ) {
$fp = fopen( $pass_file, 'r' );
while ( !feof( $fp ) ) {

            $line = trim( fgets( $fp, 1000 ) );
            list( $l, $p ) = explode( ',', $line );

            if ( ($l == $username) && ( $p == $password) ) {
                $authdata = array("login"=>$username);
                session_register( 'authdata' );
                fclose( $fp );
                return true;
            }
        }
        fclose( $fp );
        unset( $authdata );
        return false;
    } else {
        return false;
    }

drew010

the apache htaccess user authentication and using php sessions to authenticate users are pretty unrelated and you wont be able to find a good way to mix them together, since all the apache username/pass validation is done before the php script is ever executed. you can totally do away with the apache htaccess method, but then you will need to have every single file you want protected access to, to do some sort of authorization on the user.
if php is running as an apache module, you can do a similar type of authentication using a php script rather than htaccess, but its probably useless to you since it uses the same box.
my thought to simplify this task of protecting files is to use this small trick (which only works if php is running as an apache module).

make a file, call it auth.php, and place it in your root directory.

make a function similar to the auth one you wrote in your post above.
what this function will do, is check the session data on a user, to make sure the username and password are correct. if it is, you simply do nothing, otherwise exit the script. here is a simple example
if ( !auth($SESSION['user'], $SESSION['pass']) ) {
echo "No Access";
exit;
}
now for the trick, in order to have all php files in a directory use that function, we will use the php directive auto_prepend_file.
what it does, is automatically include the specified file before the calling script runs.
so say you have protected.php in the /private folder.
when someone calls protected.php, the auth.php file is brought in at the top, and is run first, so if you issue exit, the protected.php file never finishes running, in a sense, locking access to the file.
make a .htaccess file in the /private folder, and in it put
php_value auto_prepend_file /full/path/to/auth.php
this will first bring that file in and run your check.
again, it will only work with php as an apache module. the long version of that is to put
ini_set("auto_prepend_file", "/path/to/auth.php");
in every file you want protected.

so when you make the web form, you will make a post to some script which will set the session data, and then you can redirect to a default protected page.

hope that helps, if you have questions let me know

Boat_2005

I just added “php_value auto_prepend_file /full/path/to/auth.php” to my .htaccess file and added the code I posted to the auth.php file.
I’m not quite sure what I should do with
if ( !auth($SESSION['user'], $SESSION['pass']) ) {
echo "No Access";
exit;
}
Is that not the same as the fclose at the bottom of my code?

The method that you described is pretty slick. I’m very excited about finally getting this to work. Does my code seem ok to you?
My HTML form’s action is pointing to an HTML file within the restricted directory and I’m still getting browsers login popup.

drew010

your auth function may look something like this:

function auth($username, $password)
{
  $authorized = FALSE;
  $data = file("passwordfile");

  foreach($data as $line) {
    list($user, $pass) = explode(",", $line);
    if ($username == $user && $password == $pass) {
      $_SESSION['username'] = $user;
      $_SESSION['password'] = $pass;
      $authorized = TRUE;
      //they are authorized
      break;
    }
  }

  if ($authorized == FALSE) {
    echo "You can't view this page.";
    exit;
  }
}

in order to call it on every page to make sure the session hasnt expired or been tampered with, we call the auth function using the data previously set by a successful authorization

auth($SESSION['username'], $SESSION['password']);

Boat_2005

I hate to ask another question with all the help that you have given me already. But I was hoping that you could suggest were I’m going wrong.
I promise that I won’t abuse your generosity further.

I had this within my .htaccess file.

AuthType Basic
AuthName "Members Area"
AuthGroupFile /dev/null/
AuthUserFile /usr/local/zeus/web_roots/main/domain.com/cgi-bin/pa/d_pass.txt
php_value auto_prepend_file "/usr/local/zeus/web_roots/main/domain.com/auth.php"

<LIMIT GET POST PUT>
require valid-user
</LIMIT>

I removed the AuthUserFile from it because it was triggering the browsers login popup.

I added the below auth.php file to the root.

<?php
function auth($username, $password_1)
{
$authorized = FALSE;
$data = file('/usr/local/zeus/web_roots/main/domain.com/cgi-bin/pa/d_pass.txt');
foreach($data as $line) {
list($user, $pass) = explode(":", $line);
if ($username == $user && $password_1 == $pass) {
$SESSION['username'] = $user;
$SESSION['password_1'] = $pass;
$authorized = TRUE;
//they are authorized
break;
}
}
if ($authorized == FALSE) {
echo "You can't view this page.";
exit;
}
}
?>

The code uses password_1 so I thought that I should add this here. I’ve tried it both ways.
The action of my form is going to a restricted file in this directory.

From your description of this
<?php
if ( !auth($SESSION['user'], $SESSION['pass']) ) {
echo "No Access";
exit;
}
?>
I’m assuming that if it’s not added to the restricted file, that I will have access. It's just to confirm that the proper login info is there.
Should I be using the function “session_start();” ? Could that be why this isn’t working?

drew010

it could be a few things,
you do need to call session start before you use auth function for sure.
auth doesnt return a value so you shouldnt do
if ( !auth($SESSION['user'], $SESSION['pass']) ) {
echo "No Access";
exit;
the exit part is handled inside the function.
and unix password files have the passwords encrypted so you will need to look at the text file and see if the passwords are encrypted, if they are you have to use the [man]crypt[/man] function on the entered password to make sure it matches the one in the file.

Boat_2005

Hi drew010,
I hope this thread helps other people with this problem. I’ve Googled the heck out of this issue and there are no good examples…
I’ve added my auth.php and .htaccess files below.
I don’t understand how the $auth = false or true get’s passed.
Could it be the <LIMIT GET POST PUT> require valid-user</LIMIT> in the .htaccess needs to change? Or is something else missing from my .htaccess file….
Do I put the auth($SESSION[‘user’], $SESSION[‘pass’]) in the .htaccess file?
I feel that I’m so close, but can’t get passed the finish line.

My auth.php file looks like this ….

<?php
session_start();
$PHP_AUTH_USER = $POST['username'];
$PHP_AUTH_PW = $POST['password'];
if (!isset($PHP_AUTH_USER)) $PHP_AUTH_USER = $COOKIE['username'];
if (!isset($PHP_AUTH_PW)) $PHP_AUTH_PW = $COOKIE['password'];

$auth = false; // Assume user is not authenticated

if (isset( $PHP_AUTH_USER ) && isset($PHP_AUTH_PW)) {

// Read the entire file into the variable $file_contents

$filename = '/usr/local/zeus/web_roots/main/domain.com/cgi-bin/pa/passwordfile.txt';
$fp = fopen( $filename, 'r' );
$file_contents = fread( $fp, filesize( $filename ) );
fclose( $fp );

// Place the individual lines from the file contents into an array.

$lines = explode ( "\n", $file_contents );

// Split each of the lines into a username and a password pair
// and attempt to match them to $PHP_AUTH_USER and $PHP_AUTH_PW.

foreach ( $lines as $line ) {

    list( $username, $password ) = explode( ':', $line );

    if ( $username == "$PHP_AUTH_USER" ) {

        // Get the salt from $password. It is always the first
        // two characters of a DES-encrypted string.

        $salt = substr( $password , 0 , 2 );

        // Encrypt $PHP_AUTH_PW based on $salt

        $enc_pw = crypt( $PHP_AUTH_PW, $salt );

        if ( $password == "$enc_pw" ) {

            // A match is found, meaning the user is authenticated.
            // Stop the search.

            $auth = true;
			setcookie('username',$PHP_AUTH_USER,time()+36000);
			setcookie('password',$PHP_AUTH_PW,time()+36000);
            break;

        }

    }
}

}

if ( ! $auth ) {

header( 'WWW-Authenticate: Basic realm="Private"' );
header( 'HTTP/1.0 401 Unauthorized' );
echo 'Authorization Required.';
exit;

} else {

 header( 'Location:first.htm' );

}

My .htaccess file looks like this….

AuthType Basic
AuthName "Making Doors Open"
AuthGroupFile /dev/null/

php_value auto_prepend_file "/usr/local/zeus/web_roots/main/domainname.com/auth.php"

<LIMIT GET POST PUT>
require valid-user
</LIMIT>