A complete authentication system?

Anon

Before the crash, there were a few message regarding this, and a few solutions too I believe, but those have sinced disappeared. I'm still trying to find a solution that works, in order for me to have a full MySQL/PHP authentication system for all (not just .php) files under a certain directory. (without the use of .htaccess)

The common authentication system you see on the web is simple include("authenticate.php") at the top of all your files you want to secure. This however doesn't work for .ZIP, or .PDF files.

So I'm looking for a way to have Apache execute "authenticate.php" whenever a user requests a document from /private.

I have tried:

   <Location /private>
   ForceType application/x-httpd-php
   DefaultType application/x-httpd-custom
    Action application/x-httpd-custom "/authenticate.php3"  
   </Location>

which doesn't work unless they request exactly: "www.domain.com/private/"
If they try "www.domain.com/private/private.zip" it lets them through without executing authenticate.php3.

So I tried:

   <Location /secure>
   ForceType application/x-httpd-php
   DefaultType application/x-httpd-custom
    Action application/x-httpd-custom "/authenticate.php3"  
   </Location>

This seems to work perfect, the only difference? I don't have a /secure directory. I do however have a /private directory. So if a user requests "www.domain.com/secure/private.zip" it asks them to authenticate first. But the files real location is "www.domain.com/private/private.zip" so this only "masks" the problem, is not secure at all.

Does anyone know how I can get Apache to execute a .php file whenever someone tries accessing a document in the /private directory? Any document, not just .php or .htm files, but .zip, and .pdf as well? Thanks.

Anon

No, you can't do that. What you can do though, is keep your files in another directory, below document root if necessary.

Then, when they request a file, use a RewriteRule - or ForceType directive like you have above - to send the user to authenticate.php, which will authentic the user, read the file from the user, send the appropriate mime-type, and then the file data.

That oughta do it. Check the code archive here and on other sites for examples of download scripts, which could be modified to suit.

a
d
a
m

Anon

I'm really stubborn, theres gotta be a better way. I'm pretty sure someone outlined it on the forum before the crash as well. It works perfectly as long as the directory itself doesn't exist, so theres gotta be a little trick to get around that. Just a matter of finding it. If all else fails I guess the RewriteRule will have to do. 🙁

Anon

i created a version of the posted "complete auth system" and it's fairly complete. it does not yet have a one liner secure include BUT it works nicely. it's not yet meant to be "public" but i quickly modified, tarred it and tested for this post. i was able to install it in about 30 seconds ... only a few variables need changing. i tried making it easy to install for everyone. it has some issues but i am working on them and hopefully some more php savvy types will help as i am somewhat new, and learning. learning rules! anyway, check out :

theprojects.org/scripts/authentication/

i depended on the prior posts too and now that they're gone, i'm a tad bit lost on some things but ... just check it out and let me know your thoughts.

regarding your .htaccess desires, check this url out :

http://www.apacheweek.com/features/userauth/

warm regards,
philip

Anon

That system looks quite nice, but it lacks the most important thing by what I have seen so far. How do you authenticate against someone linking directly to a .ZIP file or something?

ie: if you had a "private.zip" file on your site, and I knew the exact path/name. I could download it without ever having to authenticate by simply entering:
http://www.theprojects.org/scripts/private.zip

So in reality, for most sites, this system unfortunately doesn't cut it. 🙁

include "auth.php"; // always include this, always.

It always requires you to use the above line in every file you want a user to have to authenticate for before they can download/view it, Unless you know a way to add that line in to a .ZIP file and have PHP parse it. 😉 (not quite effective)

I would classify this authentication system as "not quite there". Simply put it is limited to .php files only.

Have you run across a system that will use a .PHP file to authenticate for every file a user could ever possibly want to get from a certain directory? (I'm pretty sure its a simple apache .conf file trick)

Thanks.

Anon

here's a suggestion:
create a system where the file to be accessed is actually stored in a directory that is simply not accessible on the web. Then, create a php script to "write" the file to the user beginning with the appropriate mime type. This script would, of course, be under some sort of system of authentication -> perhaps using session variables or something along with user name/password authentication. You can look at the PHP site for the code in sending files to users. This seems to be the best way to achieve your goal to me.

Anon

I thought of this also, but how do you send the user the user the output from like:
dblookup.php?name=manager&dept=sales

I can't see that working for some reason, as you'd simply be writing the file to a user, how do you pass it POST/GET variables?

Anon

btw, the article is :

http://www.apacheweek.com/features/userauth

strange, doesn't work with the trailing / on my system. hmm.

Anon

i've not yet looked into these scripts but there are many download managers listed here :

http://www.hotscripts.com/PHP/Scripts_and_Programs/File_Manipulation/Download_Systems/

sometime i'll look into how they do it and perhaps implement a simular system. you may find these of interest.

also, check out :
http://hoohoo.ncsa.uiuc.edu/docs/setup/access/Directory.html

Anon

Hrmm,I'm pretty certain the solution I'm looking for has something specifically to do with Apache. I could combine the use of an "include()" authentication system for all .php files, and use those "antileech" scripts to secure any .ZIP files and what not, but that isn't a very elegant solution.

The NCSA link gave me an idea, but didn't quite work with apache unfortunately. I can't use mod_auth_dbi modules either, even though they would allow me to authenticate against a database instead of a flat file, the way users enter their login name/password causes me a huge problem.

Browsers popup a window asking for the login name/password when they detect the user is entering a secure site, the problem with this is IE has the damn "Save Password" check box, and the new Netscape now has that so called "feature". Human nature is to use that check box, and once someone does, the security of the entire site is compromised. All our computers that would be accessing this site are public ones, (ones many people share) so this is a huge problem.

This is why I want a PHP login form, so theres no way for a user to check a "save password" box and comprise security. (The new IE has a feature that still allows you do save vales you enter in to forms, but that is much less of a threat then the "Save Password" check box constantly looking users in the eye.)

Thanks.

Anon

sddssd

Anon

And it is not possible have a mix between PHP Login and Basic Authentication?

Why is not possible set the PHP_AUTH_USER and the PHP_AUTH_PASSWD getting this from a web form to supress the window asking for it ????

Anon

You can set those variables... But I don't think it does you any good. The pop-up window still comes up. Have you actually tried this and gotten it working before?