02-20-2004, 11:31 PM | #1 |
Purple Mole
Join Date: Jan 2004
Posts: 694
Alternate script for index.php
If anyone has followed the authentication problems I had with my site which is on a Windows server (see this thread), I've modified the admin/index.php script to handle user authentication in a slightly different way to solve that problem. You can view my modified script here. Note that if you use it, you'll no longer need to use auth.php.
I also added a feature that gives the user 3 tries to authenticate, then calls the sleep function for 10 seconds. That is to discourage anyone from running their own script to try hacking into the administration functions. I welcome any comments, criticisms, etc. regarding my script. Thanks.
02-23-2004, 12:29 PM | #2 |
Head Mole
Join Date: May 2003
Posts: 2,539
Hi. Thanks for the mod submission, but...
Your authentication method only protects the admin/index.php file. It does not offer protection should someone access other files in the admin directory. For example, from your site:

Code:
Search Terms | Num Time | Total Results | Avg Time |
review | 16 | 112 | 0.10 |
sample | 1 | 1 | 0.02 |
born | 1 | 1 | 0.01 |
charter | 1 | 0 | 0.00 |

From php.net is the following:

Also note that until PHP 4.3.3, HTTP Authentication did not work using Microsoft's IIS server with the CGI version of PHP due to a limitation of IIS. In order to get it to work in PHP 4.3.3+, you must edit your IIS configuration "Directory Security". Click on "Edit" and only check "Anonymous Access", all other fields should be left unchecked.

Another limitation is if you're using the IIS module (ISAPI), you may not use the PHP_AUTH_* variables but instead, the variable HTTP_AUTHORIZATION is available. For example, consider the following code:

    list($user, $pw) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));

IIS Note: For HTTP Authentication to work with IIS, the PHP directive cgi.rfc2616_headers must be set to 0 (the default value).

Note: If safe mode is enabled, the uid of the script is added to the realm part of the WWW-Authenticate header.

If the auth.php that comes with PhpDig does not work for you, then protect the admin directory with something like htaccess instead.

One thing though... Thanks to your post, I checked the scripts in the admin directory and anyone using PHPDIG_ADM_AUTH in the config.php file should read this thread.
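The point made in the reply above, as an added example that is not part of the original thread or PhpDig's own code: a guard file (hypothetical name admin_guard.php) that every script in the admin directory includes, reading credentials from PHP_AUTH_* or, under IIS ISAPI, from HTTP_AUTHORIZATION. It assumes a current PHP release (password_hash, password_verify, hash_equals), and the account values are constructed.

```php
<?php
// admin_guard.php (hypothetical file name): require this at the top of EVERY
// script in the admin directory, not only index.php.

// Return array(user, password) from the request, or null if none was sent.
function credentials_from_server(array $server)
{
    // CGI / Apache module: PHP fills in PHP_AUTH_USER and PHP_AUTH_PW itself.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return array($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']);
    }
    // IIS ISAPI: only the raw header is available, as "Basic <base64>".
    $header = isset($server['HTTP_AUTHORIZATION']) ? $server['HTTP_AUTHORIZATION'] : '';
    if (strncasecmp($header, 'Basic ', 6) !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true); // strict: false on junk
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2); // limit 2: the password may contain ':'
}

// True only when the supplied credentials match the configured admin account.
function is_admin_request(array $server, $adminUser, $adminPwHash)
{
    $creds = credentials_from_server($server);
    if ($creds === null) {
        return false;
    }
    // Evaluate both checks so the response does not reveal which one failed.
    $userOk = hash_equals($adminUser, $creds[0]);
    $pwOk   = password_verify($creds[1], $adminPwHash);
    return $userOk && $pwOk;
}

// Constructed sample account; in practice keep a precomputed hash in config.
$adminUser   = 'admin';
$adminPwHash = password_hash('constructed-sample-password', PASSWORD_DEFAULT);

// Skipped on the command line so CLI runs are not blocked (an assumption here).
if (PHP_SAPI !== 'cli' && !is_admin_request($_SERVER, $adminUser, $adminPwHash)) {
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="admin"');
    exit('Authentication required.');
}
```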
02-23-2004, 07:52 PM | #3 |
Purple Mole
Join Date: Jan 2004
Posts: 694
Thanks for the evaluation of my script, Charter. I'm still pretty new to PHP, so I wasn't too sure if it would fly or not. That's one of the beauties of open-source though. Someone else can tell you if there are security holes.
I don't believe it is possible to protect a directory with .htaccess on a Windows server. What I've been doing is just removing the authentication requirement when I want to spider the site, then putting it back up when I'm done. Not the most convenient way of doing things, but it works. BTW, my Windows site is on PHP 4.3.2. I guess that according to your post, that means I can't use HTTP authentication?