Welcome to the JaguarPC Community

This is a discussion on is securing a page this way really secure? in the Shared & Semi-Dedicated forum

  1. #1
    JPC Member
    Join Date
    May 2002
    Posts
    20

    is securing a page this way really secure?

    <?
    if(!$PHP_AUTH_USER || !authenticate($HTTP_AUTH_USER, $HTTP_AUTH_PW)) {
    header('WWW-Authenticate: Basic realm="SOME_IDENTIFIER"');
    header('HTTP/1.0 401 Unauthorized');
    echo('You are not authorized to access this page.');
    //any output here will be displayed after the maximum bad
    //attempts for your browser (generally 3)
    exit();
    }

    the rest of the code here for the page.


    Is this secure enough to use to protect pages with customer information on it? No CC info or anything like that.

    Michael

  2. #2
    Community Leader jason
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    Well, secure is a relative term and nothing you put on a shared server (or any computer connected to the Internet for that matter) can ever be considered to be 100% secure.

    That said, the code you provided should keep people from accessing that page unless they've logged in, but it depends on how you code the rest of the page to say if it is truly secure. For example, once someone logs in can they only see their own information or is it possible for them to access other users' info by changing values in a form or in links? These are all things to consider.

    Also, how secure that routine is really depends on how the page is accessed. If you are doing it over standard HTTP then it can't truly be considered secure because it will be sent in clear text. If you are really concerned about security you should access the page over HTTPS.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com
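The two points Jason raises above, shown in code. This is an added example, not code from the thread or from either poster: it assumes nothing beyond a PHP 7.1+ CLI, and the customer table and the "ABC"/"123" credentials are constructed sample data. The first half shows exactly what an HTTP Basic login looks like on the wire over plain HTTP; the second half contrasts a record lookup that trusts an id from the link with one that checks ownership against the authenticated user.

```php
<?php
// Added example (not from the original thread). Run with: php basic_auth_points.php

// 1. Basic auth is base64, not encryption. This is the header a browser sends for
//    user "ABC" / password "123" (constructed sample, not a captured request):
$header = 'Authorization: Basic ' . base64_encode('ABC:123');

// Anyone watching a plain-HTTP connection recovers the password in one call,
// which is why the page has to be served over HTTPS to be considered secure.
function credentials_on_the_wire(string $header): array {
    $b64 = substr($header, strlen('Authorization: Basic '));
    return explode(':', base64_decode($b64), 2);   // [user, password]
}

// 2. After login, key every lookup on the server-side authenticated identity,
//    never on a value the client can edit in a form or a link.
//    Constructed in-memory "customer table": id => row, each row has an owner.
$customers = [
    101 => ['owner' => 'ABC', 'name' => 'Alice', 'phone' => '555-0100'],
    102 => ['owner' => 'XYZ', 'name' => 'Bob',   'phone' => '555-0199'],
];

// Insecure: trusts ?id= from the URL, so user ABC reads Bob's row by changing 101 to 102.
function record_insecure(array $table, int $id): ?array {
    return $table[$id] ?? null;
}

// Secure: the row is returned only if it belongs to the user who actually logged in.
// "Not found" and "not yours" give the same answer so the id space cannot be probed.
function record_for_owner(array $table, string $auth_user, int $id): ?array {
    $row = $table[$id] ?? null;
    if ($row === null || $row['owner'] !== $auth_user) {
        return null;
    }
    return $row;
}

// Demo: what a sniffer sees, then the two lookups as user ABC asking for id 102.
[$user, $pass] = credentials_on_the_wire($header);
echo "on the wire: user=$user pass=$pass\n";

$auth_user = 'ABC';   // in a real page this would come from $_SERVER['PHP_AUTH_USER']
var_dump(record_insecure($customers, 102));               // Bob's row leaks
var_dump(record_for_owner($customers, $auth_user, 102));  // null: blocked
var_dump(record_for_owner($customers, $auth_user, 101));  // Alice's own row
```

The ownership check is the part that Basic auth alone does not give you: the server knows who logged in, so every query for customer data must be filtered by that identity rather than by whatever id arrived in the request.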

  3. #3
    Yeah, I know a LOT! Vin DSL
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    As far as I'm concerned, the only way to make a file secure is to get it out of the web area. I've seen PHP break and all your files are laid bare for the whole world to see, complete with syntax coloring.
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  4. #4
    JPC Member
    Join Date
    May 2002
    Posts
    20
    Hmmm

    Here is my code

    Code:
    <?
    if(!$PHP_AUTH_USER || authenticate($HTTP_AUTH_USER, $HTTP_AUTH_PW)==0) {
    header('WWW-Authenticate: Basic realm="SOME_IDENTIFIER"');
    header('HTTP/1.0 401 Unauthorized');
    echo('You are not authorized to access this page.');
    echo($HTTP_AUTH_USER.' , '.$HTTP_AUTH_PW);
    exit();
    }
    
    function authenticate($HTTP_AUTH_USER, $HTTP_AUTH_PW) {
    if(($HTTP_AUTH_USER<>"ABC") || ($HTTP_AUTH_PW<>"123")) {
    return 0;
    } else {
    return 1;
    }
    
    }
    
    echo "You are in the secure area";
    
    ?>
    no matter what I put for the username and password it never lets me past.

    Also it seems $PHP_AUTH_USER is always set to something.
    NOTE: echo($HTTP_AUTH_USER.' , '.$HTTP_AUTH_PW); echos nothing. These variables never seem to be set.

    Anyone notice anything?
    Thanks
    Michael
    Last edited by ParksWC; 05-21-2004 at 10:30 AM.

  5. #5
    JPC Member
    Join Date
    May 2002
    Posts
    20
    Think I figured this out.


    If I replace $HTTP_AUTH_USER with $PHP_AUTH_USER
    and $HTTP_AUTH_PW with $PHP_AUTH_PW

    it works fine.

    Was there a difference in a previous version or something?

    Michael

  6. #6
    Community Leader jason
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    The proper "not equals" operator for php is !=, not <>, so that may be your problem. Also try using $_SERVER['HTTP_AUTH_USER'] and $_SERVER['HTTP_AUTH_PW'].

    FWIW, I've never had much luck doing authentication this way. I prefer to just do it with standard HTML forms. It's cleaner looking and much easier to get working.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  7. #7
    JPC Member
    Join Date
    May 2002
    Posts
    20
    we must have posted at almost the same time. See my post above yours.

    I originally had != but testing I changed it to <>
    I figured this out by doing phpinfo() after the code and searching for the username and password I had typed in.

    Mike

  8. #8
    Community Leader jason
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    Congrats on figuring it out. Now that you mention it, I do remember using PHP_* in the past when setting up something similar, but if you were doing this from a CGI script I believe you would use HTTP_*.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com
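Posts #5 through #8 work out where the Basic-auth credentials actually land. As an added example (not code from the thread), here is the gate written against the right superglobals: under mod_php Apache fills `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']`; under CGI/FastCGI those are not set and the raw header only reaches PHP as `$_SERVER['HTTP_AUTHORIZATION']` if the server is configured to pass it through (assumed here). Passwords are checked against stored hashes rather than the literal `"123"`, and the user table is a constructed sample. Requires PHP 7.1+.

```php
<?php
// Added example (not from the original thread). Run with: php basic_gate.php

// Constructed user table: username => password hash. In real use generate the
// hashes once with password_hash() and keep the file outside the web root.
$users = ['ABC' => password_hash('123', PASSWORD_DEFAULT)];

// Extract [user, password] from whichever place the web server put them, or
// null if the request carried no usable Basic credentials.
function basic_credentials(array $server): ?array {
    if (isset($server['PHP_AUTH_USER'])) {                       // mod_php
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    // CGI/FastCGI: header passed through as HTTP_AUTHORIZATION (assumption:
    // the server is configured to forward it; REDIRECT_ form covers mod_rewrite).
    $hdr = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    if (stripos($hdr, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($hdr, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;                                             // malformed header
    }
    return explode(':', $decoded, 2);                            // password may contain ':'
}

function authenticate(array $users, ?array $creds): bool {
    if ($creds === null) {
        return false;
    }
    [$user, $pass] = $creds;
    // Always run password_verify, even for unknown users, so response time does
    // not reveal which usernames exist. The dummy hash is built once per process.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    $hash = $users[$user] ?? $dummy;
    return password_verify($pass, $hash) && isset($users[$user]);
}

// Call at the top of a protected page; returns the authenticated username.
function require_basic_auth(array $users): string {
    $creds = basic_credentials($_SERVER);
    if (!authenticate($users, $creds)) {
        header('WWW-Authenticate: Basic realm="Customer area"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'You are not authorized to access this page.';
        exit;
    }
    return $creds[0];
}

// CLI check: simulate the two ways the credentials arrive, plus a wrong password.
$mod_php = ['PHP_AUTH_USER' => 'ABC', 'PHP_AUTH_PW' => '123'];
$cgi     = ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('ABC:123')];
$wrong   = ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('ABC:124')];
var_dump(authenticate($users, basic_credentials($mod_php)));
var_dump(authenticate($users, basic_credentials($cgi)));
var_dump(authenticate($users, basic_credentials($wrong)));
var_dump(authenticate($users, basic_credentials([])));
```

The first two simulated requests authenticate and the last two do not. Note the last `echo` in the 401 branch is all the client ever sees; the debugging line from post #4 that echoed the submitted username and password back to the browser should never survive into a deployed page.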

  9. #9
    JPC Member
    Join Date
    May 2002
    Posts
    20
    Using a form (as you suggested) the code is like this


    Code:
    <?
    header("Expires: Mon, 25 Jul 1990 05:00:00 GMT");    // Date in the past
    header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); 
                                                         // always modified
    header("Cache-Control: no-store, no-cache, must-revalidate");  // HTTP/1.1
    header("Cache-Control: post-check=0, pre-check=0", false);
    header("Pragma: no-cache");                          // HTTP/1.0
    
    
    //Check values
    if(!$PHP_AUTH_USER || authenticate($PHP_AUTH_USER, $PHP_AUTH_PW)==0) {
    
    //Failed, send 401
    header('HTTP/1.0 401 Unauthorized');
    
    echo "<H2>Forbidden</H2><BR>";
    echo "You don't have permission to access this file on this server.<BR><BR>";
    echo "Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.<BR><BR>";
    echo "--------------------------------------------------------------------------------<BR><BR>";
    echo "Apache/1.3.29 Server at www.parkswc.com Port 80<BR><BR>";
    $ip=$_SERVER["REMOTE_ADDR"];
    echo "Your Logged IP Address:".$ip." >".$PHP_AUTH_USER." <> ".$PHP_AUTH_PW;
    
    //Exit codes
    exit();
    }
    
    //File, User, Pass check
    function authenticate($PHP_AUTH_USER, $PHP_AUTH_PW) {
    
    //Check for user file
    if((!file_exists("/home/parkswc/".$PHP_AUTH_USER.".ini")) || (rtrim($PHP_AUTH_USER)!="ABC") || (rtrim($PHP_AUTH_PW)!="123")) {
    
    //Failed, return 0
    return 0;
    } else {
    
    //Passed, return 1
    return 1;
    }
    
    //Exit codes, just in case
    exit();
    }
    
    echo "You are in the secure area";
    echo "<A Href='test2.php'>CLICK</A>";
    ?>
    The problem I see is there is no way using the form to carry out a session allowing the user to travel over multiple pages. With the form method the user will have to log in to each page?


    Michael

  10. #10
    Community Leader jason
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    You can use PHP sessions to keep track of the login info.

    PHP Code:
    <?php
    session_start();
    if(isset($_SESSION['user']) && isset($_SESSION['passwd'])) {
        //they're already logged in
    }
    elseif(isset($_REQUEST['user']) && isset($_REQUEST['passwd'])) {
        //they're trying to log in
    }
    else {
        //they aren't logged in yet
    }
    ?>
    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com
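Michael's question in #9 (how a form login carries across pages) and Jason's skeleton in #10, filled in as an added example that is not code from either poster. It is meant to be saved as one include file and required at the top of every protected page. Assumptions: PHP 7.3+ (for the array form of `session_set_cookie_params`), the site is served over HTTPS (the cookie is marked secure), and the user table, constructed here, would really live in a file outside the document root as Vin DSL suggests. It differs from the skeleton in two ways worth noting: only the username is kept in the session, never the password, and the form fields are read from `$_POST` rather than `$_REQUEST` so credentials cannot be submitted in a link.

```php
<?php
// Added example (not from the original thread): auth.inc.php
// Usage at the top of each protected page:
//   require_once 'auth.inc.php';
//   $who = require_login();
//   echo 'Hello, ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8');
declare(strict_types=1);

// Constructed user table: username => password hash. In practice return this
// array from a file outside the web root (e.g. /home/parkswc/users.php).
function user_table(): array {
    static $users = null;
    if ($users === null) {
        $users = ['ABC' => password_hash('123', PASSWORD_DEFAULT)];
    }
    return $users;
}

function start_secure_session(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: gone when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
    // Private pages must not be cached by the browser or a shared proxy
    // (same intent as the header block in post #9).
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
}

// Returns the username on success, null on failure. Only the username goes
// into the session; the password is never stored anywhere but as a hash.
function try_login(string $user, string $pass): ?string {
    $hash = user_table()[$user] ?? null;
    if ($hash === null || !password_verify($pass, $hash)) {
        return null;
    }
    session_regenerate_id(true);   // new id on login defeats session fixation
    $_SESSION['user'] = $user;
    return $user;
}

function logout(): void {
    $_SESSION = [];
    session_destroy();
}

function login_form(): string {
    return '<form method="post">'
         . 'User: <input name="user"> '
         . 'Pass: <input type="password" name="passwd"> '
         . '<input type="submit" value="Log in"></form>';
}

// Call at the top of each protected page. Returns the logged-in username, or
// prints the login form and stops the page when there is no valid session.
function require_login(): string {
    start_secure_session();
    if (isset($_GET['logout'])) {
        logout();
    }
    if (isset($_SESSION['user'])) {
        return $_SESSION['user'];                    // already logged in
    }
    if (isset($_POST['user'], $_POST['passwd'])) {   // trying to log in
        $user = try_login((string)$_POST['user'], (string)$_POST['passwd']);
        if ($user !== null) {
            return $user;
        }
        header('HTTP/1.1 401 Unauthorized');
        echo '<p>Login failed.</p>';
    }
    echo login_form();                               // not logged in yet
    exit;
}
```

Because the session id lives in the cookie and the username lives server-side, test2.php and every other page that calls `require_login()` sees the same login without asking again; `?logout=1` on any page ends it.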
