From 2bfe7a1ffe730d653c1a27072acb56365be2309e Mon Sep 17 00:00:00 2001 From: Harvie Date: Wed, 1 Dec 2010 19:45:32 +0100 Subject: [PATCH] Handle basic HTTP auth using PHP instead of using webserver configuration = better portability and security --- wwwroot/config/config_default.inc | 8 ++++ wwwroot/inc/http_auth.php | 78 +++++++++++++++++++++++++++++++ wwwroot/nodes.php | 4 +- 3 files changed, 88 insertions(+), 2 deletions(-) create mode 100644 wwwroot/inc/http_auth.php diff --git a/wwwroot/config/config_default.inc b/wwwroot/config/config_default.inc index d74c993..aa21caf 100644 --- a/wwwroot/config/config_default.inc +++ b/wwwroot/config/config_default.inc @@ -15,6 +15,14 @@ define('CONFIG_DIR', SYSTEM_ROOT . 'config/'); define('AJAX_DIR', SYSTEM_ROOT . 'wwwroot/ajax/'); define('INCLUDE_DIR', SYSTEM_ROOT . 'wwwroot/inc/'); +/* +//Uncomment this to enable Basic HTTP Auth: +$realm = 'kyberia'; //This is used by browser to identify protected area and saving passwords (one_site+one_realm==one_user+one_password) +$users = array( //You can specify multiple users in this array + 'kyberia' => 'passw' +); +*/ + define('SMARTY_DIR', SYSTEM_ROOT . 'wwwroot/smarty/libs/'); define('SMARTY_PLUGIN_DIR', SYSTEM_ROOT . 'wwwroot/inc/smarty/node_methodz/'); define('TEMPLATE_DIR', SYSTEM_DATA . 'templates/'); diff --git a/wwwroot/inc/http_auth.php b/wwwroot/inc/http_auth.php new file mode 100644 index 0000000..18b6c78 --- /dev/null +++ b/wwwroot/inc/http_auth.php @@ -0,0 +1,78 @@ + 'passw' +);*/ +//Misc +$require_login = true; //Require login? (if false, no login needed) - WARNING!!! +$location = '401'; //Location after logout - 401 = default logout page (can be overridden by ?logout=[LOCATION]) +//CopyLeft +$ver = '2o1o-3.9'; +$link = 'blog.harvie.cz'; +$banner = "Harvie's PHP HTTP-Auth script (v$ver)"; +$hbanner = "
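Review bot: The sample `$users` block keeps the login password in clear text in `wwwroot/config/config_default.inc`; if `wwwroot/` is the document root and the web server does not hand `.inc` files to the PHP interpreter, a direct request for that path would return the credentials verbatim, and `check_auth` in the new `inc/http_auth.php` compares these values as plain strings, so they cannot be stored hashed without changing that function. A comment next to the `$users` definition should state this, e.g. `//NOTE: passwords here are compared in plain text by inc/http_auth.php; never put real credentials in a file the web server can serve directly`. Whether `wwwroot/` is actually the document root is not visible in this patch, so the exposure should be confirmed against the deployment.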
$banner\n-\n$link\n"; +$cbanner = "\n"; +//Config file +@include('./_config.php'); +///////////////////////////////////////////////////////////////////////////////////////////////////////////////// +//MANUAL///////////////////////////////////////////////////////////////////////////////////////////////////////// +/* HOWTO + * To each file, you want to lock add this line (at begin of first line - Header-safe): + * //Password Protection 8') + * Protected file have to be php script (if it's html, simply rename it to .php) + * Server needs to have PHP as module (not CGI). + * You need HTTP Basic auth enabled on server and php. + */ +///////////////////////////////////////////////////////////////////////////////////////////////////////////////// +////CODE///////////////////////////////////////////////////////////////////////////////////////////////////////// + function send_auth_headers($realm='') { + Header('WWW-Authenticate: Basic realm="'.$realm.'"'); + Header('HTTP/1.0 401 Unauthorized'); + } + + function check_auth($PHP_AUTH_USER, $PHP_AUTH_PW) { //Check if login is succesfull (U can modify this to use DB, or anything else) + return (isset($GLOBALS['users'][$PHP_AUTH_USER]) && ($GLOBALS['users'][$PHP_AUTH_USER] == $PHP_AUTH_PW)); + } + + function unauth() { //Do this when login fails + $cbanner = $GLOBALS['cbanner']; + $hbanner = $GLOBALS['hbanner']; + die("$cbanner401 - Forbidden\n

401 - Forbidden

\nLogin...\n$hbanner"); //Show warning and die + die(); //Don't forget!!! + } + +//Backward compatibility +if(isset($_SERVER['PHP_AUTH_USER']) && $_SERVER['PHP_AUTH_PW'] != '') $PHP_AUTH_USER = $_SERVER['PHP_AUTH_USER']; +if(isset($_SERVER['PHP_AUTH_PW']) && $_SERVER['PHP_AUTH_PW'] != '') $PHP_AUTH_PW = $_SERVER['PHP_AUTH_PW']; + +//Logout +if(isset($_GET['logout'])) { //script.php?logout + if(isset($PHP_AUTH_USER) || isset($PHP_AUTH_PW)) { + Header('WWW-Authenticate: Basic realm="'.$realm.'"'); + Header('HTTP/1.0 401 Unauthorized'); + } else { + if($_GET['logout'] != '') $location = $_GET['logout']; + if(trim($location) != '401') Header('Location: '.$location); + die("$cbanner401 - Log out successfull\n

401 - Log out successfull

\nContinue...\n$hbanner"); + } +} + +if($require_login) { + if(!isset($PHP_AUTH_USER)) { //Storno or first visit of page + send_auth_headers($realm); + unauth(); + } else { //Login sent + + if (check_auth($PHP_AUTH_USER, $PHP_AUTH_PW)) { //Login succesfull - probably do nothing + } else { //Bad login + send_auth_headers($realm); + unauth(); + } + + } +} +//Rest of file will be displayed only if login is correct diff --git a/wwwroot/nodes.php b/wwwroot/nodes.php index 2070296..9da9953 100644 --- a/wwwroot/nodes.php +++ b/wwwroot/nodes.php @@ -1,4 +1,6 @@ "); var_dump(preg_split('/\//', $_SERVER['PATH_INFO'])); die(); //PATH_INFO Debug (usefull when messing with mod_rewrite) // output buffering forcing (mx) if (!empty($_POST['FORCE_OB']) && $_POST['FORCE_OB'] == 'true') ob_start(); @@ -74,8 +76,6 @@ if( if(isset($_GET['node_kid'])) $_GET['node_id'] = base_convert($_GET['node_kid'], 36, 10); if(isset($_GET['template_kid'])) $_GET['template_id'] = base_convert($_GET['template_kid'], 36, 10); -//requiring main config file with path/database etc. constants -require('config/config.inc'); require(INCLUDE_DIR.'senate.inc'); if (isset($_SERVER['HTTP_REFERER'])) { -- 2.30.2
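Review bot: In the logout branch `$location` is taken straight from `$_GET['logout']` and handed to `Header('Location: '.$location)`, which turns the logout link into an open redirect; restrict it to a site-local path, e.g. `if($_GET['logout'] != '' && $_GET['logout'][0] == '/' && substr($_GET['logout'], 0, 2) != '//') $location = $_GET['logout'];`, or check it against a fixed allowlist before sending the header. `check_auth` compares the configured password with the submitted one via `==`, PHP's loose comparison (numeric-looking strings are compared as numbers) with a data-dependent running time; `return (isset($GLOBALS['users'][$PHP_AUTH_USER]) && hash_equals((string) $GLOBALS['users'][$PHP_AUTH_USER], (string) $PHP_AUTH_PW));` keeps the interface and fixes both (on PHP older than 5.6, use `===` at least). The "Backward compatibility" lines read `$_SERVER['PHP_AUTH_PW']` without an `isset` guard in the first condition, so a request without credentials raises a notice before the 401 is sent. The head of the new file, up to the `'passw'` entry, is not legible in this copy of the patch.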
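Review bot: The two lines added at the top of nodes.php are not legible in this copy of the patch, so where the new `http_auth.php` include lands relative to the first output cannot be checked; because that file responds with `Header(...)` calls, it has to run before anything is echoed, and a comment on the include line such as `//HTTP auth must run before any output (it sends 401 headers)` would protect that ordering. The removal of `require('config/config.inc')` in the second hunk presumably means the config is now loaded by those added lines, which the `$users`/`$realm` lookups in http_auth.php depend on. Only nodes.php is wired up here, so any other script under wwwroot/ that is reachable directly (the AJAX_DIR scripts, for instance) presumably stays unauthenticated; confirm that this is intended or that those entry points are routed through nodes.php.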