Until Microsoft released their security update to IE, I used an HTML form for the user to input his/her username/password which was passed to ‘username:password@The IE patch now restricts
When AuthUserFile is in my .htaccess file and I try to access a restricted file, the browser brings up a login popup and I can gain access.
My goal is to login through my html form.
I’m very close to getting this working, but I don’t understand how the $auth = false or true gets passed.
Could it be the <LIMIT GET POST PUT> require valid-user</LIMIT> in the .htaccess needs to change?
Or is something else missing from my .htaccess file?
Do I need something like auth($_SESSION['user'], $_SESSION['pass']) in the .htaccess file?
I hope this thread helps other people with this problem. I’ve Googled the heck out of this issue.
I’ve added my auth.php and .htaccess files below.
I feel that I’m so close, but can’t get past the finish line.
Also, my DB is Apache.
************************************************
My auth.php file looks like this ….
************************************************
<?php
session_start();

// Take the credentials from the login form, falling back to the cookies
// set by an earlier successful login.
$PHP_AUTH_USER = isset($_POST['username']) ? $_POST['username'] : null;
$PHP_AUTH_PW   = isset($_POST['password']) ? $_POST['password'] : null;
if (!isset($PHP_AUTH_USER) && isset($_COOKIE['username'])) $PHP_AUTH_USER = $_COOKIE['username'];
if (!isset($PHP_AUTH_PW) && isset($_COOKIE['password'])) $PHP_AUTH_PW = $_COOKIE['password'];

$auth = false; // Assume user is not authenticated

if (isset($PHP_AUTH_USER) && isset($PHP_AUTH_PW)) {
    // Read the entire file into the variable $file_contents
    $filename = '/usr/local/zeus/web_roots/main/domain.com/cgi-bin/pa/passwordfile.txt';
    $fp = fopen($filename, 'r');
    $file_contents = fread($fp, filesize($filename));
    fclose($fp);

    // Place the individual lines from the file contents into an array.
    $lines = explode("\n", $file_contents);

    // Split each of the lines into a username and a password pair
    // and attempt to match them to $PHP_AUTH_USER and $PHP_AUTH_PW.
    foreach ($lines as $line) {
        // Skip blank or malformed lines that have no "user:hash" separator.
        if (strpos($line, ':') === false) continue;
        list($username, $password) = explode(':', trim($line), 2);

        if ($username === "$PHP_AUTH_USER") {
            // Get the salt from $password. It is always the first
            // two characters of a DES-encrypted string.
            $salt = substr($password, 0, 2);

            // Encrypt $PHP_AUTH_PW based on $salt
            $enc_pw = crypt($PHP_AUTH_PW, $salt);

            // Strict comparison, so numeric-looking strings are not
            // compared as numbers.
            if ($password === "$enc_pw") {
                // A match is found, meaning the user is authenticated.
                // Stop the search.
                $auth = true;
                // Keep the credentials in cookies for 36000 seconds (10 hours).
                // The password cookie holds the password in plain text.
                setcookie('username', $PHP_AUTH_USER, time() + 36000);
                setcookie('password', $PHP_AUTH_PW, time() + 36000);
                break;
            }
        }
    }
}

if (!$auth) {
    // Ask the browser for HTTP Basic credentials.
    header('WWW-Authenticate: Basic realm="Private"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
} else {
    header('Location: first.htm');
}
?>
************************************************
My .htaccess file looks like this….
************************************************
AuthType Basic
AuthName "Domain Login"
AuthGroupFile /dev/null/
php_value auto_prepend_file "/usr/local/zeus/web_roots/main/domainname.com/auth.php"
<LIMIT GET POST PUT>
require valid-user
</LIMIT>
************************************************
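
Added example, not part of the original post and not the poster's code: with `AuthType Basic` and `require valid-user` in place, Apache itself demands Basic credentials, so the value of `$auth` in the prepended script never reaches it. The sketch below enforces the form login in PHP alone through a server-side session instead of credential cookies. It assumes the `AuthType`/`require valid-user` lines are removed from .htaccess; `verify_htpasswd`, `PASSWORD_FILE` and `LOGIN_FORM` are hypothetical names and the paths are placeholders.

```php
<?php
// Added example: session-based gate meant to be loaded via auto_prepend_file.
const PASSWORD_FILE = '/path/to/passwordfile.txt'; // placeholder path
const LOGIN_FORM    = '/login.php';                // hypothetical login form page

/** Return true if $user/$pass match a "user:hash" line in an htpasswd-style file. */
function verify_htpasswd($file, $user, $pass)
{
    $lines = @file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return false;                  // unreadable file: fail closed
    }
    foreach ($lines as $line) {
        $parts = explode(':', $line, 2);
        if (count($parts) !== 2 || $parts[0] !== $user) {
            continue;                  // malformed line or another user
        }
        // crypt() takes salt and scheme from the stored hash; hash_equals()
        // compares the two hashes in constant time.
        return hash_equals($parts[1], (string) crypt($pass, $parts[1]));
    }
    return false;
}

session_start();

if (empty($_SESSION['user'])) {
    $user = isset($_POST['username']) ? $_POST['username'] : '';
    $pass = isset($_POST['password']) ? $_POST['password'] : '';
    $path = parse_url(isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/', PHP_URL_PATH);

    if (is_string($user) && is_string($pass) && $user !== ''
        && verify_htpasswd(PASSWORD_FILE, $user, $pass)) {
        session_regenerate_id(true);   // new session id on login (session fixation)
        $_SESSION['user'] = $user;     // state stays on the server; no password kept
    } elseif ($path !== LOGIN_FORM) {
        // Not logged in and not the form itself: send the browser to the form.
        header('Location: ' . LOGIN_FORM, true, 303);
        exit;
    }
}
// Execution falls through to the requested PHP page for logged-in users.
```

`auto_prepend_file` only runs for requests that PHP handles, so static files such as `.htm` pages in the same directory are not covered by this gate unless they are served through PHP.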