There is a simple way to password protect a website directory using htacess and htpasswd files. More here: https://css-tricks.com/easily-password-protect-a-website-or-subdirectory/
But when it asks the user for a password it does so using a popup dialogue box at the browser level, see below:
Is is possible to communicate w the server via PHP so as to embed this interaction (i.e. requesting a username and password that works using the aforementioned technique) directly into a web page? If so, how would one go about this?
The "htaccess technique" uses a feature of the HTTP protocol, which is embedded HTTP authentication. This is a standardised protocol, which browsers implement with a standardised UI. You cannot change that UI. If you want a regular "in-page authentication" with a login form etc, you need to implement it entirely yourself using sessions and a custom HTML form.
That popup is provided by Apache (or installed webserver) to manage authentication on the first level. That allows you to be authenticated in all the webserver.
Authentication in PHP is only (by default) a webpage login.
The Server Authentication is locking, because if you don't have the username you cant do anything.
The PHP Authentication is configurable by you in all senses.
Both authentications are correct, but they are used for different things.
Related
I have main PHP website and a Redmine app. When a user logged in to my website, new tab will pop-up and open the Redmine and login using the username and password that the user entered on the main website. Or if it is not possible to auto login from my main website to Redmine, is it possible to just have a default value on the username field and password field from the ones that the user also inputted on the main website?
I'm still noob on configuring Redmine and Ruby on Rails, so please bear with me :(
Edit: The main website and the Redmine website will be a system for our group only so I think security will not be a major issue. Also they won't be going online and will be operating through the intranet only.
You asked:
is it possible to modify redmine login page? To have it get variables on url? So I can just open a new window like this: redmine/login?user=user&pass=pass.
Hopefully not. If Redmine is built well (and I'd be reasonably sure it is) then it will only accept user credentials in a post operation, so as to avoid passwords being recorded via the URL in browsers, proxy servers and web servers. It would be poor security practice to attempt to log on this way, or for Redmine to permit you to do so.
One of the approaches I was suggesting in my earlier comment was for your PHP application to become a proxy for Redmine operations. There's two sub-categories here:
Use a programmatic browser component to carry out form operations in Redmine by visiting pages, clicking buttons, submitting forms etc. This is the "screen scraper" approach, but can be quite reliable since presumably Redmine does not change its HTML layout very often. Thus, the cookies you would normally have in your browser would be stored on the server instead.
Use an API built into Redmine. I guess there's not one as standard, but I found this one. I've not used it, so you'd need to test its suitability.
In either approach, you would not use Redmine directly at all: you would build the Redmine features you need into your PHP application, using forms to accept relevant user input, and rendering to the screen the output your server has received from Redmine.
This would work, but bear in mind that it's not a trivial project, either in terms of its size or complexity. If you are after a simpler alternative, then the browser password store is an option, but it won't log users on automatically, nor automatically discover the username you are logged on as in your PHP application.
This is a two part question.
The first question is. I am looking for a way to shield my php pages using one of these generic login boxes that appear without a real page / html form. Like this box here. What is the name of this? How is it done?
The second is. I want to CRON to visit this password page, and kick off a php script.
The dialog shows up for HTTP "Basic" or "Digest" authentication. This should not be used for anything serious. The "Basic" authentication sends passwords in the clear to the server. "Digest" is somewhat better, but there is no way for a user to detect whether the password he's supplying will be used for Basic or Digest (it might not even be clear to the user whether he's authenticating with an HTTP or HTTPS server).
Finally, most browsers offer only very obscure ways to clear a password for these authentication methods once it has been typed in. There is no way for the website itself to force a "log out" purge. So users who need to use shared/public computers will not be able to log out afterwards.
http://php.net/manual/en/features.http-auth.php
It sounds like you're referring to basic HTTP authentication.
If you're using the Apache webserver, use this documentation to help you set it up.
In general, URIs may contain authentication details and HTTP will accept these.
Form your URL like:
http://<username>:<password>#hostname/path
You may be better-off using CodeIgniter's built-in authentication facilities.
This is called HTTP Basic Authentication. Basic authentication can be invoked through PHP (as Timur suggested), or through Apache.
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /usr/local/apache/passwd/passwords
Require user thomasreggi
As for the second part, you can use cron with wget or make cron run your php curl script. Here's a question which shows how to do this.
I am creating a website with multiple sections--admin, client, user, and anonymous--each user group having less access then the next. I am wondering what form of authentication would be best for my use?
I have heard the if you are just dealing with a websites then a web form is for you (because it's prettier). HTTP header authentication with PHP is said to get clunky/sloppy. htAcess is pretty much the hard core of various authentication methods I have looked up, but is it too much?
You're confusing things.
Your three options are basically two:
Use HTTP authentication
Do not use HTTP authentication
Whether it's handled by an .htaccess file or not is another matter. You can do HTTP authentication with Apache and PHP, and you can do non-HTTP authentication with Apache and PHP (though usually you do non-HTTP auth with PHP and HTTP auth with Apache).
Apache can defer the authentication to several backend and frontend modules (e.g. you can use CAS). Apache provides out-of-the-box (no dated sourceforge module...) for the following database backends: FreeTDS, MySQL, Oracle, PostgreSQL, SQLite 2/3 and an ODBC connector.
Personally, I dislike HTTP authentication. Usually a form will is more user friendly and you can provide links such as "Forgot your password?" and "Username not found".
I'd also go with implementing the authentication in PHP, because it's more portable (you can swap the web server).
Go for the form (a session really).
Nowadays it's the only option.
First off, for your application you should go for the simpler login form / session method. Because you want in-application user groups, it's only senseful to also use in-application authentication. Technically for the permission system it makes no difference which auth method is used. But you know, for simplicity and keeping all authorization stuff together...
The hatred against HTTP authentication is misgued, btw. It's the stronger authentication method, if you use HTTP Digest; which OTH is difficult to implement in PHP.
It's a usability nightmare only if you do it wrong. Practically a HTTP logon can be initiated with a login form as well. Using XMLHttpRequest can successfully trigger HTTP Authentication. And with a little more work (401 and new realm), pretty logouts are possible too. If no Javascript is enabled it falls back on the boring login dialog / readline obviously. But I've personally used a text-only browser for a while, and I tended to like that more.
Also, if your admin group is serious business (raw database access tools etc.), you should apply both methods. Make the admin interface separate from the application, apply login form and .htaccess restrictions. Better safe than sorry.
I'm making a members area for my site and I have it already running. I authenticate members using mysql and php and this works really well.
But now problems occurs, I would like to offer members a possibility to upload files to the systems, and those files should be available ONLY to logged in members.
I know I could store those files to a database or even in a filesystem and serve them throught php, BUT this will get very heavy for the server when members upload bigger files. Those files might be even 20MB or even bigger.
I would like to let apache serve the files, but just need to find a way to automatically do the http authentication, so users wouldn't need to log in twice. I suppose it is ok to make this http authentication behind one username and password, something like when a user logs in to the php and mysql authentication, transparently at the same time javascript etc. would do that http authentication also, every member would do the http authentication with the same credentials. Of course I wouldn't want to store those http auth credentials in a javascript file, but something ajax like solution maybe would do the trick. I'm just not sure how to do this.
It seems like you are confusing authentication (where you provide some way to login) with HTTP authentication (where you specifically use the HTTP protocol to authenticate, and the browser shows a popup to the user).
You probably want the former so you can style the login page. In that case you'll have to use PHP or some scripting langauge to check that the user is logged in. fpassthru or readfile can be good solutions for some web sites; they're fast and optimised for this type of work.
If you really want to do the file handling work in the web browser and not in PHP, one solution can be to create unique, short-lived filenames. You can for example create hard links to the file in PHP using link and then redirect the user to the temporary filename. Store the hard links in a database and remove them after a short while.
Check out Using PHP/Apache to restrict access to static files (html, css, img, etc). I think the approach taken there is pretty similar to your problem.
I have created some PHP-based intranet resources that require users to log in. The users create their own logins, and I verify that they are logged in using a cookie.
I've been asked if I can tie that login to their Windows login instead. My initial response was "a web page cannot access your Windows login - that would be a security risk." But one of our departments uses Sharepoint, and it does in fact tie itself to the Windows login.
How is that done? Can I do it in PHP? If so, why is it not a horrible security hole?
What you are looking for is NTLM authentication against the PHP website, which is perfectly doable but seems there is no single way in PHP to do it.
Have a look at http://siphon9.net/loune/2007/10/simple-lightweight-ntlm-in-php/
You also need to add the sites to your trusted sites in IE (or the equivalent in whichever browser you are using) and in the settings for trusted sites, turn on 'send current username and password'.
Its not a horrible security hole because the credentials are not sent en clair over the wire, and the end user has specifically told the browser to send credentials to the website in question.
PHP has LDAP support, so you can access Windows' Active Directory
There is this project on SourceForge:
adLDAP - "LDAP Authentication with PHP for Active Directory"
Often times this is done using a combination of LDAP and NTLM. Browsers like IE and Firefox can do NTLM authentication, which I believe is how Sharepoint works. I run a Java-based portal application that uses LDAP for syncing users and NTLM for authentication.
What you absolutely do not want to do is have the user enter their domain username and password into the browser. In years past I've seen several projects using this approach with LDAP to authenticate Windows users. You're correct, it is a security concern. The user should enter his or her password only once: when logging in to the workstation. The last thing you want are passwords sitting around in cache / temp files.
I apologize that I can not provide a "here's how you do it with a PHP app" answer. As far as I know, there is no one answer to this problem.
(One thing I have done in the past, and I never really checked to see if it was valid or poor form, was to use PHP from IIS. If you're using IIS, then PHP will populate the server variable REMOTE_USER with the Windows user's username (DOMAIN\user). It worked for what I was doing at the time.)