PHP security(user auth)

PHP security(user auth)

Posted by: lock
Posted on: 2006-02-14 19:31:00

Im setting up a php website where I need the user to log in, then I need tp pass that user id amoung pages(assuming its a valid user). I started with a basic script using the php_auth vairables but Im having no luck. Anyone done this on Dreamhost?

<?php

if ((!isset( $PHP_AUTH_USER )) || (!isset($PHP_AUTH_PW))) {

header( 'WWW-Authenticate: Basic realm="Private"' );
header( 'HTTP/1.0 401 Unauthorized' );
echo 'Authorization Required.';
exit;

} else {

echo "You entered $PHP_AUTH_USER for a username.<BR>";
echo "You entered $PHP_AUTH_PW for a password.<BR>";

}

?>

Re: PHP security(user auth)

Posted by: Ryo-ohki
Posted on: 2006-02-14 20:30:00

I am not a coder, so I can't help you out there. But what I can advise is to not re-invent the wheel. I don't know what kind of website you have, but if it's going to be a community-driven one you should use a content management system. It has that sort of thing by default. DH provides one called joomla in the one-click install section. If you want to see what it looks like before you install it, http://opensourcecms.com has it in their live demo section under portals.

The Insane Cabbit
My Blog http://www.sounanda.com
My web store:
http://www.marciesgifts.com
Send me a pm if you want cms or forum software installed (for a fee)

Re: PHP security(user auth)

Posted by: silkrooster
Posted on: 2006-02-14 20:35:00

Don't know a whole lot about it, but I did read that authentication requires php to be run as a module instead of cgi.
If you require cgi, then create the password and user fields yourself.
As it is nothing more than a simple form.

Edit: Attached is a copy of a password form I have been working on. This test if B1 or B2 submit button has been pressed. As the rest of the program will reload the whole page if either button is pressed and if they have permission to press those buttons, then they have no reason to enter the username or password again. The reason for $protect is to give the owner an option to enable/disable password protection in a config file.

if (($_POST['B2']==true) or ($_POST['B1']==true)){ 
$protect=0;
}
if ($protect=='1') {
if ($_POST['B3']==false) { 
print <<< LOGIN
<div class="login">
<p class="warn">PASSWORD PROTECTED - Please type in your username and password</p>
<form method="post" action="{$_SERVER['PHP_SELF']}">
<p>Username: <input type="text" name="username">

Password: <input type="text" name="password"></p>
<p class="button"><input type="Submit" value="log in" name="B3"></p>
</form>
</div>
LOGIN;
}
if (($_POST['username']!=$user) or ($_POST['password']!=$pass)) {
	if ($_POST['B3']==true) { 
	print "Incorrect user name or password ( Use your browsers back button to try again)";
}
exit;
}
}

Silk

Edited by silkrooster on 02/14/06 08:49 PM (server time).

Tags: php websitedreamhostassumingluck