htaccess Elite

.htaccess tutorial


 Post subject: Elite .htpasswd Basic Authentication + logging with PHP
PostPosted: 27 Jan 2008 04:42 

Joined: 28 Feb 2007 17:16
Posts: 40
Tested for DreamHost Apache 2 running php-cgi.


Process Request

Code:
client -> GET /
server -> set REMOTE_USER=user
          set REDIRECT_REMOTE_USER=REMOTE_USER if 401 errordocument
          show errordocument 401 if invalid user/pass
          errordocument 401 requests user pass with "Authorization Required"
          401 sends header 'WWW-Authenticate: Basic realm="AskApachePass"'
client -> GET /
          send username and password with
          header 'Authorization: Basic (base64_encoded username:password)'
server -> (repeats until authorized)


Two .htaccess tricks are required:
1. a custom 401 ErrorDocument specifying a php file (the logger).
2. pass along the client's username using mod_rewrite.

Code:
.htaccess

# on a failed login Apache serves this script instead of its default 401 page
ErrorDocument 401 /log-htpasswd.php

# BEGIN AskApache Password Protect
AuthName "AskApachePass"
# NOTE: this must be the full filesystem path, e.g. /home/user/.htpasswd (see below)
AuthUserFile /.htpasswd
AuthGroupFile /dev/null
AuthType Basic
Require valid-user
# END AskApache Password Protect

# while the 401 ErrorDocument is being served, copy the attempted username
# (REDIRECT_REMOTE_USER) into REMOTE_USER so it survives the handoff to the php handler
RewriteEngine On
RewriteBase /
RewriteCond %{ENV:REDIRECT_STATUS} ^401$
RewriteRule .* - [E=REMOTE_USER:%{ENV:REDIRECT_REMOTE_USER}]


log-htpasswd.php
Code:
<?php
// log file that receives one attempted username per line
define('LOGINS_LOG','/home/user/log-htpasswd.log');

// REDIRECT_REMOTE_USER is only present when Apache redirected here after a
// failed Basic auth attempt that carried a username (set by the rewrite above)
if(isset($_ENV['REDIRECT_REMOTE_USER']) && !empty($_ENV['REDIRECT_REMOTE_USER'])){
// 'a' = append mode; one username per line
$fp = fopen(LOGINS_LOG, 'a');
fwrite($fp, $_ENV['REDIRECT_REMOTE_USER']."\n");
fclose($fp);
}

// re-send the 401 so the browser prompts for credentials again
ob_start();
header("HTTP/1.1 401 Authorization Required",1);
header("Status: 401 Authorization Required",1);
echo '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>401 Authorization Required</title></head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn\'t understand how to supply
the credentials required.</p></body></html>';
exit;
?>



example log-htpasswd.log
just a list of usernames attempted

username1
tom
rcowen
askapache
dreamhost
dreamadmin



All you need to do now is add mysql commands to log-htpasswd.php... And you should tighten the security for log-htpasswd.php to only allow requests from the server for redirects, to secure it against crackers and hackers.


PostPosted: 27 Jan 2008 04:44

Joined: 28 Oct 2006 07:37
Posts: 44
So I'm not sure what's different in my environment, but this does not work....

First I had to change /.htpasswd to the full path or I couldn't even log in.

I checked my log file path etc., even made it all 777s, and then just tried writing "test" in it; nothing...
Made a copy of log-htpasswd.php and pulled the if and other stuff out; it did write "test" to the file, only no user.

I don't know, this is what is driving me a bit nuts. I agree this should work.


PostPosted: 27 Jan 2008 04:47

Joined: 28 Feb 2007 17:16
Posts: 40
No worries Sorcerer~

I forget that my environment is different from the default; I have a lot of optimized stuff going on. My guess is that it's a PHP issue.

First, the .htpasswd thing was my fault; indeed you will need to change it to the full path, like /home/user/.htpasswd.

Next, configure your domain to use php5.cgi:

1. cd to your domain root

cd /home/user/domain.com

2. make a cgi-bin folder

mkdir -p /home/user/domain.com/cgi-bin; chmod 755 /home/user/domain.com/cgi-bin

3. copy the php5.cgi

cp -p /dh/cgi-system/php5.cgi /home/user/domain.com/cgi-bin

4. add this to your /home/user/domain.com/.htaccess

Code:
AddHandler php-cgi .php
Action php-cgi /cgi-bin/php5.cgi


Now that you have php5, it should work.



Ultimate debug:

1. create a file called login.php in /home/user/domain.com/cgi-bin/login.php and make a copy at /home/user/domain.com/logins.php
2. the contents of login.php, change the IP to yours

Code:
<?php
define('LOGINS_LOG','/home/user/logins.log');

// append every attempted username (empty on the first, unauthenticated request)
$fp = fopen(LOGINS_LOG, 'a+');
fwrite($fp, (isset($_ENV['REDIRECT_REMOTE_USER']) ? $_ENV['REDIRECT_REMOTE_USER'] : '')."\n");
fclose($fp);

ob_start();
header("HTTP/1.1 401 Authorization Required",1);
header("Status: 401 Authorization Required",1);
echo '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>401 Authorization Required</title></head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn\'t understand how to supply
the credentials required.</p>';
// only your own IP gets the debug dump below; everyone else just sees the 401 page
if($_SERVER['REMOTE_ADDR'] !== '208.113.183.103') die();
echo '<pre>';
// HTTP_AUTHORIZATION is handed to php-cgi by the rewrite rule below;
// Basic auth credentials are only base64 encoded, so this is the plain user:pass
$password=base64_decode(str_replace('Basic ','', $_SERVER['HTTP_AUTHORIZATION']));
echo $password;
print_r($_ENV);
print_r($_SERVER);
exit;
?>

3. Add this to your /home/user/domain.com/.htaccess

Code:
ErrorDocument 401 /logins.php

RewriteEngine On
RewriteBase /
# either Apache is serving the 401 ErrorDocument...
RewriteCond %{ENV:REDIRECT_STATUS} ^401$ [OR]
# ...or login.php / logins.php was requested directly ("logins?" matches both)
RewriteCond %{REQUEST_URI} ^/.*logins?\.php$
# hand the raw Authorization header and the attempted username through to php-cgi
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},E=REMOTE_USER:%{ENV:REDIRECT_REMOTE_USER}]

<Files login.php>
AuthName "Protection"
AuthUserFile /home/user/.htpasswd
AuthGroupFile /dev/null
AuthType Basic
Require valid-user
</Files>


Now go to your web browser and request http://site.com/cgi-bin/login.php and try entering the wrong password, hitting cancel, entering the correct password, etc.

Besides also showing you the decrypted password, it will show you everything you need to know. Let me know how it goes.

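The first post says log-htpasswd.php should be tightened so that only the server's own 401 redirect can reach it, and this post shows that under php5.cgi the Action handler adds a second internal redirect on top of the ErrorDocument one. The script below is an added example from the editor, not code from either post: it assumes the ErrorDocument 401 plus REMOTE_USER rewrite from the first post and a placeholder log path, and the helper name redirect_var is invented here. It logs the attempted username (never the password) only when a 401 redirect is present at some REDIRECT_ depth, so it behaves the same under mod_php and php-cgi.

```php
<?php
// Added example (editor's, not from the thread): a hardened drop-in for
// log-htpasswd.php. Placeholder log path; same .htaccess as in the first post.
define('LOGINS_LOG', '/home/user/log-htpasswd.log');

// Apache adds one more "REDIRECT_" prefix to the environment for every
// internal redirect, and the Action php-cgi handler is a second redirect
// after ErrorDocument 401. So the status we want is REDIRECT_STATUS under
// mod_php but REDIRECT_REDIRECT_STATUS under php5.cgi; walk the prefixes.
function redirect_var($name) {
    $key = $name;
    for ($depth = 0; $depth < 4; $depth++) {
        if (isset($_SERVER[$key]) && $_SERVER[$key] !== '') {
            return $_SERVER[$key];
        }
        $key = 'REDIRECT_' . $key;
    }
    return '';
}

// Log only when Apache itself redirected here for a 401. A client fetching
// /log-htpasswd.php directly has no 401 in its environment (request headers
// become HTTP_* variables and cannot set REDIRECT_*), so the log cannot be
// filled or forged through the script.
if (redirect_var('STATUS') === '401') {
    // Username only: the Authorization header carries the password
    // (base64, not encrypted) and must never be written to disk.
    $user = redirect_var('REMOTE_USER');
    if ($user !== '') {
        // Replace control bytes so a crafted username cannot inject extra
        // log lines; cap the length.
        $user = substr(preg_replace('/[\x00-\x1F\x7F]/', '?', $user), 0, 64);
        $addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-';
        $line = gmdate('Y-m-d\TH:i:s\Z') . ' ' . $addr . ' ' . $user . "\n";
        // LOCK_EX: several php-cgi processes may append at the same time.
        file_put_contents(LOGINS_LOG, $line, FILE_APPEND | LOCK_EX);
    }
}

// Re-emit the 401 so the browser keeps prompting. Apache keeps its own
// WWW-Authenticate header across a local 401 ErrorDocument, so it is
// not repeated here.
header('HTTP/1.1 401 Authorization Required');
header('Status: 401 Authorization Required');
echo '<!DOCTYPE html><html><head><title>401 Authorization Required</title>'
   . '</head><body><h1>Authorization Required</h1><p>This server could not '
   . 'verify that you are authorized to access the document requested.</p>'
   . '</body></html>';
```

Each log line now carries a UTC timestamp and the client address, which is what you need later if you want to count attempts per source rather than just list usernames.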
