How can I get a user's input when using htaccess/htpasswd?

I want to create a login system using an .htaccess and .htpasswd file and PHP for the server-side code, but when the user logs in I want to be able to identify that user. So how can I know what the user typed in as their username using PHP code? (I assume I won't need to know the password if they've managed to access the restricted page.)
Many thanks,
Ben

You just need the following to get the username that is currently in use for an authenticated session:
$_SERVER['PHP_AUTH_USER']
In light of @Ben's comment I've now found the section in the PHP documentation, HTTP authentication with PHP, that explains what's going on:
As of PHP 4.3.0, in order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page and safe mode is enabled. Regardless, REMOTE_USER can be used to identify the externally-authenticated user. So, you can use $_SERVER['REMOTE_USER'].

Related

Squid and Click-Through Authentication

I need a simple solution here... I'm pretty sure this is possible, I just don't know how to set it up.
I need squid to redirect all users to a simple user acceptance agreement before allowing them out to the internet. No username and password; they either accept the agreement and get allowed access, or they don't and get a permission denied page.
I don't want to have anything complicated, let's keep it simple if we can.
I have reviewed this: http://wiki.squid-cache.org/ConfigExamples/Portal/Splash#Portal_Splash_Pages
However it's not very clear to me...
Thanks in advance...
From the auth_param section in the squid.conf file:
Specify the command for the external authenticator. Such a program reads a line containing "username password" and replies "OK" or "ERR" in an endless loop. "ERR" responses may optionally be followed by an error description available as %m in the returned error page. By default, the basic authentication scheme is not used unless a program is specified.
There are lots of examples around. This link has an example of a custom squid helper in PHP. It can easily be modified to have a checkbox for agreement instead of a username/password authentication.
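As an added illustration (not the helper the answer links to, and not part of the original answer), here is a minimal Squid basic-auth helper in PHP that implements the "username password" in, "OK"/"ERR" out loop quoted above. It treats the password field as the acceptance token for the usage agreement, so the browser's proxy login prompt becomes the click-through. The squid.conf lines, the helper path, the log path, the token text and the assumption that Squid URL-encodes both fields (as the Squid 3.x helper protocol does) are all assumptions of this example.

```php
#!/usr/bin/env php
<?php
// Added example (not part of the original answer): Squid basic-auth helper
// that grants access when the "password" equals the agreement token.
//
// Hypothetical squid.conf fragment:
//   auth_param basic program /usr/local/bin/agreement_helper.php
//   auth_param basic children 5
//   auth_param basic realm Enter any name and the password I AGREE to accept the usage policy
//   auth_param basic credentialsttl 8 hours
//   acl agreed proxy_auth REQUIRED
//   http_access allow agreed
//   http_access deny all
declare(strict_types=1);

const ACCEPT_TOKEN = 'I AGREE';                        // constructed token
const LOG_FILE     = '/var/log/squid/agreement.log';   // hypothetical path

/**
 * Decide on one helper request line and return the reply line for Squid
 * (without the trailing newline). Squid URL-encodes both fields, so they
 * are decoded before use (assumption based on the 3.x helper protocol).
 */
function decide(string $line): string
{
    $parts = explode(' ', rtrim($line, "\r\n"), 2);
    if (count($parts) !== 2 || $parts[0] === '') {
        return 'ERR malformed credentials';
    }
    $token = rawurldecode($parts[1]);

    // Constant-time comparison even though the token is public: keeps the
    // helper correct if a real secret is ever swapped in.
    if (hash_equals(ACCEPT_TOKEN, $token)) {
        return 'OK';
    }
    // Plain text after ERR is what the quoted squid.conf text calls the
    // error description (available as %m in the error page).
    return 'ERR You must accept the usage agreement to continue';
}

/** Append an acceptance record; the user name is whatever the person typed. */
function record_acceptance(string $rawUser): void
{
    $entry = date('c') . ' accepted user=' . rawurldecode($rawUser) . "\n";
    @file_put_contents(LOG_FILE, $entry, FILE_APPEND | LOCK_EX);
}

// Main loop: Squid keeps the helper process alive and writes one line per
// credential check. The reply must be flushed, since Squid blocks on it.
while (($line = fgets(STDIN)) !== false) {
    $reply = decide($line);
    if ($reply === 'OK') {
        record_acceptance(explode(' ', rtrim($line, "\r\n"), 2)[0]);
    }
    fwrite(STDOUT, $reply . "\n");
    fflush(STDOUT);
}
```

Because the helper only sees credentials when Squid asks, the credentialsttl setting controls how often a user is re-prompted; the log gives an audit trail of who accepted and when without storing any real secret.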

xpages on browser repeat login

There is an application that we are using both on XPiNC and in browsers.
Before you can access the application, you must log in with your user.id from Lotus Notes. The problem is that there are several login message boxes (where you must log in again with your username and password) saying:
The server says /xsp/.ibmxspres/dojoroot-1.8.1/dojo.
or
The server says /xsp/.ibmxspres/.mini/dojo/.en-us.
or
The server says /xsp/.ibmxspres/.mini/css.
or
The server says /xsp/.ibmxspres/.extlib/icons.
and so on. Even when I just hit F5 while I'm logged on in the application (there is also a computed field which displays the username) those types of messages are displayed.
What should I do as a developer? Or are there some settings needed at the server?
I have the following ACL rights:
ACL: User type: Person and Access: Manager.
Effective access: all the checkboxes are checked except Full Access Administrator
Thanks for your time!
Ok, this should be straight out of the box ;-)
What I find strange is that the resources you seem to be asked for access to are some of the "built in" resources (Dojo, CSS, etc.) in XPages...???
So first thing is really to test that this has nothing to do with your application:
Create a new application
Set a proper ACL that will force you to log in (Default reader or higher, a person called "Anonymous" no access)
Create a simple XPage and open it from the browser
What happens?
If everything works, then you need to add some elements that use the resources (CSS, Dojo, etc.). Then what happens?
I guess you will see the same problems... If so, you need to have a look at the way you have set up your server for web access. Are you using internet sites? Do you use basic or session based authentication?
What does the ACL of your application look like?
What you experience could be caused by "realms" i.e. the "path" to which you log in. A simple example:
If you are required to log in to access the resource /path/db.nsf/view/doc1?openDocument then your realm will be "/path/db.nsf/view/" - if you then try to create a document using /path/db.nsf/newDoc.xsp then you could be asked for access to the realm "/path/db.nsf/".
I must admit that I haven't seen these issues for quite a while - but that may be due to the fact that I control access to the database as a whole - if users need access to something inside the database I implement it using "public access". But first, let us hear a little more about your findings before we chase it as a realm issue ;-)
EDIT:
Ok, so you are using basic authentication. There are lots of good reasons to use session based authentication instead. However, that does not explain your problem. What OS are you using? An OS with file access in the file structure? Could it be that the user running Domino does not have access to the resources? Have any (file) restrictions to these directories been set up? You really should not be prompted to log in for these resources....
Did you try another "new" application?
/John
Switch to session based authentication. The multiple prompts point to Basic authentication, where you can't log out unless you close the browser.

Is there a way to password protect a directory with .htaccess and have it remember the password?

My experience is that using .htaccess to password protect a directory brings up a modal dialog box, and some browsers (FF and Chrome) don't show the checkbox to "remember" this password.
Is there a way to password protect a directory and have the user fill in the username and password within the web page?
Or, is there a way to force the browser to remember that password?
tl;dr: No.
We are talking about something called Basic Authentication.
Unfortunately, these things are features of the browser, and cannot be controlled from the server side. Some browsers have the ability to remember your password forever (usually in the form of a "remember my password" checkbox). It is debatable whether this is a good idea, but at least the user makes the call; forcing this choice from the server side is really a bad idea and I don't think any browser would allow that. Why? The user probably doesn't want to store his credentials if using a shared device (for example, in a public library).
That said, using an Apache .htaccess file is not the only way to do basic authentication. Using any dynamic content framework (PHP, ASP, etc), you can store a session cookie after the user has authenticated and only send the 401 response and basic authentication headers if the user has no authentication cookie. Since you talk about .htaccess, I assume you are on a LAMP stack; take a look at:
Basic authentication: http://php.net/manual/en/features.http-auth.php
Sessions: http://www.php.net/manual/en/book.session.php
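To make the cookie-backed variant concrete, here is an added example (written for this page, not taken from the answer or from the PHP manual pages it links) of a PHP page that sends the 401 challenge only when the visitor has no valid session and then remembers the login in the session cookie. It assumes PHP is running as an Apache module (or a FastCGI setup that exposes PHP_AUTH_USER/PHP_AUTH_PW), PHP 7.3 or newer for the array form of session_set_cookie_params, and a constructed single-user store built at start-up.

```php
<?php
// Added example (not from the original answer): Basic auth challenge only
// when no session exists, then a session cookie carries the login.
declare(strict_types=1);

// Session cookie hardening: not readable by script, not sent cross-site,
// HTTPS only (drop 'secure' only on a local test server).
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax', 'secure' => true]);
session_start();

/**
 * Constructed user store: username => password_hash() output. Hashing at
 * start-up is for the demo only; a real deployment loads stored hashes.
 */
function user_hashes(): array
{
    static $hashes = null;
    if ($hashes === null) {
        $hashes = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return $hashes;
}

/** Verify against a dummy hash for unknown users so timing does not leak names. */
function verify_credentials(string $user, string $pass): bool
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_DEFAULT);
    }
    $hashes = user_hashes();
    $known  = isset($hashes[$user]);
    $ok     = password_verify($pass, $known ? $hashes[$user] : $dummy);
    return $known && $ok;
}

/** Send the Basic challenge and stop; the browser shows its dialog. */
function challenge(): void
{
    header('WWW-Authenticate: Basic realm="Members area", charset="UTF-8"');
    http_response_code(401);
    exit('Authentication required');
}

/** Return the logged-in user, prompting only when the session has none. */
function current_user(): string
{
    if (isset($_SESSION['user'])) {
        return $_SESSION['user'];          // remembered: no prompt this time
    }
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    if ($user === '' || !verify_credentials($user, $pass)) {
        challenge();
    }
    session_regenerate_id(true);           // fresh id once the session gains a user
    $_SESSION['user'] = $user;
    return $user;
}

if (($_GET['action'] ?? '') === 'logout') {
    // Ends the server-side session. The browser may still cache the Basic
    // credentials and resend them on the next 401, which is the limitation
    // of Basic auth the answer above describes.
    $_SESSION = [];
    session_destroy();
    exit('Logged out');
}

$user = current_user();
echo 'Hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

The dialog still appears on the first visit, which is the part the server cannot change; what the session cookie buys you is that the 401 is sent once per session rather than relying on the browser's own credential cache.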

Remote access to Cpanel

I would like to enable my users (who are already authenticated in my application) to automatically log into their Cpanel accounts through API.
If I know the password of the specific account, then there will be no problem. However, I do not think that I can retrieve the password of an account? If I can, please tell me which API function to use. If not, what can I do to achieve what I want?
Thanks
Elcin
It looks like cPanel has a method for providing secure remote logins as documented here: http://docs.cpanel.net/twiki/bin/view/AllDocumentation/SecureRemoteLogins
You can find the source for it in /usr/local/cpanel/Cpanel/LogMeIn.pm
I have a PHP implementation of LogMeIn.pm ready to go (easy to understand and port to any other language) but I'm clearing it with the legal folks over at cPanel before I share it.
After speaking with cPanel's VP of Operations, LogMeIn.pm is now dual-licensed allowing modification and use elsewhere as long as a copyright and license notice stays intact.
My PHP port can be found here: https://gist.github.com/4440574 I decided to implement it as a static class to closely resemble the original but you can very easily turn it into a procedural function.
Using it is as easy as
LogMeIn::getLoggedInUrl('username', 'password', 'example.com', 'cpanel');
which will return false on failure, and on success a string with a URL that will log the user in.
If you're running PHP 5.3.0 or greater you can add this to a cPanel namespace (add namespace cPanel; on the line after <?php) to keep it from conflicting with anything in your application that you've already written (or will write).

How to login to a webpage in Nessus and perform a SecTest?

I am trying to test a webpage using Nessus. I have tested all the stuff about the server. But now I want to proceed by logging in to the webpage and testing all possible pages behind the login form. But I couldn't achieve it. I gave all the form fields' values (text, password and hidden fields), including the ticket generated by the Central Authentication System. But nothing happens. Either there isn't any security issue behind the login page ( :P ), or I couldn't log in to the page (100% possibility :D ). For extra info:
These are login fields. ;)
username=
&password=
&lt=_c0C1F5872-F217-B20F-6D86-AA3AA1C1262E_kC7BEB4F7-5216-53EB-2F9A-7FDDFE01D145
&_eventId=submit
&submit=Login
Is there anyone who has used Nessus and knows how to solve this problem? And is there anyone who knows how to import cookies into Nessus?
Thanks in advance. ;)
I had similar problems; can't speak for you, but it sounds like you have about as much website knowledge as I do (which ain't much!) - no offense intended. In my case I'm not sure I'm understanding the most basic structural elements of the website, such as what URL to point the scan at, and then concatenating that correctly with the login pages in the policy. I'm far better at the network and infrastructure penetration testing :D
I did a search in a search engine for "Nessus HTTP cookie import", and found that Tenable discussed this on their podcast, episode 14:
http://blog.tenablesecurity.com/2009/11/tenable-network-security-podcast---episode-14.html
If you look at the "Stories" note on the above web page, there's a hint to use the "Export Cookies" Firefox add-on. The add-on has some guidance, but essentially:
Install the add-on to your browser (I'm using the OWASP Mantra browser; I urge you to look at it)
Restart your browser
Log in to the subject website and authenticate
From the Tools menu, go for "Export Cookies"
Save to file, and point your Nessus scan policy at that file
NOTE: I'm still trying this now, but thought I'd post the possibility anyway in case I forget - I will update this thread with a confirm or deny shortly.
Best of luck!
UPDATE: Well, it didn't work for me on first attempt. I'm confirming I don't have any conflicting or superseding settings in the policy, but if that doesn't work it's on to Tenable Support, I fear...
According to the documentation, besides importing cookies, the other way to do it (currently at 7.0) is:
Create new scan
Web Application Tests
Credentials:
which are filled out like this (taken from the documentation):
Username: Login user’s name.
Password: Password of the user specified.
Login page: The absolute path to the login page of the application, e.g., /login.html
Login submission page: The action parameter for the form method. For example, the login form for: <form method="POST" name="auth_form" action="/login.php"> would be: /login.php
Login parameters: Specify the authentication parameters (e.g., login=%USER%&password=%PASS%). If the keywords %USER% and %PASS% are used, they will be substituted with values supplied on the Login configurations drop-down menu. This field can be used to provide more than two parameters if required (e.g., a group name or some other piece of information is required for the authentication process).
Check authentication on page: The absolute path of a protected web page that requires authentication, to better assist Nessus in determining authentication status, e.g., /admin.html.
Regex to verify successful authentication: A regex pattern to look for on the login page. Simply receiving a 200 response code is not always sufficient to determine session state. Nessus can attempt to match a given string such as Authentication successful
However, looking at the reports, in my case it couldn't authenticate for some reason.
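Both answers above stop at "it didn't authenticate", so here is an added pre-flight check (written for this page; it is not Nessus code and not part of either answer) for testing the login settings outside the scanner before blaming the policy. It reproduces the %USER%/%PASS% substitution of the "Login parameters" field with proper URL-encoding, parses a cookies.txt file in the Netscape format that the "Export Cookies" add-on and curl write (assumed), and applies the "Regex to verify successful authentication" to a page body the way the documentation describes. Every input in the block is constructed; the form field names mirror the ones in the question, but the values are made up.

```php
<?php
// Added example (not from the answers above): pre-flight check of a Nessus
// web-application login configuration using constructed inputs.
declare(strict_types=1);

/** Expand the Nessus login-parameter template into a form body. */
function build_login_body(string $template, string $user, string $pass): string
{
    // Encode the values so an '&' or '=' inside a password cannot split or
    // corrupt the fields, which is a common silent cause of failed logins.
    return strtr($template, ['%USER%' => rawurlencode($user), '%PASS%' => rawurlencode($pass)]);
}

/**
 * Parse Netscape cookies.txt (assumed format: domain, flag, path, secure,
 * expiry, name, value, tab-separated) and keep the cookies valid for $host
 * at time $now. curl marks HttpOnly cookies with a "#HttpOnly_" prefix.
 */
function parse_netscape_cookies(string $text, string $host, int $now): array
{
    $jar = [];
    foreach (preg_split('/\R/', $text) as $line) {
        if (strncmp($line, '#HttpOnly_', 10) === 0) {
            $line = substr($line, 10);           // keep HttpOnly cookies
        } elseif ($line === '' || $line[0] === '#') {
            continue;                            // comments and blanks
        }
        $f = explode("\t", $line);
        if (count($f) !== 7) {
            continue;                            // malformed line
        }
        [$domain, , , , $expires, $name, $value] = $f;
        $domain  = ltrim($domain, '.');
        $suffix  = '.' . $domain;
        $matches = $host === $domain
            || (strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix);
        $alive   = (int) $expires === 0 || (int) $expires > $now;   // 0 = session cookie
        if ($matches && $alive) {
            $jar[$name] = $value;
        }
    }
    return $jar;
}

/** Build the Cookie request header from a parsed jar. */
function cookie_header(array $jar): string
{
    $pairs = [];
    foreach ($jar as $name => $value) {
        $pairs[] = $name . '=' . $value;
    }
    return 'Cookie: ' . implode('; ', $pairs);
}

/** Mirror the documented check: HTTP 200 alone is not proof, the body must match. */
function auth_succeeded(int $status, string $body, string $regex): bool
{
    return $status === 200 && preg_match($regex, $body) === 1;
}

// Constructed inputs standing in for the real form, cookie file and page.
$template = 'username=%USER%&password=%PASS%&_eventId=submit&submit=Login';
$body     = build_login_body($template, 'scanner', 'p&ss=word');

$cookiesTxt = "# Netscape HTTP Cookie File\n"
    . "#HttpOnly_app.example.com\tFALSE\t/\tTRUE\t0\tJSESSIONID\tabc123\n"
    . ".example.com\tTRUE\t/\tFALSE\t1\told\tstale\n";   // expired in 1970
$jar = parse_netscape_cookies($cookiesTxt, 'app.example.com', time());

echo $body, "\n";
echo cookie_header($jar), "\n";
var_dump(auth_succeeded(200, '<p>Welcome back, scanner</p>', '/Welcome back/'));

// Real check against your own target: POST $body to the login submission
// page with curl -c jar.txt, GET the "Check authentication on page" path
// with curl -b jar.txt, and confirm the regex matches the response before
// trusting that the scan covered anything behind the login.
```

If the hand-built request logs in but Nessus does not, the difference is usually a per-request hidden value such as the CAS ticket in the question, which expires and cannot be pasted into a static login-parameters field; importing the cookie jar captured after a manual login sidesteps that.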
