Geeklog Forums
Logging in with HTTP authorization
Dirk
Site Admin
HTTP authentication, for those not familiar with the term, is what happens when your browser asks you for a username and password before it even displays the page you're about to visit. It's a webserver feature often used to password-protect directories. On an Apache webserver, you would use a .htaccess and a htpasswd file to accomplish this.
So say you have password-protected your entire Geeklog site. So now in order to log into your Geeklog site, you have to enter a username and password twice - once for the HTTP authentication and then again to log into Geeklog.
Wouldn't it be nice if Geeklog would accept the username and password from the HTTP authentication dialog and log you into your Geeklog site automatically? That's what this hack is about.
Without further ado, here's the code (but check the comments below before you actually use it). This goes into your system/lib-sessions.php file, near the end of function SESS_sessionCheck(), around line 195 in the version that ships with Geeklog 1.4.0sr5-1:
Text Formatted Code
if (!isset ($_USER['uid']) || ($_USER['uid'] == 1)) {
    // Not logged in yet (uid 1 is the anonymous user): try the HTTP authentication data
    if (!empty ($_SERVER['PHP_AUTH_USER']) && !empty ($_SERVER['PHP_AUTH_PW'])) {
        $username = COM_applyFilter ($_SERVER['PHP_AUTH_USER']);
        if (!empty ($username)) {
            // Escape both values before they go into the SQL condition
            $username = addslashes ($username);
            $passwd = addslashes (md5 ($_SERVER['PHP_AUTH_PW']));
            $userid = DB_getItem ($_TABLES['users'], 'uid',
                    "username = '$username' AND passwd = '$passwd'");
            if ($userid > 1) {
                SEC_checkUserStatus ($userid);
                // Create new session and write cookie
                $sessid = SESS_newSession ($userid, $_SERVER['REMOTE_ADDR'],
                        $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
                SESS_setSessionCookie ($sessid, $_CONF['session_cookie_timeout'],
                        $_CONF['cookie_session'], $_CONF['cookie_path'],
                        $_CONF['cookiedomain'], $_CONF['cookiesecure']);
                $userdata = SESS_getUserDataFromId ($userid);
                $_USER = $userdata;
                $_USER['auto_login'] = true;
            }
        }
    }
}

if ($_SESS_VERBOSE) {
    COM_errorLog("***Leaving SESS_sessionCheck***",1);
}
The last three lines are for your reference only - they are already there in that function.
In order for this to work, you will have to keep your htpasswd file in sync with the Geeklog database, i.e. every user will have to exist - with the same username and password - in that file and in Geeklog's database. How to accomplish this is outside of the scope of this hack ...
There is one small but possibly annoying problem with this hack: You can't log out.
Traditionally, browsers keep the login data for the HTTP authentication around for the duration of the browser session (i.e. until you close the browser). So when you attempt to log out and Geeklog reloads the page, your browser sends the login credentials again and you're immediately logged into your site again.
You can find lengthy discussions about this problem (e.g. in the PHP manual) and there are numerous workarounds, but there is no proper way around that problem that is guaranteed to work with all browsers (I even found a Firefox extension to clear out your HTTP authentication data).
I was originally looking into adding this to the Geeklog core code, but because of the logout problem I've set this aside and decided to post it as a hack instead. Maybe someone can come up with a good workaround (mine were too ugly: a) hide the logout link to at least make it obvious or b) set a cookie - valid until the end of the browser session - to signal that we've already logged out and ignore the HTTP authentication data when it exists).
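Workaround (b) from the post, written out as an added example that is not part of the original post or of Geeklog's code: a session cookie records the logout, and the auto-login block skips the HTTP authentication data while that cookie is present. The cookie name, the function names and the cookie path are assumptions, and the options-array form of setcookie() needs PHP 7.3 or later.

```php
<?php
// Added example, not Geeklog code. The cookie name and function names are
// hypothetical; only PHP_AUTH_USER / PHP_AUTH_PW come from the post.
const HTTP_AUTH_LOGOUT_COOKIE = 'gl_http_auth_logout'; // hypothetical name

/** Called from the logout handler: remember the logout for this browser session. */
function markHttpAuthLoggedOut(bool $secure): bool
{
    if (headers_sent()) {
        return false; // too late to set a cookie
    }
    return setcookie(HTTP_AUTH_LOGOUT_COOKIE, '1', [
        'expires'  => 0,      // 0 = session cookie, dropped when the browser closes
        'path'     => '/',    // assumption; a real site would use its own cookie path
        'secure'   => $secure,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/** Called when the user explicitly logs in again: drop the marker. */
function clearHttpAuthLoggedOut(): bool
{
    if (headers_sent()) {
        return false;
    }
    return setcookie(HTTP_AUTH_LOGOUT_COOKIE, '', ['expires' => 1, 'path' => '/']);
}

/**
 * Decide whether the auto-login block may use the HTTP authentication data.
 * The marker can only suppress an auto-login, never grant one, so a forged
 * or deleted cookie gives a client nothing beyond the behaviour without it.
 */
function httpAuthAutoLoginAllowed(array $server, array $cookies): bool
{
    if (empty($server['PHP_AUTH_USER']) || empty($server['PHP_AUTH_PW'])) {
        return false; // browser sent no HTTP authentication data
    }
    return !isset($cookies[HTTP_AUTH_LOGOUT_COOKIE]);
}

// Constructed requests: same credentials, without and with the logout marker.
$creds = ['PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'example-password'];
var_dump(httpAuthAutoLoginAllowed($creds, []));
var_dump(httpAuthAutoLoginAllowed($creds, [HTTP_AUTH_LOGOUT_COOKIE => '1']));
var_dump(httpAuthAutoLoginAllowed([], []));
```

In the hack itself, the outer condition would call httpAuthAutoLoginAllowed($_SERVER, $_COOKIE) in addition to the uid check, and the logout handler would call markHttpAuthLoggedOut().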