Re: Re: Secure pages

if you are using apache web server you can try the .htaccess method. I am
not too familar with it. I am trying to learn it myself, but from what i
gather, you put a file called .htaccess in the dir where your web page is.
the .htaccess file contains a path to the a file where all the user names
and passwords are stored. whenever this dir is accessed, a window pops up
asking for a user id and password.

If anyone has more info on this, please pass it on. I am looking into
using this as well. What i am looking to do is create a web based ftp
application. Where users log into a web screen and can ftp files to the
server into a certain directory own by them. I am storing the file paths
and descriptions in a postgresql db and using php for the ftp process. Can
I use .htaccess with this? Can I have someone log into the web page using
.htaccess and passing their user id and password into a cookie or variable
so i will know who they are and they don't have to re-type this when they
ftp the file.

Any help would be great.
Thanks,
Tim.

Paul Joseph McGee <mcgee(at)student(dot)cs(dot)ucc(dot)ie>@postgresql.org on 03/13/2001
12:20:57 PM

Sent by: pgsql-php-owner(at)postgresql(dot)org

To: pgsql-php(at)postgresql(dot)org
cc:

Subject: Secure pages

Hi everybody,
i have a user login authentication sysytem on my machine here where users
may view pages but to do other things the user must login. the login
scripts seem to work ok and are based on a "Secure Authentication System"
from www.phpbuilder.com. Basically the page where i want people to arrive
at upon logging in is at present viewable by anyone who puts the proper
url into their browser. how do i keep this and other pages secure from
people who havent logged in?
Thanks,
Paul

---------------------------(end of broadcast)---------------------------
TIP 2: you can get off all lists at once with the unregister command
(send "unregister YourEmailAddressHere" to majordomo(at)postgresql(dot)org)

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

www.mimesweeper.com
**********************************************************************

You can do it with a .htaccess file, but why? You've got a very powerful
scripting language to work with...

I do it through a normal html form. Here's how I do it:

1) My login form and logic is all contained within an include file. That way,
I can include it within any page I feel should be password protected and it
automatically does everything.

2) The form action is left blank so that it will simply reload the same page
and take them to the page (and QUERY_STRING [GET] variables) they originally
intended.

3) The form contains a hidden input tag that is the controling variable.

4) I have an if statement within the login.inc.php file that checks to see if
the control variable is set... if it is, I check the login information against
my authentication scheme (usually a database).

5) If the login info is correct, then set cookies indicating that it's good
and let the page load rather than displaying the login box again. If the
login is invalid, display unset your control variable and let the login screen
load again. Of course, you should also display some type of message indicating
that the login failed.

6) Next time they hit the page where the login.inc.php file is included, it
checks the cookies to see if they have already logged in... if so... let them
by without displaying the login screen.

7) Summary of logic:
a) Check to see if "logged in" cookie exists... if so, let them through
b) If cookie doesn't exist, check if control variable (passed from HTML form)
isset
c) If control variable set, check against database, otherwise display login
screen
d) If database check of login info is valid, let them through, otherwise
display login screen

This method is very reusable... because there is no action in the form tag and
all login is within the include file, all you do is include it within any
access controled file and it works seemlessly.

-Dan

: if you are using apache web server you can try the .htaccess method. I am
: not too familar with it. I am trying to learn it myself, but from what i
: gather, you put a file called .htaccess in the dir where your web page is.
: the .htaccess file contains a path to the a file where all the user names
: and passwords are stored. whenever this dir is accessed, a window pops up
: asking for a user id and password.
:
: If anyone has more info on this, please pass it on. I am looking into
: using this as well. What i am looking to do is create a web based ftp
: application. Where users log into a web screen and can ftp files to the
: server into a certain directory own by them. I am storing the file paths
: and descriptions in a postgresql db and using php for the ftp process. Can
: I use .htaccess with this? Can I have someone log into the web page using
: .htaccess and passing their user id and password into a cookie or variable
: so i will know who they are and they don't have to re-type this when they
: ftp the file.
:
: Any help would be great.
: Thanks,
: Tim.
:
:
:
:
: Paul Joseph McGee <mcgee(at)student(dot)cs(dot)ucc(dot)ie>@postgresql.org on 03/13/2001
: 12:20:57 PM
:
: Sent by: pgsql-php-owner(at)postgresql(dot)org
:
:
: To: pgsql-php(at)postgresql(dot)org
: cc:
:
: Subject: Secure pages
:
:
: Hi everybody,
: i have a user login authentication sysytem on my machine here where users
: may view pages but to do other things the user must login. the login
: scripts seem to work ok and are based on a "Secure Authentication System"
: from www.phpbuilder.com. Basically the page where i want people to arrive
: at upon logging in is at present viewable by anyone who puts the proper
: url into their browser. how do i keep this and other pages secure from
: people who havent logged in?
: Thanks,
: Paul
:
: ---------------------------(end of broadcast)---------------------------
: TIP 2: you can get off all lists at once with the unregister command
: (send "unregister YourEmailAddressHere" to majordomo(at)postgresql(dot)org)
:
:
:
:
:
: **********************************************************************
: This email and any files transmitted with it are confidential and
: intended solely for the use of the individual or entity to whom they
: are addressed. If you have received this email in error please notify
: the system manager.
:
: This footnote also confirms that this email message has been swept by
: MIMEsweeper for the presence of computer viruses.
:
: www.mimesweeper.com
: **********************************************************************
:
: ---------------------------(end of broadcast)---------------------------
: TIP 1: subscribe and unsubscribe commands go to majordomo(at)postgresql(dot)org

The easiest way in PHP that I have found is to create a file called
validate.php containing the following:

<?
if ($HTTP_COOKIE_VARS["MyCookie"] != 'Some Value') {
header("Location: http://my.company.com/login");
}
?>

and, after the user has logged in, set a cookie. Then, for each page that
should be for a logged-in user only, just include the validate.php file.

Michael Fork - CCNA - MCP - A+
Network Support - Toledo Internet Access - Toledo Ohio

On Tue, 13 Mar 2001 Timothy_Maguire(at)hartehanks(dot)com wrote:

>
> if you are using apache web server you can try the .htaccess method. I am
> not too familar with it. I am trying to learn it myself, but from what i
> gather, you put a file called .htaccess in the dir where your web page is.
> the .htaccess file contains a path to the a file where all the user names
> and passwords are stored. whenever this dir is accessed, a window pops up
> asking for a user id and password.
>
> If anyone has more info on this, please pass it on. I am looking into
> using this as well. What i am looking to do is create a web based ftp
> application. Where users log into a web screen and can ftp files to the
> server into a certain directory own by them. I am storing the file paths
> and descriptions in a postgresql db and using php for the ftp process. Can
> I use .htaccess with this? Can I have someone log into the web page using
> .htaccess and passing their user id and password into a cookie or variable
> so i will know who they are and they don't have to re-type this when they
> ftp the file.
>
> Any help would be great.
> Thanks,
> Tim.
>
>
>
>
> Paul Joseph McGee <mcgee(at)student(dot)cs(dot)ucc(dot)ie>@postgresql.org on 03/13/2001
> 12:20:57 PM
>
> Sent by: pgsql-php-owner(at)postgresql(dot)org
>
>
> To: pgsql-php(at)postgresql(dot)org
> cc:
>
> Subject: Secure pages
>
>
> Hi everybody,
> i have a user login authentication sysytem on my machine here where users
> may view pages but to do other things the user must login. the login
> scripts seem to work ok and are based on a "Secure Authentication System"
> from www.phpbuilder.com. Basically the page where i want people to arrive
> at upon logging in is at present viewable by anyone who puts the proper
> url into their browser. how do i keep this and other pages secure from
> people who havent logged in?
> Thanks,
> Paul
>

On Tue, 13 Mar 2001, Michael Fork wrote:

->The easiest way in PHP that I have found is to create a file called
->validate.php containing the following:
->
-><?
-> if ($HTTP_COOKIE_VARS["MyCookie"] != 'Some Value') {
-> header("Location: http://my.company.com/login");
-> }
->?>
->
->and, after the user has logged in, set a cookie. Then, for each page that
->should be for a logged-in user only, just include the validate.php file.

Boy that's not very secure...I could find your included file, see what 'Some
Value' is, and then just make my own cookie!

-- Dave

not if the include file ends with a .php -- since it is in <? ?>, anybody
acessing the file from a web browser would not be able to see it.

Michael Fork - CCNA - MCP - A+
Network Support - Toledo Internet Access - Toledo Ohio

On Tue, 13 Mar 2001, David Olbersen wrote:

> On Tue, 13 Mar 2001, Michael Fork wrote:
>
> ->The easiest way in PHP that I have found is to create a file called
> ->validate.php containing the following:
> ->
> -><?
> -> if ($HTTP_COOKIE_VARS["MyCookie"] != 'Some Value') {
> -> header("Location: http://my.company.com/login");
> -> }
> ->?>
> ->
> ->and, after the user has logged in, set a cookie. Then, for each page that
> ->should be for a logged-in user only, just include the validate.php file.
>
> Boy that's not very secure...I could find your included file, see what 'Some
> Value' is, and then just make my own cookie!
>
> -- Dave
>
>

On Tue, 13 Mar 2001, Michael Fork wrote:

->not if the include file ends with a .php -- since it is in <? ?>, anybody
->acessing the file from a web browser would not be able to see it.

I misunderstood, I thought you meant that you would put that code in an included
file. Which anybody could get at. However the code being hidden doesn't change
that I could look for a cookie from your domain, see it's value, and still
create another cookie.

What you're all looking for is a *session based* authentication system. PHP does
this, and you can do it yourself if you have a database set up.

-- Dave

On Tue, 13 Mar 2001, Dan Wilson wrote:

Is anyone else getting crap spewed at them from as far back as March on
this list?

On Fri, 16 Nov 2001, speedboy wrote:

> On Tue, 13 Mar 2001, Dan Wilson wrote:
>
> Is anyone else getting crap spewed at them from as far back as March on
> this list?

yep

Vince.
--
==========================================================================
Vince Vielhaber -- KA8CSH email: vev(at)michvhf(dot)com http://www.pop4.net
56K Nationwide Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
==========================================================================

the offending user has been removed from the list ...

On Fri, 16 Nov 2001, Vince Vielhaber wrote:

> On Fri, 16 Nov 2001, speedboy wrote:
>
> > On Tue, 13 Mar 2001, Dan Wilson wrote:
> >
> > Is anyone else getting crap spewed at them from as far back as March on
> > this list?
>
> yep
>
> Vince.
> --
> ==========================================================================
> Vince Vielhaber -- KA8CSH email: vev(at)michvhf(dot)com http://www.pop4.net
> 56K Nationwide Dialup from $16.00/mo at Pop4 Networking
> Online Campground Directory http://www.camping-usa.com
> Online Giftshop Superstore http://www.cloudninegifts.com
> ==========================================================================
>
>
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 2: you can get off all lists at once with the unregister command
> (send "unregister YourEmailAddressHere" to majordomo(at)postgresql(dot)org)
>

On Fri, 16 Nov 2001, Marc G. Fournier wrote:

>
> the offending user has been removed from the list ...

I didn't look at the headers, you mean someone actually sent them
and it wasn't a logjam somewhere?

>
>
> On Fri, 16 Nov 2001, Vince Vielhaber wrote:
>
> > On Fri, 16 Nov 2001, speedboy wrote:
> >
> > > On Tue, 13 Mar 2001, Dan Wilson wrote:
> > >
> > > Is anyone else getting crap spewed at them from as far back as March on
> > > this list?
> >
> > yep
> >
> > Vince.
> > --
> > ==========================================================================
> > Vince Vielhaber -- KA8CSH email: vev(at)michvhf(dot)com http://www.pop4.net
> > 56K Nationwide Dialup from $16.00/mo at Pop4 Networking
> > Online Campground Directory http://www.camping-usa.com
> > Online Giftshop Superstore http://www.cloudninegifts.com
> > ==========================================================================
> >
> >
> >
> >
> > ---------------------------(end of broadcast)---------------------------
> > TIP 2: you can get off all lists at once with the unregister command
> > (send "unregister YourEmailAddressHere" to majordomo(at)postgresql(dot)org)
> >
>
>

Vince.
--
==========================================================================
Vince Vielhaber -- KA8CSH email: vev(at)michvhf(dot)com http://www.pop4.net
56K Nationwide Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
==========================================================================

from what I could tell, yes ... might have been unintentioinal, but, if
that's the case, they can re-subscribe :)

On Fri, 16 Nov 2001, Vince Vielhaber wrote:

> On Fri, 16 Nov 2001, Marc G. Fournier wrote:
>
> >
> > the offending user has been removed from the list ...
>
> I didn't look at the headers, you mean someone actually sent them
> and it wasn't a logjam somewhere?
>
> >
> >
> > On Fri, 16 Nov 2001, Vince Vielhaber wrote:
> >
> > > On Fri, 16 Nov 2001, speedboy wrote:
> > >
> > > > On Tue, 13 Mar 2001, Dan Wilson wrote:
> > > >
> > > > Is anyone else getting crap spewed at them from as far back as March on
> > > > this list?
> > >
> > > yep
> > >
> > > Vince.
> > > --
> > > ==========================================================================
> > > Vince Vielhaber -- KA8CSH email: vev(at)michvhf(dot)com http://www.pop4.net
> > > 56K Nationwide Dialup from $16.00/mo at Pop4 Networking
> > > Online Campground Directory http://www.camping-usa.com
> > > Online Giftshop Superstore http://www.cloudninegifts.com
> > > ==========================================================================
> > >
> > >
> > >
> > >
> > > ---------------------------(end of broadcast)---------------------------
> > > TIP 2: you can get off all lists at once with the unregister command
> > > (send "unregister YourEmailAddressHere" to majordomo(at)postgresql(dot)org)
> > >
> >
> >
>
>
> Vince.
> --
> ==========================================================================
> Vince Vielhaber -- KA8CSH email: vev(at)michvhf(dot)com http://www.pop4.net
> 56K Nationwide Dialup from $16.00/mo at Pop4 Networking
> Online Campground Directory http://www.camping-usa.com
> Online Giftshop Superstore http://www.cloudninegifts.com
> ==========================================================================
>
>
>
>

This arrived promptly. :)

On Fri, 16 Nov 2001, Marc G. Fournier wrote:

>
> from what I could tell, yes ... might have been unintentioinal, but, if
> that's the case, they can re-subscribe :)
>
>
>
> On Fri, 16 Nov 2001, Vince Vielhaber wrote:
>
> > On Fri, 16 Nov 2001, Marc G. Fournier wrote:
> >
> > >
> > > the offending user has been removed from the list ...
> >
> > I didn't look at the headers, you mean someone actually sent them
> > and it wasn't a logjam somewhere?
> >
> > >
> > >
> > > On Fri, 16 Nov 2001, Vince Vielhaber wrote:
> > >
> > > > On Fri, 16 Nov 2001, speedboy wrote:
> > > >
> > > > > On Tue, 13 Mar 2001, Dan Wilson wrote:
> > > > >
> > > > > Is anyone else getting crap spewed at them from as far back as March on
> > > > > this list?
> > > >
> > > > yep
> > > >
> > > > Vince.
> > > > --
> > > > ==========================================================================
> > > > Vince Vielhaber -- KA8CSH email: vev(at)michvhf(dot)com http://www.pop4.net
> > > > 56K Nationwide Dialup from $16.00/mo at Pop4 Networking
> > > > Online Campground Directory http://www.camping-usa.com
> > > > Online Giftshop Superstore http://www.cloudninegifts.com
> > > > ==========================================================================
> > > >
> > > >
> > > >
> > > >
> > > > ---------------------------(end of broadcast)---------------------------
> > > > TIP 2: you can get off all lists at once with the unregister command
> > > > (send "unregister YourEmailAddressHere" to majordomo(at)postgresql(dot)org)
> > > >
> > >
> > >
> >
> >
> > Vince.
> > --
> > ==========================================================================
> > Vince Vielhaber -- KA8CSH email: vev(at)michvhf(dot)com http://www.pop4.net
> > 56K Nationwide Dialup from $16.00/mo at Pop4 Networking
> > Online Campground Directory http://www.camping-usa.com
> > Online Giftshop Superstore http://www.cloudninegifts.com
> > ==========================================================================
> >
> >
> >
> >
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 6: Have you searched our list archives?
>
> http://archives.postgresql.org
>

Vince.
--
==========================================================================
Vince Vielhaber -- KA8CSH email: vev(at)michvhf(dot)com http://www.pop4.net
56K Nationwide Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
==========================================================================