Htaccess/php/sess/recording


#1

I need to have restricted access to a site but I also want to record who’s logging in.
I want to write who did log into the website into mysql but I don’t want to have to access mysql to get access to the site (should that fail) and if the log fails for any reason I don’t care that much.
So my thought was just to use htaccess/htpasswd and manage that with deadlock or whatever; that’s easy, but how can I log who did log in?
Is there a way to get that into the logs and I can scan that with a cron?
Or do I need to write a php login using the htpassword file and only write a record to mysql when a session is created? I don’t want to modify every stinking application/directory, so I guess I would have to do an AddHandler for .html, php etc. and the php would be “eek” and have to do a force application type on eek to php so it doesn’t loop forever?
Am I a dope? Is there just an easy way to do this without having to write the code and do it this convoluted way?
So simple (no credit cards here, no-one on life support) access control with logging but not having to hack into phpbb, gallery, and every other bleeking thing to do this.


#2

Ok so that post is a bust how about this…

How do you do php htaccess/passwd access when (as here) php is cgi?
No I don’t want to change that and I don’t want to log in for every access because it doesn’t remember me.


#3

http://www.besthostratings.com/articles/http-auth-php-cgi.html demonstrates a workaround methodology. Yeah Google! :wink:

–rlparker


#4

Yeah google, but garbage in garbage out, that doesn’t work.


#5

This works. Tested for DreamHost Apache 2 running php-cgi.

Process Request

[code]client -> GET /
server -> set REMOTE_USER=user
          set REDIRECT_REMOTE_USER=REMOTE_USER
          if 401 errordocument show errordocument 401
          if invalid user/pass errordocument 401 requests user pass with "Authorization Required" 401
          sends Header- 'WWW-Authenticate: Basic realm="AskApachePass"'
client -> GET /
          send username and password with Header- 'Authorization: Basic (base64_encoded username:password)'
server -> (repeats until authorized)
[/code]
2 .htaccess tricks required
1. a custom 401 ErrorDocument specifying a php file (logger).
2. pass along the clients username using mod_rewrite.

.htaccess

[code]# Hand every 401 response to the PHP logger
ErrorDocument 401 /log-htpasswd.php

# BEGIN AskApache Password Protect
AuthName "AskApachePass"
AuthUserFile /.htpasswd
AuthGroupFile /dev/null
AuthType Basic
Require valid-user
# END AskApache Password Protect

# On the internal 401 redirect, pass the username along to the ErrorDocument
RewriteEngine On
RewriteBase /
RewriteCond %{ENV:REDIRECT_STATUS} ^401$
RewriteRule .* - [E=REMOTE_USER:%{ENV:REDIRECT_REMOTE_USER}]
[/code]
log-htpasswd.php

[code]<?php
// File that receives one attempted username per line
define('LOGINS_LOG', '/home/user/log-htpasswd.log');

// Apache passes the attempted username along on the internal 401 redirect
if (isset($_ENV['REDIRECT_REMOTE_USER']) && !empty($_ENV['REDIRECT_REMOTE_USER'])) {
    $fp = fopen(LOGINS_LOG, 'a+');
    fwrite($fp, $_ENV['REDIRECT_REMOTE_USER'] . "\n");
    fclose($fp);
}

// Reproduce the standard 401 page so the browser prompts for credentials again
ob_start();
header("HTTP/1.1 401 Authorization Required", 1);
header("Status: 401 Authorization Required", 1);
echo '<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn\'t understand how to supply the credentials required.</p>
</body></html>';
exit;
?>
[/code]
[b]example log-htpasswd.log[/b] just a list of usernames attempted
[code]username1
tom
rcowen
askapache
dreamhost
dreamadmin
[/code]

All you need to do now is add mysql commands to log-htpasswd.php… And you should tighten the security for log-htpasswd.php to only allow from server for redirects to secure against crackers and hackers.

more .htaccess tricks

_____
[color=#00CC00] _ _| _ _ _ _|_ _ (_|_\|<(_||_)(_|(_| |(/_ | [/color]
:~
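
The logger from the post above, reworked as an added example (not code from the thread): it strips control characters from the attempted username before logging, appends under a lock, and treats the MySQL insert as best-effort so a database failure never changes the response. The DSN, credentials, `auth_attempts` table and PHP 7+ with pdo_mysql are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed names: DSN, credentials,
// table auth_attempts, and the log path. Requires PHP 7+ with pdo_mysql.
const LOGINS_LOG = '/home/user/log-htpasswd.log';
const DB_DSN     = 'mysql:host=localhost;dbname=authlog;charset=utf8mb4';
const DB_USER    = 'authlog_writer';   // placeholder
const DB_PASS    = 'change-me';        // placeholder

// Replace control bytes (CR/LF/TAB included) and non-ASCII so a crafted
// username cannot forge extra log lines or break the tab-separated layout.
function clean_field(string $value, int $max = 64): string
{
    return substr(preg_replace('/[^\x20-\x7E]/', '?', $value), 0, $max);
}

function record_attempt(string $user, string $ip, string $uri): void
{
    $line = sprintf("%s\t%s\t%s\t%s\n", gmdate('c'), $ip, $user, $uri);
    // LOCK_EX stops concurrent php-cgi processes from interleaving lines.
    @file_put_contents(LOGINS_LOG, $line, FILE_APPEND | LOCK_EX);
    try {
        $pdo = new PDO(DB_DSN, DB_USER, DB_PASS, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_TIMEOUT => 2,
        ]);
        $stmt = $pdo->prepare(
            'INSERT INTO auth_attempts (seen_at, ip, username, uri)
             VALUES (UTC_TIMESTAMP(), ?, ?, ?)'
        );
        $stmt->execute([$ip, $user, $uri]);
    } catch (Throwable $e) {
        // MySQL being down must not affect the 401 response; the file remains.
    }
}

// Assumes REDIRECT_STATUS reaches PHP as 401, as the thread's RewriteCond
// expects. It is set by Apache, not taken from a request header.
if (getenv('REDIRECT_STATUS') === '401') {
    $user = (string) getenv('REDIRECT_REMOTE_USER');
    if ($user !== '') {
        record_attempt(
            clean_field($user),
            clean_field($_SERVER['REMOTE_ADDR'] ?? '-', 45),
            clean_field($_SERVER['REQUEST_URI'] ?? '-', 200)
        );
    }
}
http_response_code(401);
echo 'Authorization Required';
```

Keep the log file outside the web root and readable only by your own user, since attempted usernames sometimes turn out to be mistyped passwords.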


#6

So I’m not sure what’s different in my environment but this does not work…

first I had to change /.htpasswd to the full path or I couldn’t even log in.

I checked my log file path etc, even made it all 777’s, and then just tried writing “test” in it, nothing…
Made a copy of the log-htpasswd.php and pulled the if and other stuff out; it did write the “test” to the file, only no user.

I don’t know, this is what is driving me a bit nuts. I agree this should work.


#7

No worries Sorcerer~

I forget that my environment is different than the default, I have a lot of optimized stuff going on. My guess is that it's a php issue.

First, the .htpasswd thing was my fault, indeed you will need to change to be the full path like /home/user/.htpasswd

Next configure your domain to use the php5.cgi

  1. cd to your domain root
[code]cd /home/user/domain.com
[/code]
  2. make a cgi-bin folder
[code]mkdir -p /home/user/domain.com/cgi-bin; chmod 755 /home/user/domain.com/cgi-bin
[/code]
  3. copy the php5.cgi
[code]cp -p /dh/cgi-system/php5.cgi /home/user/domain.com/cgi-bin
[/code]
  4. add this to your /home/user/domain.com/.htaccess
[code]AddHandler php-cgi .php
Action php-cgi /cgi-bin/php5.cgi
[/code]
Now that you have php5, it should work.

Ultimate debug:

  1. create a file called login.php in /home/user/domain.com/cgi-bin/login.php and make a copy at /home/user/domain.com/logins.php
  2. the contents of login.php, change the IP to yours

[code]<?php
define('LOGINS_LOG', '/home/user/logins.log');

// Log the username Apache passes along on the internal 401 redirect
$fp = fopen(LOGINS_LOG, 'a+');
fwrite($fp, $_ENV['REDIRECT_REMOTE_USER'] . "\n");
fclose($fp);

ob_start();
header("HTTP/1.1 401 Authorization Required", 1);
header("Status: 401 Authorization Required", 1);
echo '<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn\'t understand how to supply the credentials required.</p>
</body></html>';

// Everything below is debug output, shown only to this address (change it to yours)
if ($_SERVER['REMOTE_ADDR'] !== '208.113.183.103') die();
echo "\n";
// Decode the Basic credentials (username:password) from the Authorization header
$password = base64_decode(str_replace('Basic ', '', $_SERVER['HTTP_AUTHORIZATION']));
echo $password;
print_r($_ENV);
print_r($_SERVER);
exit;
?>
[/code]
  3. Add this to your /home/user/domain.com/.htaccess
[code]ErrorDocument 401 /logins.php

RewriteEngine On
RewriteBase /
RewriteCond %{ENV:REDIRECT_STATUS} ^401$ [OR]
RewriteCond %{REQUEST_URI} ^/.login.php$
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},E=REMOTE_USER:%{ENV:REDIRECT_REMOTE_USER}]

AuthName "Protection"
AuthUserFile /home/user/.htpasswd
AuthGroupFile /dev/null
AuthType Basic
Require valid-user
[/code]
Now go to your web browser and request http://site.com/cgi-bin/login.php and try entering the wrong password, hitting cancel, entering the correct password, etc.

Besides also showing you the decrypted password, it will show you everything you need to know. Let me know how it goes.



#8

I’m missing something…

the <files means I have to specifically access the file
I want it to run “auto” based on the .htaccess file

When it runs it will authorize, but that’s like a goto not a gosub; after this is done it doesn’t finish the code to let me know who just logged in.

From then on it never goes back to access this code.

Oh and when I do run it twice the password is the user/password but the REDIRECT_REMOTE_USER is still blank.


#9

You only need to use the files directive if you are debugging.
