Follow us on Twitter!
It is the path of least resistance that makes rivers and men crooked. - Bj Palmer
Sunday, April 20, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 21
Guests Online: 21
Members Online: 0

Registered Members: 82843
Newest Member: hx47
Latest Articles

HTTP Authentication with PHP.

Arrow Image How to simulate a htaccess login with PHP.



Note: The HTTP Authentication hooks in PHP are only available when it is running as an Apache module and is hence not available in the CGI version.

Alright lets first start of by having a look at the header that needs to be sent:
Some of you may have noticed when trying to break into a .htaccess secured folder that it gives you something like: 401 Unauthorized.
Well that\'s atually what makes your browser to create this login box.
So this idea is basiclly based on tricking the browser with that sort of header.

To send the right type of header thru PHP you use this:

header(\'WWW-Authenticate: Basic realm=\"Your Realm\"\');
header(\'HTTP/1.0 401 Unauthorized\');

The realm is your name of choice, can be anything.

PHP stores the values entered in the boc in two variables:
$PHP_AUTH_USER ($_SERVER[\'PHP_AUTH_USER\'])
and $PHP_AUTH_PWD ($_SERVER[\'PHP_AUTH_PWD\']).

So lets have a look at a basic script that checks the username and password in htaccess style.

if (!isset($_SERVER[\'PHP_AUTH_USER\']) || !isset($_SERVER[\'PHP_AUTH_PWD\'])) {
// If user isn\'t logged in then prompt for username and password.
// Start_Header output
header(\'WWW-Authenticate: Basic realm=\"My Realm\"\');
header(\'HTTP/1.0 401 Unauthorized\');
// End_Header output
echo \'You need to be logged in to view this site\';
// Text to show if user pressed cancel instead of login
exit;
} else {
if($_SERVER[\'PHP_AUTH_USER\'] == \"username\" && $_SERVER[\'PHP_AUTH_PWD\'] == \"password\") {
// Code here if user successfully logged in.
echo \'You are authorized\';
} else {
// Username or password was incorrect, prompt to login again.
header(\'WWW-Authenticate: Basic realm=\"My Realm\"\');
header(\'HTTP/1.0 401 Unauthorized\');
echo \'You need to be logged in to view this site\';
exit;
}
}

So i guess you read the comments in the code huh? If not, then do it!
Anyway, you replace \"username\" and \"password\" with your credentials of choice.

As you may understand this way is far more dynamic then basic htaccess and can be used with database aswell.

Althou, some people that\'s using this has problems with the logout feature of the site (if needed).
By googling i found out that making a new prompt for username and password removes the cache for the currently logged in user.
So by sending the header again you can logout. Geniou huh?
Althou i had some problems with that and \"Headers allready sent from line blablabla\" in PHP so i found an easier way to do this, althou this may not work on all browsers (Safari for example).

Some of you people may know that you can automaticly login in a htaccess protected area by making this type of URL: http://username:password@site.com/

Well, by sending false credentials our cache gets deleted.
So a quick way to logout as i use is: http://logout:@site.com

Hope someone finds this article usefull so my 20minutes of typing wasn\'t good for nothing xD

~root_op

Comments

root_opon February 08 2008 - 06:39:24
Well i was kinda tired when i wrote this, so bare with me xD Thx for your response mosh Smile
midoon February 08 2008 - 12:46:04
Actually, I knew this, but haven't tried; not experienced with auth's. But found it somewhat informative. But I only used .htaccess to do this, without PHP involved. But anyways, nice article.
*Very Good*
mikispagon February 08 2008 - 15:58:10
Very good!
korgon February 09 2008 - 02:24:48
Nice content I'm sure people will learn something from this. Nice job man.
Arto_8000on February 18 2008 - 20:01:31
Nice content ? Your just presenting an Hello World. And your saying that htaccess isn't good. Your making a really big mistake. Read up more about htaccess and you'll see that it's by far better than using this kind of script. The only use of that kind of script is when you don't have htaccess which is really rare.
root_opon March 12 2008 - 08:24:19
Well, lets say you want that kind of protection on your site, wich has like 20000 users, you want a htpasswd file with 20000 entries? Better of with database access instead.
SwiftNomadon April 20 2008 - 20:40:24
http://www.hellboundhackers.org/articles/258-htaccess-Password-Protection.html well, it is something like mine.. Grin
Post Comment

Sorry.

You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.