Re: [PHP] Preferred Method for User authentication on VHosts
- From: jochem@xxxxxxxxxxxxx (Jochem Maas)
- Date: Tue, 07 Oct 2008 23:57:44 +0200
Michelle Konzack wrote:
> Hello,
>
> I have at my hosting provider only 1 GByte of disk space and can install
> as many VHosts as I want. The problem is that I have "no access" to
> the OS for OS-level authentication.
>
> Currently I have
>
>     ${CUSTOMERPATH}/htdocs/index.php
>
> which handles all VHosts and gets its config from directories like
>
>     ${CUSTOMERPATH}/CONFIG_<vhost>.tamay-dogan.net/...
>
> in which I currently use files like
>
>     <user>:<shadow_passwd>
>
> and then I use:
>
> ----[ STDIN ]-----------------------------------------------------------
> function login($user, $pass, $redirect) {
>     if ($user != '' and $pass != '') {
>         $SHADOW=exec("grep \"^$user:\" " . DIR_HOST . "/.shadow |cut -d: -f2");
>         if (empty($SHADOW)) {
>             header("Content-Type: text/html");
>             die("<meta http-equiv=\"refresh\" content=\"5;$redirect\">\n<font size=\"+2\" color=\"red\"><b>Error</b></font><hr size=\"3\" noshade=\"noshade\">The username \"$user\" does not exist.");
>         }
>         $SALT=exec("grep \"^$user:\" " . DIR_HOST . "/.shadow |cut -d: -f2 |cut -d$ -f1-3");
>         $ENCRYPTED=crypt($pass, $SALT);

seems like a lot of pain to go through, what with all that shelling out to grep data.
I'd personally go for a simple DB table and use/store sha1() hashes.

>         if ($SHADOW != $ENCRYPTED) {
>             header("Content-Type: text/html");

text/html is the default content-type; why bother with this line?

>             die("<meta http-equiv=\"refresh\" content=\"5;$redirect\">\n<font size=\"+2\" color=\"red\"><b>Error</b></font><hr size=\"3\" noshade=\"noshade\">Wrong password for user \"$user\".");

I'm not a fan of die()ing in this fashion. I would argue the function should either
return true or false and let the caller decide what to do (e.g. show a login form again
or something).

I'm not a fan of meta-refreshes either.

>         }
>         $TIME_NOW=date("U");
>         $SESSID=exec("echo \"${user}${TIME_NOW}\" |md5sum |sed 's| .*||'");
>         setcookie('TDSESSION', "$SESSID");
>         setcookie('USER', $user);
>         exec("echo '" . date("U") . " " . $user . "' >" . DIR_SESSIONS . "/" . $SESSID);

I smell a race condition or something ... also why go to all this trouble when you
could just use session_start() (and stick $TIME_NOW, $user, etc. in $_SESSION)?

>     }
>     if (empty($redirect)) {
>         $redirect="/";
>     }
>     header("Content-Type: text/html");
>     die("<meta http-equiv=\"refresh\" content=\"0;$redirect\">");
> }
> ------------------------------------------------------------------------
>
> which is working properly...
>
> I'd like to know whether this is good enough or whether there is a better
> solution?

there is always a better way ;-) ... the only real problem I envisage might be
related to file permissions on files in the DIR_SESSIONS dir ... given that this
stuff is in use, working, probably not protecting very sensitive data and the fact that
you're probably not going to get paid to change it ... I'd leave it be and go have a
beer or something :-)

> Thanks, Greetings and nice Day/Evening
> Michelle Konzack
> Systemadministrator
> 24V Electronic Engineer
> Tamay Dogan Network
> Debian GNU/Linux Consultant
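For contrast, here is the posted login() reworked along the lines Jochem suggests (parse the file in PHP instead of shelling out, return true/false, let session_start() manage the session). This is an added example, not code from either poster; it assumes the DIR_HOST constant and the `<user>:<shadow_passwd>` file format from the original post, and PHP 7 or later.

```php
<?php
// Added example, not Michelle's or Jochem's code. Assumes DIR_HOST is defined as in the
// original post and that .shadow keeps the posted "<user>:<crypt-hash>" format (PHP >= 7).

function load_shadow(string $path): array {
    // Parse the file in PHP rather than via exec("grep ... | cut ..."), so the
    // submitted username is never interpolated into a shell command line.
    $entries = [];
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [] as $line) {
        $parts = explode(':', $line, 2);
        if (count($parts) === 2) {
            $entries[$parts[0]] = $parts[1];
        }
    }
    return $entries;
}

function check_login(string $user, string $pass, array $shadow): bool {
    // Boolean result: the caller decides whether to redirect or redisplay the form.
    // One answer for "unknown user" and "wrong password" so the form does not reveal
    // which usernames exist.
    if ($user === '' || $pass === '' || !isset($shadow[$user])) {
        return false;
    }
    $stored = $shadow[$user];
    // crypt() takes the salt (e.g. "$1$xxxxxxxx$") from the stored hash itself, so the
    // separate "cut -d$ -f1-3" step is not needed; hash_equals() is a constant-time compare.
    return hash_equals($stored, crypt($pass, $stored));
}

function login(string $user, string $pass): bool {
    if (!check_login($user, $pass, load_shadow(DIR_HOST . '/.shadow'))) {
        return false;
    }
    // PHP's own session handling replaces the hand-rolled md5sum cookie and the
    // exec()-written file in DIR_SESSIONS; regenerating the id avoids reusing a
    // pre-login session id.
    session_start();
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['login_time'] = time();
    return true;
}

// Constructed usage from index.php (hypothetical show_login_form() renders the form):
// if (login($_POST['user'] ?? '', $_POST['pass'] ?? '')) { header('Location: /'); exit; }
// show_login_form('Wrong username or password.');
```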