Re: Preferred Method for User authentication on VHosts

Michelle Konzack schreef:
> Hello,
> 
> I have at my hosting provider only 1 GByte of disk space and can install
> VHosts as much as I want.  The problem is that I have "no access" to
> the OS for OS-level authentication.
> 
> Currently I have
> 
>     ${CUSTOMERPATH}/htdocs/index.php
> 
> which handles all VHosts and gets its config from directories like
> 
>     ${CUSTOMERPATH}/CONFIG_<vhost>.tamay-dogan.net/...
> 
> in which I currently use files like
> 
>     <user>:<shadow_passwd>
> 
> and then I use:
> 
> ----[ STDIN ]-----------------------------------------------------------
> function login($user, $pass, $redirect) {
> 
>   if ($user != '' and $pass != '') {
> 
>     $SHADOW=exec("grep \"^$user:\" " . DIR_HOST . "/.shadow |cut -d: -f2");
>     if (empty($SHADOW)) {
>       header("Content-Type: text/html");
>       die("<meta http-equiv=\"refresh\" content=\"5;$redirect\">\n<font size=\"+2\" color=\"red\"><b>Error</b></font><hr size=\"3\" noshade=\"noshade\">The username \"$user\" does not exist.");
>     }
> 
>     $SALT=exec("grep \"^$user:\" " . DIR_HOST . "/.shadow |cut -d: -f2 |cut -d$ -f1-3");
>     $ENCRYPTED=crypt($pass, $SALT);

seems like a lot of pain to go through, what with all that shelling out to grep data.
I'd personally go for a simple DB table and use/store sha1() hashes.

>     if ($SHADOW != $ENCRYPTED) {
>       header("Content-Type: text/html");

text/html is the default content-type; why bother with this line?

>       die("<meta http-equiv=\"refresh\" content=\"5;$redirect\">\n<font size=\"+2\" color=\"red\"><b>Error</b></font><hr size=\"3\" noshade=\"noshade\">Wrong password for user \"$user\".");

I'm not a fan of die()ing in this fashion. I would argue the function should either
return true or false and let the caller decide what to do (e.g. show a login form again
or something).

I'm not a fan of meta-refreshes either.

>     }
>     $TIME_NOW=date("U");
>     $SESSID=exec("echo \"${user}${TIME_NOW}\" |md5sum |sed 's| .*||'");
>     setcookie('TDSESSION', "$SESSID");
>     setcookie('USER', $user);
>     exec("echo '" . date("U") . " " . $user . "' >" . DIR_SESSIONS . "/" . $SESSID);

I smell a race condition or something ... also why go to all this trouble when you
could just use session_start() (and stick $TIME_NOW, $user, etc in $_SESSION) ?

>   }
>   if (empty($redirect)) {
>     $redirect="/";
>   }
>   header("Content-Type: text/html");
>   die("<meta http-equiv=\"refresh\" content=\"0;$redirect\">");
> }
> ------------------------------------------------------------------------
> 
> which is working properly...
> 
> I'd like to know whether this is good enough or whether there is a better
> solution?
>

there is always a better way ;-) ... the only real problem I envisage might be
related to file permissions on files in the DIR_SESSIONS dir ... given that this
stuff is in use, working, probably not protecting very sensitive data and the fact that
you're probably not going to get paid to change it ... I'd leave it be and go have a
beer or something :-)

> Thanks, Greetings and nice Day/Evening
>     Michelle Konzack
>     Systemadministrator
>     24V Electronic Engineer
>     Tamay Dogan Network
>     Debian GNU/Linux Consultant
> 
> 

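Putting the reply's suggestions together (a DB table instead of a shadow file, a login() that returns true/false, and session_start() instead of hand-rolled cookies and shell calls), as an added example that is not code from the thread: it uses an in-memory SQLite table via PDO so it runs stand-alone (assumes the pdo_sqlite extension), uses password_hash()/password_verify() in place of the bare sha1() hashes the reply mentions, and the vhost name and credentials are constructed sample values.

```php
<?php
// Added example, not code from the thread. It follows the reply's advice: a DB
// table, a login() that returns true/false, and session_start() instead of
// hand-rolled cookies and shell calls. An in-memory SQLite table keeps it
// stand-alone; password_hash()/password_verify() stand in for bare sha1().
function open_user_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (vhost TEXT NOT NULL, username TEXT NOT NULL,
               pw_hash TEXT NOT NULL, PRIMARY KEY (vhost, username))');
    return $db;
}

function add_user(PDO $db, string $vhost, string $user, string $pass): void {
    $st = $db->prepare('INSERT INTO users (vhost, username, pw_hash) VALUES (?, ?, ?)');
    $st->execute([$vhost, $user, password_hash($pass, PASSWORD_DEFAULT)]);
}

// Returns true and fills $_SESSION on success; never die()s or redirects. The
// caller decides what happens next (re-show the form, or header('Location: ...')).
function login(PDO $db, string $vhost, string $user, string $pass): bool {
    if ($user === '' || $pass === '') {
        return false;
    }
    // Bound parameters: $user is never spliced into a shell command or SQL text.
    $st = $db->prepare('SELECT pw_hash FROM users WHERE vhost = ? AND username = ?');
    $st->execute([$vhost, $user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    // Verify even for an unknown user (against a throwaway hash) so that the
    // response time does not reveal which usernames exist.
    $hash = is_array($row) ? $row['pw_hash'] : password_hash('throwaway', PASSWORD_DEFAULT);
    if (!password_verify($pass, $hash) || !is_array($row)) {
        return false;
    }
    if (session_status() === PHP_SESSION_NONE) { session_start(); }
    session_regenerate_id(true);          // fresh id on login, against session fixation
    $_SESSION['user']       = $user;      // replaces the USER cookie
    $_SESSION['login_time'] = time();     // replaces $TIME_NOW in the session file
    return true;
}

// Stand-alone demonstration with constructed sample values.
$db = open_user_db();
add_user($db, 'www.example.test', 'michelle', 'correct horse battery');
var_dump([
    'right password' => login($db, 'www.example.test', 'michelle', 'correct horse battery'),
    'wrong password' => login($db, 'www.example.test', 'michelle', 'not it'),
    'unknown user'   => login($db, 'www.example.test', 'nobody', 'whatever'),
]);
```

Because the session file is written by PHP's own session handler, the DIR_SESSIONS permission concern raised above goes away as well; only the web server user needs access to the session save path.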

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
