Michelle Konzack wrote:
> Hello,
>
> I have at my hosting provider only 1 GByte of Diskspace and can install
> VHosts as much as I want. The problem is, that I have "no access" to
> the OS for OS-Level authentication.
>
> Currently I have
>
>     ${CUSTOMERPATH}/htdocs/index.php
>
> which handles all VHosts and gets its config from directories like
>
>     ${CUSTOMERPATH}/CONFIG_<vhost>.tamay-dogan.net/...
>
> in which I currently use files like
>
>     <user>:<shadow_passwd>
>
> and then I use:
>
> ----[ STDIN ]-----------------------------------------------------------
> function login($user, $pass, $redirect) {
>
>   if ($user != '' and $pass != '') {
>
>     $SHADOW=exec("grep \"^$user:\" " . DIR_HOST . "/.shadow |cut -d: -f2");
>     if (empty($SHADOW)) {
>       header("Content-Type: text/html");
>       die("<meta http-equiv=\"refresh\" content=\"5;$redirect\">\n<font size=\"+2\" color=\"red\"><b>Error</b></font><hr size=\"3\" noshade=\"noshade\">The username \"$user\" does not exist.");
>     }
>
>     $SALT=exec("grep \"^$user:\" " . DIR_HOST . "/.shadow |cut -d: -f2 |cut -d$ -f1-3");
>     $ENCRYPTED=crypt($pass, $SALT);

seems like a lot of pain to go through, what with all that shell'ing out
to grep data. I'd personally go for a simple DB table and use/store
sha1() hashes.

>     if ($SHADOW != $ENCRYPTED) {
>       header("Content-Type: text/html");

text/html is the default content-type, why bother with this line?

>       die("<meta http-equiv=\"refresh\" content=\"5;$redirect\">\n<font size=\"+2\" color=\"red\"><b>Error</b></font><hr size=\"3\" noshade=\"noshade\">Wrong password for user \"$user\".");

I'm not a fan of die()ing in this fashion. I would argue the function
should either return true or false and let the caller decide what to do
(e.g. show a login form again or something).

I'm not a fan of meta-refreshes either.

>     }
>     $TIME_NOW=date("U");
>     $SESSID=exec("echo \"${user}${TIME_NOW}\" |md5sum |sed 's| .*||'");
>     setcookie('TDSESSION', "$SESSID");
>     setcookie('USER', $user);
>     exec("echo '" . date("U") . " " . $user . "' >" . DIR_SESSIONS . "/" . $SESSID);

I smell a race condition or something ... also why go to all this trouble
when you could just use session_start() (and stick $TIME_NOW, $user, etc
in $_SESSION)?

>   }
>   if (empty($redirect)) {
>     $redirect="/";
>   }
>   header("Content-Type: text/html");
>   die("<meta http-equiv=\"refresh\" content=\"0;$redirect\">");
> }
> ------------------------------------------------------------------------
>
> which is working properly...
>
> I like to know, whether this is good enough or is there a better
> solution?
>

there is always a better way ;-) ... the only real problem I envisage
might be related to file permissions on files in the DIR_SESSIONS dir ...
given that this stuff is in use, working, probably not protecting very
sensitive data and the fact that you're probably not going to get paid to
change it ... I'd leave it be and go have a beer or something :-)

> Thanks, Greetings and nice Day/Evening
>     Michelle Konzack
>     Systemadministrator
>     24V Electronic Engineer
>     Tamay Dogan Network
>     Debian GNU/Linux Consultant
>
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php