[thelist] User auth on php running as cgi on windows?

Timothy Joko-Veltman tim at indigopixel.com
Wed Nov 10 07:18:43 CST 2004


On Tue, 2004-11-09 at 21:54 -0800, chris wrote:
> Hi,
> I'm building a small site in php that needs a login/password on 1 dir. Php
> is running as a cgi binary on windoze. My only experience is working with
> php/mysql on linux. So, 
> 
> 1. is it true that http-authentication is unavailable to php running as cgi
> on windows?
> 
Not just Windows ... PHP in a CGI environment on any platform does not
have access to HTTP Authentication headers.

> 2. I have a vague recollection of a (very insecure) hack using a url token
> or some such thing but can't find anything in google 
> 
This is extremely insecure.  What you would do is something like

http://mydomain.com/mypage.php?tk={MD5_HASH}

Where {MD5_HASH} is a hash of some authenticating string, say,
username:password.  Of course, if someone has the hash, they have
access, so they may as well have the password; they can't reproduce it,
but they've got access, so who cares?

> 3. how do I do authentication without a database and without http
> authentication? 
> 
If you have the mcrypt extension
(http://www.php.net/manual/en/ref.mcrypt.php) installed, you could use
serialization in a flat file.  Of course, you'd have to be very careful
to keep the key secret.  Another option would be to use a PHP file with
something like the following at the top:

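<?php
// The constant name must be passed to defined() as a quoted string.
// ACCESS is defined only by the "mother" script that includes this file.
if (!defined('ACCESS'))
	exit();

//... stuff
?>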

This will keep the file from being remotely loaded, or even loaded at
all if you haven't defined ACCESS in your "mother" script.  This even
works on the top of an otherwise flat file, provided the file is always
parsed as PHP.

On formatting, INI-type wouldn't be bad, as PHP has a built-in function
for reading them (parse_ini_file():
http://www.php.net/manual/en/function.parse-ini-file.php )

Writing them is slightly harder, but it's a pretty simple file format,
so shouldn't be too much work.

Regards,

Timothy

-- 
"The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all progress
depends on the unreasonable man."    --George Bernard Shaw
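
Added example, not part of the original message: one way to do the flat-file login from the answer to question 3, with the credentials kept in a PHP file behind the defined('ACCESS') guard. It assumes PHP 7.4 or later and stores password_hash() output written with var_export() instead of the mcrypt or INI formats the message mentions; the file name, user name and password are constructed.

```php
<?php
// Added example. File name, user name and password are constructed.
define('ACCESS', true);            // defined only by the "mother" script

// Write the guarded credential file (normally done once, by an admin).
// Only password hashes are stored, never the passwords themselves.
function write_users(string $path, array $plain): void
{
    $hashed = array_map(
        fn($p) => password_hash($p, PASSWORD_DEFAULT),
        $plain                     // array_map keeps the user-name keys
    );
    $body = "<?php\nif (!defined('ACCESS')) exit();\nreturn "
          . var_export($hashed, true) . ";\n";
    file_put_contents($path, $body, LOCK_EX);
}

// Load the file. Requested directly over HTTP it exits before any output;
// included from a script that defined ACCESS it returns user => hash.
function load_users(string $path): array
{
    $users = include $path;
    return is_array($users) ? $users : [];
}

// Check a submitted user name and password against the stored hashes.
function check_login(array $users, string $user, string $pass): bool
{
    // Unknown users are verified against a dummy hash so that response
    // time does not reveal which user names exist.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $hash = $users[$user] ?? $dummy;
    return password_verify($pass, $hash) && isset($users[$user]);
}

// Demonstration with constructed data in the system temp directory.
$path = sys_get_temp_dir() . '/users.php';
write_users($path, ['chris' => 'correct horse']);
$users = load_users($path);

var_dump(check_login($users, 'chris', 'correct horse'));
var_dump(check_login($users, 'chris', 'wrong password'));
var_dump(check_login($users, 'nobody', 'correct horse'));
```

On a real page, pass the POSTed form fields to check_login() and, on success, call session_regenerate_id(true) and set a flag in $_SESSION that the protected pages check. That keeps the credential out of the URL, unlike the token approach in the answer to question 2.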


