Geek Answers Handbook

How would you implement FORM-based authentication without a support database?

I have a PHP script that runs as a CGI program, and the HTTP Authenticate header gets in and spits out. Therefore, I would like to implement some FORM-based authentication. As an additional limitation, there is no database, so session data cannot be saved.

I am very open to have a wizard username and password. I just need to protect the application from an attacker who does not know these credentials.

So how would you implement this?

Cookies?

I could submit the form and, if it is verified, I can send back the cookie, which is the hash of the IP address included in the secret code. Then I can prevent the rendering of pages if it does not decrypt correctly. But I have no idea how to implement this in PHP.

+6
authentication php cookies cgi
source share
4 answers

Several ways to do this.

  • htaccess - have a handler for your web server that protects the pages in question (not exactly based on the cgi form).
  • Use cookies and some kind of hash algorithm (md5 is good enough) to store passwords in a flat file, where each line in the file is the username: passwordhash. Make sure to salt your hashes for extra security against rainbow tables. (This method is a bit naive ... be very careful with security if you go along this route)
  • use something like sqlite for authentication only. Sqlite is compact enough and simple enough that it can still satisfy your needs, even if you do not need a large db server.

Theoretically, you can also store session data in a flat file, even if you do not have a database.

+5
source share

If you are using Authenticate, you may already have the htpasswd file. If you want to continue using this file, but switch to using FORM-based authentication and not through the Authenticate header, you can use a PHP script to use the same htpasswd file and use sessions to maintain the authentication status.

A quick google search on php htpasswd shows this page with a PHP function for checking htpasswd credentials. You can integrate it (provided that you have sessions configured for autorun) with the following code:

 // At the top of your 'private' page(s): if($_SESSION['authenticated'] !== TRUE) { header('Location: /login.php'); die(); } // the target of the POST form from login.php if(http_authenticate($_POST['username'], $_POST['password'])) $_SESSION['authenticated'] = TRUE;
+1
source share

Do you really need a form? No matter what you do, you are limited by username and password. If they know this, they get your magic cookie, which allows them. You want them to not see the page if they don’t know the secret, and the basic resolution does this, it is easy to set up and does not require a lot of work on your part.

Do you really need to see the authorization header if the web server cares about you for access control?

In addition, if you provide the application with a well-known list of people (not the public), you can provide access to the web server for other factors, such as the incoming IP address, client certificates, and many other things that are a matter of configuration rather than programming . If you explain your security limitations, we can offer a better solution.

Good luck :)

+1
source share

... About salt, add a username to your hash salt so that someone who knows your salt does not have access to your password file to write a rainbow table and your user's crack number.

-one
source share

More articles:


All Articles