Category Archives: authentication

HTTP basic Auth not working

so im having some issues with this in my htaccess file, I have been looking online to see if I could find a solution but seems all the info points to what I have. I have even attempted to create a new htaccess file in the directory that I want to have a sign in for and still not success. The alert pops up but if you hit cancel it allows you to access the information. Any feedback on what I might be missing or some helpful links

AuthName "Protected Area"
AuthType Basic
AuthUserFile /home/path/public_html/url.com/.htpasswd
Require valid-user
AuthGroupFile /dev/null





SetEnvIf Request_URI .* noauth
SetEnvIf Request_URI /directory/* !noauth


<RequireAny>
Require env noauth
Require valid-user
</RequireAny>

Apache auth cache context – directory not working as expected

I have an issue with configuring the apache auth cache module - in particular the AuthCacheContext directive.

I need to use the URL directory as the context, to cache credentials on a directory by directory basis. I believe this is how the "directory" option to AuthCacheContext works - and is described in the Apache help:

*"The default is directory, which is also the most conservative setting. 
This is likely to be less than optimal, as it (for example) causes $app- 
base, $app-base/images, $app-base/scripts and $app-base/media each to have 
its own separate cache key. A better policy is to name the 
*AuthnCacheContext* for the password provider: for example a htpasswd file 
or database table."*

Unfortunately that is not the behaviour I am seeing!

If I have a site structure:

/base
/base/subdir1
/base/subdir2

Once I initially authenticate at /base - the auth socache module automatically grants access to /base/subdir1 as well!

I've done a quick review of the Apache module source (mod_authn_socache.c) - this appears to be corroborated where it splits the directory in construct_key at the first slash.

if (!strcmp(context, "directory")) {
    /* FIXME: are we at risk of this blowing up? */
    char *new_context;
    char *slash = strrchr(r->uri, '/');
    new_context = apr_palloc(r->pool, slash - r->uri +
                             strlen(r->server->server_hostname) + 1);
    strcpy(new_context, r->server->server_hostname);
    strncat(new_context, r->uri, slash - r->uri);
    context = new_context;
}

Any advice on how to resolve this issue? Can a custom-string parameter to the AuthnCacheContext directive with some sort of Apache directory variable be used instead?

For reference, i've already attempted:

AuthnCacheContext %{REQUEST_URI}

However that does not appear to work either.

Force http auth off on certain path

I have a two sites. One site is symlinked into a sub folder of the first e.g.

Site1
|-foo
|-bar
|-symlinked-site -> /var/www/site2/
|-etc...

So in the browser url I get something like www.site1.com/site2-alias/

Site 1 has an httaccess auth rule set up like so in the root folder;

# Do the regex check against the URI here, if match, set the "require_auth" var
SetEnvIf Request_URI ^/path/to/auth-only/dir require_auth=true

# Auth stuff
AuthUserFile /var/www/site1.com/htpasswd
AuthName "Password Protected"
AuthType Basic

# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth

For some reason Site 2 is getting a prompt for the password, but I cannot figure out why it would do so, and I've tried a few variations of forcing Allow from all or replicating the full auth config from site 1 to site 2.

I've checked the environment variables in PHP and require_auth does not exist in on the second site. If I modify the rule to set require_auth on the valid url of site 2 then I can get the require_auth variable to show up, so I'm not sure why any part of the htaccess rule would prompt for this password.

Is there anyway I can explicitly turn off any kind of ht password check for the site 2 file path, I do not require it at all.

How to exclude a folder from Laravel route?

I am currently working on a laravel 5.6 project. Here I have uploaded and extracted zip file in the 'public/uploads/games' directory (extracted files contains html, css, js files). Now I want to give access to this folder only to the authenticated user. So, I have included a route in routes/web.php. Here is my route:

Route::get('uploads', function() {
    echo 'hello';
});

But, as because I have a folder named 'uploads', this routing isn't working. I need this route to check authentication. I'll implement the middleware later.

Any help will be appreciated.

Retrieve HTAuth Basic credentials from URL without checking auth

Im refactoring my login method from http basic auth to PHP session login method, and I want to make it backward compatible so that users bookmarked the URL that contains the cresentials (like: http://username:[email protected]/...) still can login with the HtAuth turned off from apache.

I have tried to access the url with credentials in the url and print out the $_SERVER var, but those credentials are not seen here.

I realized that the PHP_AUTH_USER and PHP_AUTH_PW are only available in PHP if I keep the .htaccess auth turn on, and user is authenticated (logged in with correct username and password).

So is there a way to retrieve that info without turn on the htauth in .htaccess file? Or is there a better solution in this case?

P/S: I was thinking of capturing the username and password in apache and manually set a custom $_SERVER var (not sure how to do this) ?!?

Thanks

How do I use the LAPP stack with a single initial login (with Postgres doing the authentication)?

I am using Ubuntu Linux, Apache, Postgres and PHP for the website application that I am building. I want to have a website (using mostly PHP and HTML) that requires authentication when the user goes to login.php from a web browser. The authentication should be with a Postgres database.

I have a web page request credentials. A second page loads after a successful authentication. How can I have subsequent pages accessible (e.g., with buttons and/or links) from this web page the user sees after a successful authentication?

I have tried writing the username and password to a text file on the server on the back end to provide further authentication behind the scenes. This way a user would log in once then he/she can keep clicking around to subsequent pages without being prompted. This has not worked at all. If there were many users, there would be many of these temporary files with their credentials. This does not seem like a solution worth investigating.

A separate solution would be with a global variable. I am concerned about security with the GET response code as a way of passing the credentials from page to page. I have not been able to get this to work in a practical and reasonably secure way.

I want the user to be able to run various SQL queries through a web browser. But maybe this detail is not important.

I use something like this (login.php):

<html>
<body>

<form action="cool.php" method="post">
UserName: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>

<input type="submit">
</form>

</body>
</html>

Here is some of the code from cool.php:

<?php
$usern = $_POST["username"]; 
$passw = $_POST["password"];

...

pg_connect (...)
pg_query(...)

...html code...

How can I have a web page request an initial login page and a full website load after that and be completely accessible for the remainder of the session with no further credential challenges? Right now cool.php is viewable upon successful authentication. I am having difficulty creating links on cool.php. cool.php has dynamic content. I want all subsequent pages to be visible after cool.php. The users have different levels of permissions to view SQL tables in the Postgres database. I'd like the same user context to last for the duration of the web session.

Chrome doesn’t prompt for client certificate

I've been trying to setup client certificate authentication for almost three days now but to no avail.

I've signed up for a free domain at heliohost and have installed a free ssl certificate issued by Let's encrypt.

My plan is to have self signed certificates and check them against the database later(for user authentication) therefore I set my SSLVerifyClient to optional_no_ca in the htaccess file. I installed several self signed certificates generated by openssl but no matter which browser I try(Chrome, Firefox or IE) I get no prompts to choose a certificate except when i tried to access it on my phone via Chrome, in this case it offers to install a certificate since I don't have any on the phone.

This is the content of my .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

SSLOptions +StdEnvVars
SSLRequireSSL
SSLVerifyDepth 1
SSLVerifyClient optional_no_ca

I would really appreciate any feedback pertaining the issue, this is my first time trying to implement this and I'm not sure weather the issue is with my setup or chrome.

also I'm using chrome 59

Kriss

Portability of $_SERVER variables: REMOTE_USER, AUTH_USER and PHP_AUTH_USER

What is the best way to get the HTTP-authenticated user-name to ensure full portability across different web servers (Apache, IIS, Nginx, etc.)?

My understanding is that $_SERVER['REMOTE_USER'] is the CGI standard, but is it safe to assume that all web servers support this?

There are at least two other variants: $_SERVER['PHP_AUTH_USER'] on Apache and $_SERVER['AUTH_USER'] on IIS. Why do these server-specific variants exist if $_SERVER['REMOTE_USER'] is the correct variable to use?


Related thread, which only covers IIS/Coldfusion, not */PHP: Difference between AUTH_USER and REMOTE_USER cgi variables