wwwauth=true on PHP as CGI on Apache

harteg · **Posted:** Fri Jun 02, 2006 10:45 am

A user has given this how to get wwwauth to work on PHP as CGI on Apache - it is CMSimple version 2.4 - and "Copy of cms.php" is original cms.php:

Code:

Compare: (<)C:\Documents and Settings\Administrator\Skrivebord\Copy of cms.php (41459 bytes)
   with: (>)C:\Documents and Settings\Administrator\Skrivebord\cms.php (42379 bytes)

81,111c81,128
< $adm=(gc('status')=='adm'&&logincheck());
< 
< if($login&&!$adm)
< {
<    if($cf['security']['wwwaut']!='true')
<    {
<       if($passwd==$cf['security']['password'])
<       {
<          setcookie('status','adm');
<          setcookie('passwd',$passwd);
<          $adm=true;
<          $edit=true;
<          writelog(date("Y-m-d H:i:s")." from ".sv('REMOTE_ADDR')." logged_in\n");
<       }
<       else getlost();
<    }
<    else
<    {
<       if(sv('PHP_AUTH_USER')==''||sv('PHP_AUTH_PW')==''||gc('status')=='')
<       {
<          // In a future version of CMSimple this new Server API check will replace the setting of a variable
<          if($cf['security']['wwwaut']=='true'&&(php_sapi_name()=='cgi'||php_sapi_name()=='cgi-fcgi')) 
<          {
<             $e.='<li>security_wwwaut should only be set true, when Server API is apache - your is '.php_sapi_name().' - please see <a href="http://www.cmsimple.dk/?Requirements">http://www.cmsimple.dk/?Requirements</a>';
<          }
<          else
<          {
<             setcookie('status','login');
<             header('WWW-Authenticate: Basic realm="'.$tx['login']['warning'].'"');
<             getlost();
<          }
---
> //$headers = getallheaders();
> //$auth=$headers['authorization'];
> //if ($auth=='') { $auth=$headers['Authorization']; } 
> 
> if(preg_match('/Basic+(.*)$/i', $_SERVER['REMOTE_USER'], $matches)) {
>    list($name, $password) = explode(':', base64_decode($matches[1]));
>    $_SERVER['PHP_AUTH_USER'] = strip_tags($name);
>    $_SERVER['PHP_AUTH_PW']    = strip_tags($password);
>   }
> 
> //if((!$_SERVER['PHP_AUTH_USER'] || !$_SERVER['PHP_AUTH_USER']) && ($cf['security']['wwwaut']=='true')
> //   && preg_match('/Basics+(.*)$/i', $_SERVER['REMOTE_USER'], $matches)) {
> //   list($name, $password) = explode(':', base64_decode($matches[1]));
> //   $_SERVER['PHP_AUTH_USER'] = strip_tags($name);
> //   $_SERVER['PHP_AUTH_PW']    = strip_tags($password);
> // }
> //print "-->" . $_SERVER['PHP_AUTH_USER'] . "<--\n";
> //print "-->" . $_SERVER['PHP_AUTH_PW'] . "<--\n";
> 
> 
> 
> $adm=(gc('status')=='adm'&&logincheck());
> if($login&&!$adm)
> {
>   if($cf['security']['wwwaut']!='true')
>   {
>     if($passwd==$cf['security']['password'])
>     {
>       setcookie('status','adm');
>       setcookie('passwd',$passwd);
>       $adm=true;
>       $edit=true;
>       writelog(date("Y-m-d H:i:s")." from ".sv('REMOTE_ADDR')." logged_in\n");
>     }
>     else getlost();
>   }
>   else
>   {
>     if(sv('PHP_AUTH_USER')==''||sv('PHP_AUTH_PW')==''||gc('status')=='')
>     {
>       // In a future version of CMSimple this new Server API check will replace the setting of a variable
>       if($cf['security']['wwwaut']=='true'&&(php_sapi_name()=='cgis'||php_sapi_name()=='cgi-fcgi'))
>       {
>         //$e.='<li>security_wwwaut should only be set true, when Server API is apache - your is '.php_sapi_name().' - please see <a href="http://www.cmsimple.dk/?Requirements">http://www.cmsimple.dk/?Requirements</a>';
>         setcookie('status','login');
>         //phpinfo();
>         header('WWW-Authenticate: Basic realm="'.$tx['login']['warning'].'"');
>         getlost();
115,155c132,168
<          if(logincheck())
<          {
<             setcookie('status','adm');
<             $adm=true;
<             $edit=true;
<             writelog(date($tx['log']['dateformat']).' '.sv('REMOTE_ADDR').' '.$tx['log']['loggedin']."\n");
<          }
<          else
<          {
<             getlost();
<          }
<       }
<    }
< }
< else if($logout&&$adm)
< {
<    $fn=date("YmdHis").'.htm';
<    if(@copy($pth['file']['content'],$pth['folder']['content'].$fn))
<    {
<      $o.='<p>'.ucfirst($tx['filetype']['backup']).' '.$fn.' '.$tx['result']['created'].'</p>';
<      $fl=array();
<      $fd=@opendir($pth['folder']['content']);
<      while(($p=@readdir($fd))==true)
<      {
<         if(preg_match("/\d{3}\.htm/",$p))$fl[]=$p;
<      }
<      if($fd==true)closedir($fd);
<      @sort($fl,SORT_STRING);
<      $v=count($fl)-$cf['backup']['numberoffiles'];
<      for($i=0;$i<$v;$i++)
<      {
<         if(@unlink($pth['folder']['content'].'/'.$fl[$i]))$o.='<p>'.ucfirst($tx['filetype']['backup']).' '.$fl[$i].' '.$tx['result']['deleted'].'</p>';
<         else e('cntdelete','backup',$fl[$i]);
<      }
<    }
<    else e('cntsave','backup',$fn);
<    $adm=false;
<    setcookie('status','');
<    setcookie('passwd','');
<    $o.='<p><font color="red">'.$tx['login']['loggedout'].'</font></p>';
< }
---
>         setcookie('status','login');
>         header('WWW-Authenticate: Basic realm="'.$tx['login']['warning'].'"');
>         getlost();
>       }
>     }
>     else
>     {
>       if(logincheck())
>       {
>    setcookie('status','adm');
>    $adm=true;
>    $edit=true;
>    writelog(date($tx['log']['dateformat']).' '.sv('REMOTE_ADDR').' '.$tx['log']['loggedin']."\n");
>       }
>       else
>       {
>    getlost();
>       }
>     }
>   }
> }else 
> if($logout&&$adm){$fn=date("YmdHis").'.htm';
> if(@copy($pth['file']['content'],$pth['folder']['content'].$fn)){$o.='<p>'.ucfirst($tx['filetype']['backup']).' '.$fn.' '.$tx['result']['created'].'</p>';
> $fl=array();
> $fd=@opendir($pth['folder']['content']);
> while(($p=@readdir($fd))==true){if(preg_match("/\d{3}\.htm/",$p))$fl[]=$p;}
> if($fd==true)closedir($fd);
> @sort($fl,SORT_STRING);
> $v=count($fl)-$cf['backup']['numberoffiles'];
> for($i=0;$i<$v;$i++){
>    if(@unlink($pth['folder']['content'].'/'.$fl[$i]))$o.='<p>'.ucfirst($tx['filetype']['backup']).' '.$fl[$i].' '.$tx['result']['deleted'].'</p>';else e('cntdelete','backup',$fl[$i]);
>    }}else e('cntsave','backup',$fn);
>    $adm=false;
>    setcookie('status','');
>    setcookie('passwd','');
>    $o.='<p><font color="red">'.$tx['login']['loggedout'].'</font></p>';
>  }
261,262c274,277
< function sv($s){global $HTTP_SERVER_VARS; // if phpversion() above 4.1 you might want to use $_SERVER
< if(isset($HTTP_SERVER_VARS[$s]))return $HTTP_SERVER_VARS[$s];else return'';}
---
> //function sv($s){global $HTTP_SERVER_VARS; // if phpversion() above 4.1 you might want to use $_SERVER
> //if(isset($HTTP_SERVER_VARS[$s]))return $HTTP_SERVER_VARS[$s];else return'';}
> function sv($s){global $_SERVER; // if phpversion() above 4.1 you might want to use $_SERVER
> if(isset($_SERVER[$s]))return $_SERVER[$s];else return'';}
269c284,290
< function logincheck(){global $cf;if($cf['security']['wwwaut']=='true')return (sv('PHP_AUTH_USER')==$cf['security']['username']&&sv('PHP_AUTH_PW')==$cf['security']['password']);else return (gc('passwd')==$cf['security']['password']);}
---
> function logincheck(){
> global $cf;
> if($cf['security']['wwwaut']=='true')
>    return (sv('PHP_AUTH_USER')==$cf['security']['username']&&sv('PHP_AUTH_PW')==$cf['security']['password']);
> 
> else return (gc('passwd')==$cf['security']['password']);
> }

pim · **Joined:** Tue Jan 10, 2006 5:14 pm **Posts:** 24

Hallo can you please help me in that context, what do I have to change in my cms.php to get wwwauth to work on PHP as CGI on Apache.

Have problems to understand your post.
Thanks in advance

Pim

djot · **Posted:** Thu Aug 10, 2006 8:06 pm

-
You have to edit cms.php .

See the file comparison above to see which parts of the code are old (original CMSimple code) and which ones were added. The BRACKETS at the beginning of each line show if the line is new or old.

djot
-

thedude · **Joined:** Wed Jun 09, 2004 12:24 am **Posts:** 52

Hi,
I'm also having some trouble understanding that... could it be possible to copy-paste the whole new content of the cms.php file of 2.4?
Thanks, this is a really useful thing to have it work on cgi also.

Jens · **Joined:** Sun Oct 17, 2004 9:47 pm **Posts:** 2505

If you paste the whole thing you will get an outdated Version 2.4 of course...

djot · **Posted:** Wed Aug 23, 2006 10:19 pm

-
outdated? or updated?

djot

CMSimple Addonsbydjot: http://www.internet-setup.de/cmsimple/
-

harteg · **Posted:** Fri Aug 25, 2006 5:49 am

Code have to be updated in cms.php and login.php - as far as I can see it is only minor changes, but I haven't had the time to look into it.

heggie · **Joined:** Fri Aug 25, 2006 1:42 pm **Posts:** 8

Hi, it would be really great if you could get that included in the current version.
It seems that more ande more providers are running PHP as CGI for security reasons. On most of my sites I needed to switch off wwwaut because of that.
And I'd like to get it back on :-)

harteg · **Posted:** Sun Aug 27, 2006 10:39 am

Added it to http://www.cmsimple.dk/?Downloads:Future_development

JAT · **Posted:** Thu Aug 31, 2006 1:09 pm

I made a version compatible with cmsimple v2.6

Briefly, this is what I've done (with help from information found on various recources on the internet...)
Use .htaccess file with some rewrite code in it
changed some code in the login.php

tested with wwwauth=true / false on systems running Server API as Apache and CGI/FastCGI

test environments
1) XAMP on Windows XP
- PHP 5.0.5
- Apache 2.0.54
- Server API : CGi/FastCGI

2) LAMP on Ubuntu 6.06 LTS
- PHP 4.4.2
- Apache 1.3.34
- Server API : Apache

The mods I made are working fine on both of the test systems
I'm looking for beta testers both for Server API Apache and CGI to check if everything works fine...

Please send me a PM including your e-mail address so I can forward my mods (ie. login.php) and the installation instructions

JAT

Meril · **Joined:** Mon Jul 25, 2005 1:17 pm **Posts:** 216

heggie wrote:

Hi, it would be really great if you could get that included in the current version.
It seems that more ande more providers are running PHP as CGI for security reasons. On most of my sites I needed to switch off wwwaut because of that.
And I'd like to get it back on :-)

Hi!

Would be fine - cause it looks like the same in Austria - on the bigger Providers. Its the same on my WEB-Site (under development).

greetings
Meril

thedude · **Joined:** Wed Jun 09, 2004 12:24 am **Posts:** 52

Hi,
I'm trying and trying, but cannot get it to work on 2.4. I changed all the old codes (lines starting with "< ") with the new ones ("> "), but nothing. There are no errors or anything, but if wwwaut is true then it looks like the password is wrong (3 times, then "Authorization Required"). I double checked the cms.php file and passwords. Did I do someting wrong in changing the code? Or is there something else to configure? Please help...
Cheers

harteg · **Posted:** Tue Sep 05, 2006 7:26 am

As I wrote, a user mailed me it, so I do not know if it works.

There is something documented at:
http://www.modwest.com/help/kb5-103.html

Otherwise, please try something like this instead:
http://www.besthostratings.com/articles ... p-cgi.html

In order to get it to work in IIS, please see

Quote:

Also note that until PHP 4.3.3, HTTP Authentication did not work using Microsoft's IIS server with the CGI version of PHP due to a limitation of IIS. In order to get it to work in PHP 4.3.3+, you must edit your IIS configuration "Directory Security". Click on "Edit" and only check "Anonymous Access", all other fields should be left unchecked.

Another limitation is if you're using the IIS module (ISAPI) and PHP 4, you may not use the PHP_AUTH_* variables but instead, the variable HTTP_AUTHORIZATION is available. For example, consider the following code: list($user, $pw) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));

http://www.zend.com/manual/features.http-auth.php

If somebody can let me use some space at a webhotel running PHP as CGI, I might have the time to try to fix these things.

JAT · **Posted:** Tue Sep 05, 2006 9:42 am

@Peter,

I made some modification to the login.php of CMSimple v2.6 so wwwauth works when php is running in CGI/FastCGI

Please let me know if you want to test these mods

JAT

harteg · **Posted:** Tue Sep 05, 2006 12:21 pm

I would really appriciate a hint, yes - seems to me it is only possible when mod_rewrite is enabled.

I've made the 2.6 fix work under MS IIS:

1. In webserver admin goto Web Site Properties -> File/Directory Security -> Anonymous Access dialog box - check the "Anonymous access" checkbox and uncheck any other checkboxes (uncheck "Basic authentication," "Integrated Windows authentication," and "Digest")

2. In webserver admin under "Custom Errors" select the range of "401;1" through "401;5" and select "Set to Default".

3. If it does not work, check your php.ini that "cgi.rfc2616_headers = 0"

4. Check that PHP > 4.3.3

Archived CMSimple Support Forum

wwwauth=true on PHP as CGI on Apache

Who is online