Archived CMSimple Support Forum

The Old CMSimple User Community

This archived CMSimple Support Forum will be locked primo June 2008. Users with a commercial licence are advised to register and use the new Official Support Forum at CMSimple.com instead. A community driven forum with free registration is found at cmsimpleforum.com.

All times are UTC




Posted: Tue Sep 05, 2006 12:51 pm

Joined: Fri Feb 04, 2005 8:30 am
Posts: 475
Location: Belgium
OK Peter,

this is what I've done

1. create a .htaccess file in the root of the cmsimple webserver (where the cmsimple folders are located)
The .htaccess file contains the following code
Code:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
</IfModule>


2. I modified the login.php file in the cmsimple folder
Code:
<?php
/*
CMSimple version 2.6 - July 6. 2006
Small - simple - smart
© 1999-2006 Peter Andreas Harteg - peter@harteg.dk

This file is part of CMSimple.
For licence see notice in /cmsimple/cms.php and http://www.cmsimple.dk/?Licence
*/

/*
MODIFIED BY JAT TO SUPPORT WWWAUT when CGI is enabled
See remarks in the content of this file
*/

if (eregi('login.php',sv('PHP_SELF')))die('Access Denied');

// functions used for login

function gc($s)
{
  if(!isset($_COOKIE))
  {
    global $_COOKIE;
    $_COOKIE=$GLOBALS['HTTP_COOKIE_VARS'];
  }
  if(isset($_COOKIE[$s]))return $_COOKIE[$s];
}


function logincheck(){global $cf;if($cf['security']['wwwaut']=='true')return (sv('PHP_AUTH_USER')==$cf['security']['username']&&sv('PHP_AUTH_PW')==$cf['security']['password']);else return (gc('passwd')==$cf['security']['password']);}

function writelog($m){global $pth,$e;if($fh=@fopen($pth['file']['log'],"a")){fwrite($fh,$m);fclose($fh);}else {e('cntwriteto','log',$pth['file']['log']);chkfile('log',true);}}

// if(gc('status')!=''||$login){header('Cache-Control: no-cache');header('Pragma: no-cache');}

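// ADDED BY JAT
// Under CGI, PHP does not fill in PHP_AUTH_USER/PHP_AUTH_PW; rebuild them from
// the Authorization header that the .htaccess rewrite rule exposes.
if(isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])&&preg_match('/^Basic\s+(.*)$/i', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], $matches))
{
  // limit 2 keeps a password containing ':' intact; array_pad avoids a notice when no ':' is present
  list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = array_pad(explode(':' , base64_decode($matches[1]), 2), 2, '');
}
// END ADDED BY JAT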

$adm=(gc('status')=='adm'&&logincheck());
if($login&&!$adm)
{
  if($cf['security']['wwwaut']!='true')
  {
    if($passwd==$cf['security']['password'])
    {
      setcookie('status','adm');
      setcookie('passwd',$passwd);
      $adm=true;
      $edit=true;
      writelog(date("Y-m-d H:i:s")." from ".sv('REMOTE_ADDR')." logged_in\n");
    }
    else
    {
      // ADDED BY JAT
      header("Refresh: 5;URL=./index.php");
      // END ADDED BY JAT
      shead('401');
    }
  }
  else
  {
    if(sv('PHP_AUTH_USER')==''||sv('PHP_AUTH_PW')==''||gc('status')=='')
    {
      // In a future version of CMSimple this new Server API check will replace the setting of a variable
// <-- REMOVED BY JAT -->
//      if($cf['security']['wwwaut']=='true'&&(php_sapi_name()=='cgi'||php_sapi_name()=='cgi-fcgi'))
//      {
//        $e.='<li>security_wwwaut should only be set true, when Server API is apache - your is '.php_sapi_name().' - please see <a href="http://www.cmsimple.dk/?Requirements">http://www.cmsimple.dk/?Requirements</a>';
//      }
//      else
//      {
// <-- END REMOVED BY JAT -->
        setcookie('status','login');
        header('WWW-Authenticate: Basic realm="'.$tx['login']['warning'].'"');
        shead('401');
// <-- REMOVED BY JAT -->
//      }
// <-- END REMOVED BY JAT -->
    }
    else
    {
      if(logincheck())
      {
        setcookie('status','adm');
        $adm=true;
        $edit=true;
        writelog(date($tx['log']['dateformat']).' '.sv('REMOTE_ADDR').' '.$tx['log']['loggedin']."\n");
      }
      else
      {
// <-- ADDED BY JAT -->
        header("Refresh: 5;URL=./index.php");
        unset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']);
        unset($_SERVER['PHP_AUTH_PW']);
        unset($_SERVER['PHP_AUTH_USER']);
// <-- END ADDED BY JAT -->
        shead('401');
      }
    }
  }
}
else if($logout&&$adm)
{
  $fn=date("YmdHis").'.htm';
  if(@copy($pth['file']['content'],$pth['folder']['content'].$fn))
  {
    $o.='<p>'.ucfirst($tx['filetype']['backup']).' '.$fn.' '.$tx['result']['created'].'</p>';
    $fl=array();
    $fd=@opendir($pth['folder']['content']);
    while(($p=@readdir($fd))==true)
    {
      if(preg_match("/\d{3}\.htm/",$p))$fl[]=$p;
    }
    if($fd==true)closedir($fd);
    @sort($fl,SORT_STRING);
    $v=count($fl)-$cf['backup']['numberoffiles'];
    for($i=0;$i<$v;$i++)
    {
      if(@unlink($pth['folder']['content'].'/'.$fl[$i]))$o.='<p>'.ucfirst($tx['filetype']['backup']).' '.$fl[$i].' '.$tx['result']['deleted'].'</p>';
      else e('cntdelete','backup',$fl[$i]);
    }
  }
  else e('cntsave','backup',$fn);
  $adm=false;
// <-- ADDED BY JAT -->
  header("Refresh: 5;URL=./index.php");
// <-- END ADDED BY JAT -->
  setcookie('status','');
  setcookie('passwd','');
  $o.='<p><font color="red">'.$tx['login']['loggedout'].'</font></p>';

}

// SETTING FUNCTIONS AS PERMITTED

if($adm)
{
  if($edit)
  {
    setcookie('mode','edit');
  }
  if($normal)
  {
    setcookie('mode','');
  }
  if(gc('mode')=='edit'&&!$normal)
  {
    $edit=true;
  }
}
else
{
  if(gc('status')!='')
  {
    setcookie('status','');
  }
  if(gc('mode')=='edit')
  {
    setcookie('mode','');
  }
}
?>


3. Change the cmsimple configuration settings
Code:
wwwaut = true


Tested on a XAMP system (spec's see my previous post) with cmsimple v2.6

Important notice:
- mod_rewrite must be loaded on the apache server !!!
- .htaccess must be located in the root of the cmsimple installation

Maybe this is not the correct way to include wwwaut when php is running in CGI but it works fine on my development system...

Feedback is much appreciated...

Jan Kanters - aka JAT from belgium


Posted: Wed Sep 06, 2006 7:22 am
Site Admin

Joined: Mon May 12, 2003 12:36 pm
Posts: 3091
Location: Rutsker, Bornholm, Denmark
I did try these things yesterday, but mod_rewrite was not accessible on the CGI webhotel. Even some webhotels do not allow the use of .htaccess files.

I hoped that there was some other way to do it - like the script I received a long time ago (the beginning of this thread) ...


Posted: Mon Sep 11, 2006 10:57 am

Joined: Fri Aug 25, 2006 1:42 pm
Posts: 8
Hi Peter / JAT

I did install the new version 2.6 fix 6 on a php apache cgi server.
I put the WWWAUT on true and added the rewrite lines to the .htaccess file and it works. I can now login with username and password.

I don't understand how it works, but it does.... great :D

Thanks!


Posted: Mon Sep 11, 2006 11:40 am

Joined: Fri Feb 04, 2005 8:30 am
Posts: 475
Location: Belgium
heggie,

thanks for the feedback...
can you please send some phpinfo of the server where you tested the modifications, so I can make some reference documentation ?

Thanks in advance...

JAT


Posted: Mon Sep 11, 2006 12:44 pm
Site Admin

Joined: Mon May 12, 2003 12:36 pm
Posts: 3091
Location: Rutsker, Bornholm, Denmark
BTW - the only thing I needed to change was inserting this at the beginning of login.php

Code:
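// Under CGI, rebuild PHP_AUTH_USER/PHP_AUTH_PW from the Authorization header that .htaccess copies into REMOTE_USER
if((empty($_SERVER['PHP_AUTH_USER'])||empty($_SERVER['PHP_AUTH_PW']))&&isset($_SERVER['REMOTE_USER'])&&preg_match('/^Basic /i', $_SERVER['REMOTE_USER']))list($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW'])=array_pad(explode(':',base64_decode(substr($_SERVER['REMOTE_USER'],6)),2),2,'');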


- and also needed to fix cms.php's function shead to use status when cgi - it was a bug, that it didn't.


Posted: Mon Sep 11, 2006 1:01 pm

Joined: Fri Feb 04, 2005 8:30 am
Posts: 475
Location: Belgium
Peter,

just tested with CMSimple v2.6 fix 6
your login.php approach doesn't work on my test system (as described in a previous thread) ...

It always asks the username/password

When I use the login.php as I've given in the forum, the wwwauth works again...

JAT


Posted: Mon Sep 11, 2006 4:53 pm
Site Admin

Joined: Mon May 12, 2003 12:36 pm
Posts: 3091
Location: Rutsker, Bornholm, Denmark
JAT - is it possible for me to get an FTP-login for your test site?


Posted: Mon Sep 11, 2006 7:44 pm

Joined: Fri Feb 04, 2005 8:30 am
Posts: 475
Location: Belgium
Peter,

this isn't possible because this is an isolated test environment (separated network @ home)

But on my laptop I encounter the same issues when using XAMP

JAT


Posted: Tue Sep 12, 2006 1:26 pm
Site Admin

Joined: Mon May 12, 2003 12:36 pm
Posts: 3091
Location: Rutsker, Bornholm, Denmark
You didn't have to modify function shead?

Are you sure you updated .htaccess to use REMOTE_USER instead of
REDIRECT_HTTP_AUTHORIZATION ?


Posted: Tue Sep 12, 2006 2:16 pm

Joined: Fri Feb 04, 2005 8:30 am
Posts: 475
Location: Belgium
Peter,

I didn't change anything to the shead function...

also, please include the content of the .htaccess file you're using
(looked into v2.6 fix 6 but it isn't included - or I must have overlooked it)

Thanks for the support

JAT


Posted: Tue Sep 12, 2006 2:55 pm
Site Admin

Joined: Mon May 12, 2003 12:36 pm
Posts: 3091
Location: Rutsker, Bornholm, Denmark
Please try with:

Code:
RewriteEngine on
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]


I did write documentation this time ;-)
http://www.cmsimple.dk/?Installer%27s_M ... thenticate

Also, please test the update of shead function in cms.php - I found docs on internet saying, that status headers should be used when CGI / FastCGI - on the test CGI servers I used it did give errors not using status.


Posted: Tue Sep 12, 2006 3:39 pm

Joined: Fri Feb 04, 2005 8:30 am
Posts: 475
Location: Belgium
Peter,

I got it working now... using the .htaccess as you indicated on your website
but I had to change the code to

Code:
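// Under CGI, rebuild PHP_AUTH_USER/PHP_AUTH_PW from the Authorization header copied into the environment by .htaccess
if((empty($_SERVER['PHP_AUTH_USER'])||empty($_SERVER['PHP_AUTH_PW']))&&isset($_SERVER['REDIRECT_REMOTE_USER'])&&preg_match('/^Basic /i', $_SERVER['REDIRECT_REMOTE_USER']))
{
   // limit 2 keeps a password containing ':' intact; array_pad avoids a notice when no ':' is present
   list($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW'])=array_pad(explode(':',base64_decode(substr($_SERVER['REDIRECT_REMOTE_USER'],6)),2),2,'');
}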


prefix REDIRECT_ is needed on my system

tested on my XAMP system
- PHP 5.0.5
- Apache 2.0.54
- Server API : CGI/FastCGI

JAT


Posted: Tue Sep 12, 2006 4:33 pm
Site Admin

Joined: Mon May 12, 2003 12:36 pm
Posts: 3091
Location: Rutsker, Bornholm, Denmark
Seems like it should also check "REDIRECT_REMOTE_USER" if "REMOTE_USER" is not set ...
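
The lookup order discussed above (PHP_AUTH_USER, then REMOTE_USER, then REDIRECT_REMOTE_USER), written out as an added example; it is not CMSimple's code or anything posted in this thread. The function names and the sample `$server` arrays are constructed for illustration, and `hash_equals()` assumes PHP 5.6 or later, which is newer than the PHP 5.0.5 system mentioned in the thread.

```php
<?php
// Added example, not CMSimple code. basic_credentials() and check_login() are
// hypothetical helper names; the $server arrays at the bottom are constructed.

// Return array(user, password) taken from the request environment, or null.
function basic_credentials(array $server)
{
    // mod_php fills these in itself; under CGI they are normally absent.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])
        && $server['PHP_AUTH_USER'] !== '') {
        return array($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']);
    }
    // Variables the thread's rewrite rules can produce. Apache adds the
    // REDIRECT_ prefix when the request passes through an internal redirect.
    $candidates = array('REMOTE_USER', 'REDIRECT_REMOTE_USER',
                        'HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION');
    foreach ($candidates as $key) {
        if (!isset($server[$key])
            || !preg_match('/^Basic\s+(\S+)\s*$/i', $server[$key], $m)) {
            continue;
        }
        $decoded = base64_decode($m[1], true);   // strict mode rejects junk input
        if ($decoded === false || strpos($decoded, ':') === false) {
            continue;
        }
        // Limit 2 keeps a password that itself contains ':' in one piece.
        return explode(':', $decoded, 2);
    }
    return null;
}

// Constant-time comparison, so response timing does not reveal how much matched.
function check_login($creds, $user, $password)
{
    if ($creds === null) {
        return false;
    }
    $userOk = hash_equals($user, $creds[0]);
    $passOk = hash_equals($password, $creds[1]);
    return $userOk && $passOk;
}

// Constructed sample: only the REDIRECT_-prefixed variable is set, as on the
// CGI/FastCGI test system described in the thread.
$server = array('REDIRECT_REMOTE_USER' => 'Basic ' . base64_encode('admin:s3:cret'));
$creds  = basic_credentials($server);
var_dump($creds);
var_dump(check_login($creds, 'admin', 's3:cret'));
var_dump(check_login(basic_credentials(array('REMOTE_USER' => 'Basic !!')), 'admin', 'x'));
```

With the rewrite rule in place the raw Authorization header is an ordinary environment variable, so phpinfo() output captured during an authenticated request contains the base64-encoded username and password and should be stripped of it before being shared.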


Posted: Wed Sep 13, 2006 8:43 am
Site Admin

Joined: Mon May 12, 2003 12:36 pm
Posts: 3091
Location: Rutsker, Bornholm, Denmark
JAT - please test on your system if fix7 is OK.


Posted: Wed Sep 13, 2006 11:02 am

Joined: Fri Feb 04, 2005 8:30 am
Posts: 475
Location: Belgium
Peter,

thanks, now the wwwauth seems to function on my development system (CGI/FastCGI)

JAT

