[pmwiki-users] Re: Secure Group with dbauth

François Bekaert fbekaert at gmail.com
Sat Aug 27 13:33:47 CDT 2005


Patrick R. Michaud <pmichaud <at> pobox.com> writes:

> 
> On Thu, Aug 25, 2005 at 06:37:18PM +0000, François Bekaert wrote:
> > Hello,
> > 
> > I want to secure a group of pages to users. I have the login and the
> > passwords crypted by md5 in a sql table. I wanted to know how I can do this:
> > 
> > - Whatever the page of this group asked, if the user is not logged in,
> > redirect to a login form.
> 
> First, let's assume you're using just authuser.php.  To force logins,
> you simply set the read password for the group to be "id:*".  This
> requires that a visitor be logged in before he/she is permitted to
> view the page (and redirects the visitor to a login page if not logged
> in).
> 

Ok, I edited the GroupAttributes?action=attr and put a * in the read field.

I put authuser and dbauth in my cookbook directory.

The group I want to protect is Test!

I've created a Test.php in the local directory with:
<?php
include_once('cookbook/dbauth.php');
include_once('cookbook/authuser.php');
?>

Test.HomePage asks me for a login and a password, which makes me think that
dbauth is recognized.

I am trying to make my tests without md5. So I configured a sql table with
2 "columns", login and pass. I tried this at the end of dbauth.php:
if (mysql_num_rows($result) > 0) {
    while ($r = mysql_fetch_assoc($result)) {
      // copy each row into $AuthUser, keyed by login
      $AuthUser[$r[$user]] = $r[$pass];
      echo "Password sended by dbauth for the login $r[$user]: $r[$pass]<br>";
    }
}

which gives this:
Password sended by dbauth for the login test1: test
Password sended by dbauth for the login test2: jYBF/bt9Up3EWKj0JBnvA1
Password sended by dbauth for the login test3: $1$z12.Av..$jYBF/bt9Up3EWKj0JBnvA1

The login test3 has a good password, which is the crypt("test",$c).

In authuser.php, I added 3 echo statements:

if (@$AuthUser[$id]) {
  foreach((array)($AuthUser[$id]) as $c) {
    // $c is the stored hash; crypt() reuses the salt embedded in it
    echo "Crypt of password :".crypt($pw, $c)."<br>";
    echo "Value of c : ".$c."<br>";
    if (crypt($pw, $c) == $c) {
      echo "login $id is authentificated";
      AuthenticateUser($id); return;
    }
  }
}

If I put test3 for login and test for pass, I get this:
Crypt of password :$1$z12.Av..$jYBF/bt9Up3EWKj0JBnvA1
Value of c : $1$z12.Av..$jYBF/bt9Up3EWKj0JBnvA1
login test3 is authentificated

I can also see that $GLOBALS['Authid'] is set to test3.

But my page stays the same and always asks me for a login and a pass!

Where am I wrong?

> Now then, for the sql component- could you send me an example
> md5-encrypted password record from the sql table?  It'd really help
> if you could send a corresponding cleartext password for the as well,
> but I can work with just the encrypted value.  With that information
> I can give you the code that will authenticate logins against the
> sql table (and I can possibly incorporate it directly into the
> authuser.php script).
> 
> Pm
> 
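
The crypt($pw, $c) == $c check from the post above, reworked as an added example that is not part of the original message or of PmWiki's authuser.php/dbauth.php: it rejects stored values that are not full crypt() strings, compares in constant time, and logs only the outcome. The names stored_format and check_login and the row test4 are hypothetical; PHP 7.1 or later is assumed.

```php
<?php
// Added example, not code from authuser.php or dbauth.php.
// stored_format() and check_login() are hypothetical helper names.

// Classify a stored value the way crypt() will interpret it.
function stored_format(string $stored): string {
    if (preg_match('/^\$2[abxy]\$\d\d\$[.\/A-Za-z0-9]{53}$/', $stored)) return 'bcrypt';
    if (preg_match('/^\$1\$[.\/A-Za-z0-9]{1,8}\$[.\/A-Za-z0-9]{22}$/', $stored)) return 'md5-crypt';
    return 'unrecognized'; // cleartext, bare digest, truncated or wrapped value
}

// Returns [authenticated, note]. Only full crypt() strings are accepted.
function check_login(string $pw, string $stored): array {
    $fmt = stored_format($stored);
    if ($fmt === 'unrecognized') {
        return [false, 'rejected: stored value is not a crypt() hash'];
    }
    // password_verify() re-hashes $pw with the salt embedded in $stored and
    // compares in constant time, unlike crypt($pw, $c) == $c.
    if (!password_verify($pw, $stored)) {
        return [false, "bad password ($fmt)"];
    }
    $note = $fmt === 'md5-crypt' ? 'ok, but rehash with password_hash()' : 'ok';
    return [true, $note];
}

// Constructed sample rows shaped like the three values printed in the post,
// plus one bcrypt row (test4) for comparison.
$rows = [
    'test1' => 'test',                          // cleartext
    'test2' => 'jYBF/bt9Up3EWKj0JBnvA1',        // digest part only, no "$1$salt$"
    'test3' => crypt('test', '$1$z12.Av..$'),   // full MD5-crypt string
    'test4' => password_hash('test', PASSWORD_BCRYPT),
];
foreach ($rows as $id => $stored) {
    [$ok, $note] = check_login('test', $stored);
    // Log the outcome only; never echo the stored value or the password.
    printf("%-6s %-7s %s\n", $id, $ok ? 'AUTH' : 'DENIED', $note);
}
```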







