#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2013
    Posts
    3
    Rep Power
    0

    Php authentication with apache2


    Hi
    I need to create a secure directory in my apache2.
    I have the directory /var/www/ with my login page and /var/www/secure/ with all the rest of my php, js and html.

    I send a login request and after a successful response I want to run the rest of my site from /var/www/secure/, so I call /var/www/secure/index.php from /var/www/login.php.

    All the paths in /var/www/secure/index.php are relative (to /var/www/secure/) but then I get an error (in the apache logs):
    “File does not exist: /var/www/scripts, referer: my_IP_Address/login.php”
    where the scripts directory is located at /var/www/secure/scripts, the same as /var/www/secure/index.php.

    My question is: why does the path remain /var/www/, as for the login.php file?
    How can I take care of the path once I have called /var/www/secure/index.php?

    Thanks
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Loyal (3000 - 3499 posts)

    Join Date
    Jul 2003
    Posts
    3,397
    Rep Power
    594
    Not enough information. What is your DocRoot? How are you accessing the secure area (URL)? What is your authentication method and how are you assuring the user is authenticated each time something in that directory is accessed? When an unauthenticated user tries to access the secure area how are they redirected to the login page, which has to be in the public area?
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
  4. #3
  5. Registered User
    hi

    The root is /var/www/
    Inside I have the index.html (with the login page) and the login.php, which sends the request to the server, checks the response and, if OK, calls /var/www/secure/index.php.

    I access the secure area using the username and password the user entered. This is the same password I gave my apache digest authentication. The URL looks like this:
    http://user_name:password@localhost:80/cgi_bin_directory/my_cgi_bin

    Authentication method: digest (apache). I return a token to the client and the client must use the token for the rest of the HTTP requests.

    Actually I don't have a redirect, the request just fails. I don't know how to do that.

    Thanks
  6. #4
  7. Contributing User
    Yikes, where to begin?

    1) Don't put the username and password in the URL. That and the word secure are mutually exclusive.
    2) You don't need to specify port 80 in the URL as that is the default.
    3) If your login page is in DocRoot why are you going to cgi-bin?
    4) This may actually be an Apache question but I don't know yet. Post your Apache config directive (sanitized as necessary) for the 'secure' directory.
  8. #5
  9. Registered User
    I build the URL on the fly as a result of what the user entered. How else can I access the secure area? I want the same authentication for apache and for my application (php and the server side).

    I'm using the apache cgi bin to send all HTTP requests to my server. The requests contain XML data and this is all I need, so the cgi bin is used as a pipe for the XML only.

    This is how I configured the apache authentication:
    <Directory /var/www/secure/>
    AllowOverride All
    AuthType Digest
    AuthName "Hellow"
    AuthDigestDomain /var/www/secure/

    AuthDigestProvider file
    AuthUserFile path_to_file/my_apache_password_file
    AuthGroupFile /dev/null
    Require user myUserName
    </Directory>

    Thank you very much
  10. #6
  11. Contributing User
    Access the secure area with just http://localhost/secure. The Apache directives will prompt the user for the authentication credentials and make sure the user is authenticated to access anything in that directory. You don't need any tokens or additional checking. That is the point of the directive.

    I'm not sure what you mean that cgi-bin sends all requests to your server. Are you trying to use cross domain authentication?

    As for your config:

    I think you want the last line to say
    Require valid-user

    Minor point:

    Since it is /dev/null the AuthGroupFile is unnecessary.

    The AuthDigestDomain directive looks weird. It should be a domain URI. I am guessing you really don't need it but I don't think it is causing your problem.
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
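
The changes suggested in post #6, applied to the configuration from post #5. This is an added example, not a configuration posted by either participant; it assumes DocRoot is /var/www/ (post #3), so the protected directory is reached as /secure/, and it keeps the placeholder password-file path from the thread.

```apache
# Added example: the <Directory> block from post #5 with the edits from post #6.
# Assumes DocumentRoot /var/www/ and that mod_auth_digest is enabled.
<Directory /var/www/secure/>
    AllowOverride All
    AuthType Digest

    # The realm name. Entries in the password file are bound to this exact
    # string (htdigest takes the realm as an argument), so changing it
    # invalidates the stored entries.
    AuthName "Hellow"

    # Posted as: AuthDigestDomain /var/www/secure/
    # The directive takes URIs as the browser sees them, not filesystem
    # paths. With DocumentRoot /var/www/ the protected space is /secure/.
    # Post #6 notes it can probably be left out altogether.
    AuthDigestDomain /secure/

    AuthDigestProvider file

    # Placeholder path from the thread. Keep this file outside the
    # DocumentRoot so it can never be served to a client.
    AuthUserFile path_to_file/my_apache_password_file

    # Posted as: AuthGroupFile /dev/null
    # Removed: no group is referenced by any Require line.

    # Posted as: Require user myUserName
    # valid-user admits any user listed in AuthUserFile for this realm,
    # instead of a single hard-coded account.
    Require valid-user
</Directory>
```

With this in place the browser is sent to http://localhost/secure and answers Apache's authentication prompt itself, so no user name or password has to be built into a URL.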
