Ravens PHP Scripts: Forums
 

 

dingfelder
Posted: Thu Dec 08, 2005 4:10 am

Pardon my ignorance, but can someone expand upon the difference between "Admin HTTPAuth" and "Admin CGIAuth"?

I'm up to the step in the instructions where I have to set HTTPAuth but it is not listed. :(

Is there something I can do to enable HTTPAuth? Or something my host can configure?

Cheers!

Ding
 
Raven
Posted: Thu Dec 08, 2005 8:07 am

HTTPAuth requires that PHP is compiled as an Apache module. This is due to needing access to certain variables that are not set when PHP is compiled as a CGI. Now, if you know/suspect that your PHP IS compiled as an Apache module and are still getting that message, then try this.

In ABMain.php
FIND
!stristr($_SERVER['SERVER_SOFTWARE'], "apache")

CHANGE TO
!stristr($_SERVER['SERVER_SOFTWARE'], "apache") AND !stristr($_SERVER['SERVER_SIGNATURE'], "apache")


Then, in functions.php
FIND
stristr($_SERVER['SERVER_SOFTWARE'], "Apache")

CHANGE TO
(stristr($_SERVER['SERVER_SOFTWARE'], "Apache") || stristr($_SERVER['SERVER_SIGNATURE'], "Apache"))

If HTTP Auth still does not show up in the drop down box, then you will have to use CGIAuth. I will be adding that in the next release of NukeSentinel(tm).


CGIAuth uses a different method to encode and check the id/pass. It must use a separate id/pass file (.staccess in this case). They both achieve the same goal but in different ways.
 
cacat
Posted: Thu Dec 08, 2005 11:40 am

i edited 1 file - .htaccess

Code:


# -----------------------------------------------------------------------------------------------------
# Leave this block commented out unless HTTPAuth is NOT available in your NukeSentinel(tm) Admin Panel.
# This code is mainly for use with CGI Authentication and most servers do not require it.
# -----------------------------------------------------------------------------------------------------
<Files admin.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /mypath/public_html/.staccess
</Files>
#


i just uncommented that section.
works like a charm
 
dingfelder







Posted: Thu Dec 08, 2005 1:41 pm

ok, sounds like I want either to use httpauth if it is available or else I need to wait for you to finish work on cgiauth.

I would prefer option 1 so I will ask my host if this is available.

I want to get it right on this install, because I have quite a few websites that I plan on upgrading to this distro. My plan is to take your base install, configure all the security settings to suit my admin needs, add the better menu, a photo gallery, a calendar, a "contact us" module, an "about us" module, and a donations module. I only want to do all that once, so I will then export the db and tar up the files. I can then drop it into other directories for new installs.

So, if my host does not offer httpauth, how long (ballpark guess) until the next version that includes cgiauth? and if you have any comments/improvements to my plan, I would love to hear them before I get too far.

Cheers!

Ding
 
Raven







Posted: Thu Dec 08, 2005 1:57 pm

Finish what work? It works right out of the box.
 
cacat







Posted: Thu Dec 08, 2005 2:58 pm

???

don't you read anything else but your posts and raven's?
cgi auth works FINE if you just remove the "#" at that specific section of the file .htaccess...

here it is for you again:

this is from the .htaccess file:



# -----------------------------------------------------------------------------------------------------
# Leave this block commented out unless HTTPAuth is NOT available in your NukeSentinel(tm) Admin Panel.
# This code is mainly for use with CGI Authentication and most servers do not require it.
# -----------------------------------------------------------------------------------------------------

<Files admin.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted"
AuthType Basic
AuthUserFile /mypath/public_html/.staccess
</Files>


let's count together: 1-2-3-4-5-6-7-8!!
8 lines to remove the # at the start of the line!

RTFM RTM
 
dingfelder







Posted: Thu Dec 08, 2005 3:01 pm

Quote:
Finish what work? It works right out of the box.


sorry, maybe I missed something. I was following the instructions for configuring the system, and at the point where it says to choose HTTPAuth, there is a note saying that if HTTPAuth is not there, to refer to the forums on how to configure CGIAuth.

Then, in your last post you said:

Quote:
If HTTP Auth still does not show up in the drop down box, then you will have to use CGIAuth. I will be adding that in the next release of NukeSentinel(tm).


So that is the *work* I meant.

I was planning on perusing the forums tonight to see what exactly would be involved in manually configuring CGIAuth in case the next release is a while off, but I have not even started looking at it yet.


Cacat, regarding your post:
Quote:
dont you read anything else but your posts and raven's?
cgi auth works FINE if you just remove the "#" at that specific section of the file .htaccess...

I was not sure what you meant, and am still a bit mystified... I have to assume you mean IF the host has configured their server to use php as an apache module and the UI is not displaying the httpAuth option in the dropdown list, your *fix* will work. Since the host may not have made this configuration, I don't see how changing the .htaccess file will change how the server works. Or am I missing something?


Cheers,

Ding
 
Raven







Posted: Thu Dec 08, 2005 3:21 pm

Raven wrote:
I will be adding that in the next release of NukeSentinel(tm).

What that meant was I will be adding the code correction to identify Apache as opposed to you having to patch it yourself. The CGI process is really very simple. Uncomment the code in .staccess as instructed. Make sure to chmod .staccess to 777. Then go to Admin Auth List and you should see a link to set up CGI. I think I stated it all. Try it and if you can't figure it out let us know. Sorry for the miscue ;)
 
cacat







Posted: Thu Dec 08, 2005 3:31 pm

i meant this:
there is no http auth in nuke sentinel's cpanel, so you are forced to choose one cgi auth or nothing. you choose cgi.

then--->

all you have to do , i mean ALL, for the cgi auth to work is to UNcomment those 8 lines.
no code to add, edit or to look for, no server config, no nuke modifications, nothing.

make sure it is selected in the nuke admin panel as well....

this "*FIX*" is not a fix, it is just the way it is meant to be. it was designed like this.

both work with .htaccess in similar but not 100% the same ways.
uncomment the ones for cgi and you are set.
that will be $50 - $15 for my time and $35 for raven's

thank you, drive thru
 
VinDSL
Posted: Thu Dec 08, 2005 5:04 pm

Don't take this the wrong way. It's not a severe criticism, or anything -- just adding to the conversation...

Whenever possible, I use cookie auth (session based auth). Personally, I feel more comfortable (as an admin) being able to control the session time-out length and so forth, and (as a user) being able to logout, which is a pain to handle with HTTP auth, you know? ;)

Raven







Posted: Thu Dec 08, 2005 5:58 pm

Vin,

I didn't take anything the wrong way. Setting HTTP Auth to log a user out is really not a pain. There are several ways to do it through the Header function.
 
VinDSL







Posted: Thu Dec 08, 2005 8:25 pm

Raven wrote:
Setting HTTP Auth to log a user out is really not a pain. There are several ways to do it through the Header function.

Heh! I wish the ppl at cPanel would figure that out!

Every time I use cPanel, to log out, I have to quit my browser. They provide a button, but this 'log off' function doesn't work with Firefox. How do you get around browser-specific issues like this?
 
VinDSL







Posted: Fri Dec 09, 2005 12:40 am

I just ran across this thread on another site. Perhaps this will make the point better...

Quote:
Raven (another Raven - not our Raven): Is it just me... or does the logout button not work in the CP? I'm using Firefox 1.0.

JonathanB: I've been using the family of Mozilla browsers for quite a while and I don't believe the logout button ever worked with those browsers.

sycopathman: I can't log out either.

VinDSL: All that button does is close your browser. You can do that manually, if you want to.

jason: CPanel uses HTTP authentication. Apache pretty much sums it up in their documentation with this:

Quote:
How do I log out?

Since browsers first started implementing basic authentication, website administrators have wanted to know how to let the user log out. Since the browser caches the username and password with the authentication realm, as described earlier in this tutorial, this is not a function of the server configuration, but is a question of getting the browser to forget the credential information, so that the next time the resource is requested, the username and password must be supplied again. There are numerous situations in which this is desirable, such as when using a browser in a public location, and not wishing to leave the browser logged in, so that the next person can get into your bank account.

However, although this is perhaps the most frequently asked question about basic authentication, thus far none of the major browser manufacturers have seen this as being a desirable feature to put into their products.

Consequently, the answer to this question is, you can't. Sorry.

CPanel does, however, get around this in webmail, where the logout link does work. I'm not exactly sure how they implement that, but I'm curious to find out.

Raven: At times I do login to the control panel from computers other than my personal one, so in reality it does make a difference to me. Wink But, I did assume that the logout did more than just close the browser window. Now that I know more about the situation, thanks to jason, I can let go of my worries.

VinDSL: Look, once you are authenticated, using basic auth, you stay authenticated as long as the browser is open. If you close the browser, manually or otherwise, you have to authenticate again. If you'll pardon the pun, this is 'basic authentication' 101...

All that button does is close your browser...

Here's the actual code:

Code:
<a href="#" onClick="self.close()"><img src="images/topbar_logout.gif" width="55" height="45" border="0"></a>


That button is just a convenience... a 'crutch', if you will... and that code doesn't work with Mozilla browsers...

Cookie authentication is a whole different matter. It doesn't matter if you close the browser or not. The cookie lives as long as it lives. Many times, it will live 'forever' (I've seen cookies that are set to expire in 2038). So, if you use a public terminal, like at work, ALWAYS make sure that you not only close the browser, but you delete all the cookies. Otherwise, you're leaving yourself wide open!

This is probably where you are confused, Raven... With cookie auth, when you logout, you are killing the cookie. You don't have to close the browser to kill the cookie. With 'basic auth', you cannot kill auth until you close the browser. In other words, you cannot logout using 'basic auth' the same way you do with cookies...

phluidphil: as a side note, if you *truly* want to logout of cpanel, make sure *ALL* mozilla browser windows are closed and associated e-mail programs. If you leave mozilla mail open it will still keep your basic auth. information in memory even if you have all mozilla browser windows closed.

This goes for all browsers and their associated email program. (Firefox, Mozilla, IE).


For me it's all about logging out -- well, that and some aesthetic considerations. HTTP auth looks pretty kludgey, as implemented in most browsers, you know? ;)


Last edited by VinDSL on Fri Dec 09, 2005 1:24 am; edited 1 time in total 
Raven







Posted: Fri Dec 09, 2005 1:15 am

I'm heading into bed right now but I have some code somewhere that sets an expire date so that the next time you try to go into admin.php (as an example) and HTTPAuth is active, it knows to reissue it. It's the same principle.
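
How a PHP-side HTTP Auth check with an expiry date and a logout can look, as an added example that is not Raven's code or NukeSentinel(tm) code. It covers both the point made earlier in the thread (PHP only sees the credentials, in PHP_AUTH_USER and PHP_AUTH_PW, when it runs as an Apache module) and the reissue-on-expiry idea above. The function names, realm, timeout and the sample credential store are assumptions.

```php
<?php
// Added example, not NukeSentinel(tm) code. Names, realm and timeout are assumptions.

// [user, pass] when PHP can see the Basic credentials, otherwise null.
// PHP sets PHP_AUTH_USER / PHP_AUTH_PW when it runs as an Apache module; under
// CGI, Apache normally does not hand the Authorization header to the script.
function basic_credentials(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    return null;
}

// Returns 'ok' or 'challenge'. $session keeps auth_until (expiry timestamp) and
// prompted (a 401 was issued and has not been answered with valid credentials).
function gate(array $server, array &$session, array $admins, int $now, int $ttl = 900): string
{
    $creds   = basic_credentials($server);
    $expired = ($session['auth_until'] ?? 0) < $now;
    if ($creds === null || ($expired && empty($session['prompted']))) {
        $session['prompted'] = true;      // reissue the 401 so the browser asks again
        return 'challenge';
    }
    [$user, $pass] = $creds;
    if (!isset($admins[$user]) || !password_verify($pass, $admins[$user])) {
        return 'challenge';
    }
    if ($expired) {
        $session['auth_until'] = $now + $ttl;   // fixed lifetime, set at login only
    }
    unset($session['prompted']);
    return 'ok';
}

if (PHP_SAPI !== 'cli') {
    session_start();
    // Constructed sample store; a real site would load stored hashes instead.
    $admins = ['demo_admin' => password_hash('constructed-sample-pass', PASSWORD_DEFAULT)];
    if (isset($_GET['logout'])) {
        unset($_SESSION['auth_until'], $_SESSION['prompted']);
        exit('Logged out.');
    }
    if (gate($_SERVER, $_SESSION, $admins, time()) !== 'ok') {
        header('WWW-Authenticate: Basic realm="Restricted"');
        header('HTTP/1.0 401 Unauthorized');
        exit('Authentication required.');
    }
    echo 'Admin area';
}
```

The re-prompt relies on the browser discarding its cached credentials when it receives a 401, which the Basic scheme does not require, so closing the browser remains the dependable way to end the session.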
 
VinDSL







Posted: Fri Dec 09, 2005 1:34 am

Here's some cuties! A whole page of solutions to the log out conundrum:

http://us3.php.net/features.http-auth

Specifically:

http://www.free-php.org/index.php?cat_select=HTTP&show=HTTP_Authentication

Isn't the web a fun place? I swear -- learn something new every day... :D
 
Raven







Posted: Fri Dec 09, 2005 6:02 am

And you saved me the trouble of having to dig mine up ;)
 
addy
Posted: Sat Dec 17, 2005 8:19 pm

Quote:

i edited 1 file - .htaccess


Where is the .htaccess file located? I'm wanting to take the plunge and activate this.
 
cacat







Posted: Sun Dec 18, 2005 1:44 am

root dir of your phpnuke
 
Raven







Posted: Sun Dec 18, 2005 5:56 am

addy wrote:
Quote:

i edited 1 file - .htaccess


Where is the .htaccess file located? I'm wanting to take the plunge and activate this.

You do not need .htaccess to use HTTP Auth. You do need it for CGIAuth.
 
addy







Posted: Sun Dec 18, 2005 12:22 pm

I'll be using CGIauth.

Was it not included in the 7.6 package? It might also be hidden so I'll check that as well...
 
Raven







Posted: Sun Dec 18, 2005 3:04 pm

CGI and HTTP Auth is a function of the Browser, so yes, it's included ;) Basically, here's what you do.

- Change your permissions on both .htaccess and .staccess to 777.
- Place the paths to .htaccess and .staccess in the Admin Control Panel
- Select CGI Auth Access
- From the NukeSentinel Admin Control Panel, select Scan For New Admins.
- Now select Admin Auth List and make sure that all admins have been assigned passwords.
- Now, you should see a link that says Build CGIAuth file: -- Click it. That will build your .staccess id:pass file.
- Now back in the main NS ACP, in the .staccess box, you will see a link that says CGI Auth Setup -- click it. It should produce a new window with the following information.
Save this in .htaccess :

# -------------------------------------------
# Start of NukeSentinel(tm) admin.php Auth
# -------------------------------------------
<Files .staccess>
deny from all
</Files>

<Files admin.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted by NukeSentinel(tm)"
AuthType Basic
AuthUserFile /home/USERNAME/public_html/.staccess
</Files>
# -------------------------------------------
# End of NukeSentinel(tm) admin.php Auth
# -------------------------------------------


USERNAME will be your username and the path may be different

- Copy and paste that into your .htaccess file.

That is the procedure. It sounds more complicated than what it is and I took you the long way around hoping you'd understand it.
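
A check to run once the steps above are done, as an added example that is not part of the original post or of NukeSentinel(tm). Apache applies directives inside a Limit block only to the methods listed there, the stock Apache rule that hides .ht* files does not cover the name .staccess, and mode 777 lets any local account rewrite the files. The helper name audit_cgiauth and the sample input are constructed for illustration.

```php
<?php
// Added example, not NukeSentinel(tm) code; audit_cgiauth() is a hypothetical helper.

// Returns findings for an .htaccess body plus the permission bits of both files.
function audit_cgiauth(string $htaccess, int $htMode, int $stMode): array
{
    $findings = [];
    $limit = null;          // method list of the <Limit> block we are inside, if any
    $inStaccess = false;    // inside <Files .staccess>
    $denied = false;        // .staccess itself is blocked from download
    foreach (preg_split('/\R/', $htaccess) as $raw) {
        $line = trim($raw);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        if (preg_match('/^<Limit\s+([^>]+)>/i', $line, $m)) {
            $limit = trim($m[1]);
        } elseif (preg_match('/^<\/Limit>/i', $line)) {
            $limit = null;
        } elseif (preg_match('/^<Files\s+"?\.staccess"?\s*>/i', $line)) {
            $inStaccess = true;
        } elseif (preg_match('/^<\/Files>/i', $line)) {
            $inStaccess = false;
        } elseif ($inStaccess && preg_match('/^(deny\s+from\s+all|require\s+all\s+denied)$/i', $line)) {
            $denied = true;
        } elseif ($limit !== null && preg_match('/^require\s/i', $line)) {
            $findings[] = "'$line' is enforced only for: $limit";
        }
    }
    if (!$denied) {
        $findings[] = 'no <Files .staccess> deny block: the password file may be served';
    }
    foreach (['.htaccess' => $htMode, '.staccess' => $stMode] as $name => $mode) {
        if ($mode & 0002) {
            $findings[] = sprintf('%s is world-writable (%04o)', $name, $mode & 07777);
        }
    }
    return $findings;
}

// Constructed sample: the first block posted in the thread, both files at 0777.
// For real files use file_get_contents($path) and fileperms($path).
$sample = <<<'HT'
<Files admin.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /mypath/public_html/.staccess
</Files>
HT;
print_r(audit_cgiauth($sample, 0777, 0777));
```

Placing require valid-user directly inside the Files block, without the Limit wrapper, makes it apply to every request method; the file modes can then be tightened to the narrowest setting under which the NukeSentinel(tm) panel can still write the files on your host.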
 
addy







Posted: Tue Dec 27, 2005 5:04 pm

Quote:

It should produce a new window with the following information.
Save this in .htaccess :

# -------------------------------------------
# Start of NukeSentinel(tm) admin.php Auth
# -------------------------------------------
<Files .staccess>
deny from all
</Files>

<Files admin.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted by NukeSentinel(tm)"
AuthType Basic
AuthUserFile /home/USERNAME/public_html/.staccess
</Files>
# -------------------------------------------
# End of NukeSentinel(tm) admin.php Auth
# -------------------------------------------

USERNAME will be your username and the path may be different


When I click to build it just flashes back to the same page - nothing pops up with that information. I have made sure my blockers are off and the path it recommended for the .htaccess and .staccess are the only ones the admin panel would take.
 
Raven







Posted: Tue Dec 27, 2005 8:00 pm

So just copy and paste the code above and modify it with your information.
 
addy







Posted: Tue Dec 27, 2005 10:08 pm

Any particular line in the .htaccess file or anywhere will do?

I'm also not following the username and path..

Quote:

/home/USERNAME/public_html/.staccess


I have the paths just as they were in the bundle so I'm guessing the only thing I should change is the admin user name in the middle?
 
Raven







Posted: Tue Dec 27, 2005 10:28 pm

Place that code, exactly as shown, at the beginning of .htaccess. The AuthUserFile /home/USERNAME/public_html/.staccess is the absolute path to your .staccess file, as shown in your NukeSentinel(tm) ACP.
 
All times are GMT - 6 Hours
 