HTTP Authentication in PHP -- limit retries?
on 14.10.2007 15:08:39 by David Hennessy
Hi! Is there any way to limit the number of retries when using HTTP
authentication in PHP?
--
TIA,
David
David Hennessy wrote:
> Hi! Is there any way to limit the number of retries when using HTTP
> authentication in PHP?
>
No.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Post removed (X-No-Archive: yes)
Tom wrote:
> On Sun, 14 Oct 2007 06:08:39 -0700, David Hennessy wrote...
>> Hi! Is there any way to limit the number of retries when using HTTP
>> authentication in PHP?
>>
>
> I've seen lots of sites move to web forms instead of the usual pop-up gray login
> boxes that are normally used with HTTP authentication. IF you tried using that
> method you can probably keep track of IP address information and setup
> restrictions after so many retries.
That makes sense. Do you think it would be safe to say that HTTP
authentication is insecure, since it permits infinite retries?
--
Namaste,
David
David Hennessy wrote:
> Tom wrote:
>> On Sun, 14 Oct 2007 06:08:39 -0700, David Hennessy wrote...
>>> Hi! Is there any way to limit the number of retries when using HTTP
>>> authentication in PHP?
>>>
>>
>> I've seen lots of sites move to web forms instead of the usual pop-up
>> gray login
>> boxes that are normally used with HTTP authentication. IF you tried
>> using that
>> method you can probably keep track of IP address information and setup
>> restrictions after so many retries.
>
>
> That makes sense. Do you think it would be safe to say that HTTP
> authentication is insecure, since it permits infinite retries?
>
Not really. If the userid and password are sufficiently long and
random, the amount of time it will take to break them can be measured in
centuries. And if someone tries a brute force attack, you will notice
it if you're watching your logs.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
David Hennessy wrote:
> Hi! Is there any way to limit the number of retries when using HTTP
> authentication in PHP?
>
Despite what everyone else says, this is possible with PHP (though not
with Apache's built-in HTTP authentication, AFAIK).
Read this:
http://us2.php.net/manual/en/features.http-auth.php
The idea is that when the user first tries to access the document, you
send an HTTP 401 header. At this point, you can also keep track of this
as an "attempt" in whatever fashion you like (local database of IP
addresses, for example). Now, each time the user types a new password
you'll check it, and if it's wrong you'll send another 401 header. Keep
track of how many times this happens, and if the number of attempts
exceeds your limit, send a 403 (forbidden) instead of a 401.
Jeremy
Jeremy wrote:
> David Hennessy wrote:
>> Hi! Is there any way to limit the number of retries when using HTTP
>> authentication in PHP?
>>
>
> Despite what everyone else says, this is possible with PHP (though not
> with Apache's built-in HTTP authentication, AFAIK).
>
> Read this:
>
> http://us2.php.net/manual/en/features.http-auth.php
>
> The idea is that when the user first tries to access the document, you
> send an HTTP 401 header. At this point, you can also keep track of this
> as an "attempt" in whatever fashion you like (local database of IP
> addresses, for example). Now, each time the user types a new password
> you'll check it, and if it's wrong you'll send another 401 header. Keep
> track of how many times this happens, and if the number of attempts
> exceeds your limit, send a 403 (forbidden) instead of a 401.
Hi Jeremy,
Do you have a reference or an example to demonstrate this? I've
extensively consulted the URL you referenced, and don't see anything to
suggest the functionality you're describing. From my own tests, it
appears that the authentication challenge pop-up does not return to the
PHP script until the user either enters a correct password or hits
"cancel" -- so there's no place to interrupt until the authentication
bit is done. Am I misunderstanding?
--
Namaste,
David
"David Hennessy" wrote in message news:k8qdnVeMRfB-oIvanZ2dnUVZ_sbinZ2d@comcast.com...
> Jeremy wrote:
>> David Hennessy wrote:
>>> Hi! Is there any way to limit the number of retries when using HTTP
>>> authentication in PHP?
>>>
>>
>> Despite what everyone else says, this is possible with PHP (though not
>> with Apache's built-in HTTP authentication, AFAIK).
>>
>> Read this:
>>
>> http://us2.php.net/manual/en/features.http-auth.php
>>
>> The idea is that when the user first tries to access the document, you
>> send an HTTP 401 header. At this point, you can also keep track of this
>> as an "attempt" in whatever fashion you like (local database of IP
>> addresses, for example). Now, each time the user types a new password
>> you'll check it, and if it's wrong you'll send another 401 header. Keep
>> track of how many times this happens, and if the number of attempts
>> exceeds your limit, send a 403 (forbidden) instead of a 401.
>
>
> Hi Jeremy,
>
> Do you have a reference or an example to demonstrate this? I've
> extensively consulted the URL you referenced, and don't see anything to
> suggest the functionality you're describing. From my own tests, it appears
> that the authentication challenge pop-up does not return to the PHP script
> until the user either enters a correct password or hits "cancel" -- so
> there's no place to interrupt until the authentication bit is done. Am I
> misunderstanding?
That's just not true. PHP is right in the middle of it all. Yes, you are
misunderstanding.
Have fun with this:
<?php
// NTLM handshake driven entirely from PHP: every Authorization header the
// browser sends passes through this script, so each one can be counted.
// Note: this demo only decodes the Type 3 message and prints the names in it;
// it never verifies the NTLM response, so it must not be used as-is for access control.
$headers = apache_request_headers();
if (!isset($headers['Authorization']))
{
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: NTLM');
    exit;
}
$auth = $headers['Authorization'];
if (substr($auth, 0, 5) == 'NTLM ')
{
    $msg = base64_decode(substr($auth, 5));
    if (substr($msg, 0, 8) != "NTLMSSP\x00") { die('error header not recognized'); }
    if ($msg[8] == "\x01")   // Type 1 (negotiate): answer with a Type 2 challenge
    {
        $challenge = "NTLMSSP\x00\x02" .
            "\x00\x00\x00\x00" .                 // target name len/alloc
            "\x00\x00\x00\x00" .                 // target name offset
            "\x01\x02\x81\x01" .                 // flags
            "\x00\x00\x00\x00\x00\x00\x00\x00" . // challenge (all zero in this demo)
            "\x00\x00\x00\x00\x00\x00\x00\x00" . // context
            "\x00\x00\x00\x00\x30\x00\x00\x00";  // target info len/alloc/offset
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: NTLM ' . trim(base64_encode($challenge)));
        exit;
    }
    if ($msg[8] == "\x03")   // Type 3 (authenticate): read the security buffers
    {
        // A security buffer is 2-byte length, 2-byte alloc, 4-byte offset
        // (only the low 16 bits of the offset are read here).
        function get_msg_str($msg, $start, $unicode = true)
        {
            $len = (ord($msg[$start + 1]) * 256) + ord($msg[$start]);
            $off = (ord($msg[$start + 5]) * 256) + ord($msg[$start + 4]);
            $msg = substr($msg, $off, $len);
            return $unicode ? str_replace("\0", '', $msg) : $msg;
        }
        $user        = get_msg_str($msg, 36);
        $domain      = get_msg_str($msg, 28);
        $workstation = get_msg_str($msg, 44);
        echo print_r($msg, true) . "\n";
        print "You are $user from $domain/$workstation";
    }
}
?>
David Hennessy wrote:
> Jeremy wrote:
>> David Hennessy wrote:
>>> Hi! Is there any way to limit the number of retries when using HTTP
>>> authentication in PHP?
>>>
>>
>> Despite what everyone else says, this is possible with PHP (though not
>> with Apache's built-in HTTP authentication, AFAIK).
>>
>> Read this:
>>
>> http://us2.php.net/manual/en/features.http-auth.php
>>
>> The idea is that when the user first tries to access the document, you
>> send an HTTP 401 header. At this point, you can also keep track of
>> this as an "attempt" in whatever fashion you like (local database of
>> IP addresses, for example). Now, each time the user types a new
>> password you'll check it, and if it's wrong you'll send another 401
>> header. Keep track of how many times this happens, and if the number
>> of attempts exceeds your limit, send a 403 (forbidden) instead of a 401.
>
>
> Hi Jeremy,
>
> Do you have a reference or an example to demonstrate this? I've
> extensively consulted the URL you referenced, and don't see anything to
> suggest the functionality you're describing. From my own tests, it
> appears that the authentication challenge pop-up does not return to the
> PHP script until the user either enters a correct password or hits
> "cancel" -- so there's no place to interrupt until the authentication
> bit is done. Am I misunderstanding?
>
Yes, you are misunderstanding. Every time you enter a password, whether
it's correct or not, it is sent to the PHP script for validation.
Here's some pseudocode, using a session cookie to track number of
retries (which in practice, you probably shouldn't do):
// again, you probably shouldn't use a session mechanism
// for counting retries
<?php
// again, you probably shouldn't use a session mechanism
// for counting retries
session_start();
if (!isset($_SESSION["login_attempts"]))
{
    $_SESSION["login_attempts"] = 0;
}

// the $_SERVER keys for authentication only work under mod_php
// (and are absent on the very first, credential-less request)
$user = isset($_SERVER["PHP_AUTH_USER"]) ? $_SERVER["PHP_AUTH_USER"] : "";
$pw   = isset($_SERVER["PHP_AUTH_PW"])   ? $_SERVER["PHP_AUTH_PW"]   : "";

// valid_user is a hypothetical function that checks the l/p
if (!valid_user($user, $pw))
{
    // limit to 15 tries
    if ((++$_SESSION["login_attempts"]) > 15)
    {
        header("HTTP/1.1 403 Forbidden");
        // show error document here if you wish
    }
    else
    {
        header("HTTP/1.1 401 Authorization Required");
    }
    die;
}
// if your code makes it here, it should be a valid user
// so output your document.
?>
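A fuller version of the approach Jeremy describes in his two posts (401 on a wrong password, 403 once the limit is hit), as an added example that is not from any poster in this thread: Basic auth under mod_php with a per-client attempt counter kept in a file rather than a session, a lockout window, the WWW-Authenticate header sent with every 401, and a 403 without it so the browser stops prompting. The user list, the demo password, the counter directory and the constant names are constructed for this example; it assumes PHP 7 or later.

```php
<?php
// Added example, not thread code. Basic auth with a file-backed retry limit.
const MAX_ATTEMPTS    = 5;
const LOCKOUT_SECONDS = 900;
const COUNTER_DIR     = '/tmp/auth-attempts';   // assumed writable path

// Constructed credential store: username => password_hash() digest.
// (Hashing at request time is for the demo only; store precomputed digests in practice.)
$users = ['alice' => password_hash('demo-password', PASSWORD_DEFAULT)];
$dummy = password_hash('dummy', PASSWORD_DEFAULT);   // verified against for unknown users

// Hash the IP so IPv6 colons never reach the filesystem.
function counter_path(string $ip): string {
    return COUNTER_DIR . '/' . hash('sha256', $ip) . '.json';
}
// Load this client's counter; a record older than the lockout window starts over.
function load_attempts(string $ip): array {
    $f   = counter_path($ip);
    $rec = is_file($f) ? json_decode((string) file_get_contents($f), true) : null;
    if (!is_array($rec) || time() - (int) ($rec['first'] ?? 0) > LOCKOUT_SECONDS) {
        $rec = ['first' => time(), 'count' => 0];
    }
    return $rec;
}
function save_attempts(string $ip, array $rec): void {
    if (!is_dir(COUNTER_DIR)) { mkdir(COUNTER_DIR, 0700, true); }
    file_put_contents(counter_path($ip), json_encode($rec), LOCK_EX);
}
// 401 re-challenges the browser; 403 omits WWW-Authenticate so it stops prompting.
function respond(int $status): void {
    header('HTTP/1.1 ' . $status . ($status === 401 ? ' Unauthorized' : ' Forbidden'));
    if ($status === 401) { header('WWW-Authenticate: Basic realm="Restricted"'); }
    exit("HTTP $status\n");
}

$ip  = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
$rec = load_attempts($ip);
if ($rec['count'] >= MAX_ATTEMPTS) { respond(403); }   // already locked out

$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pw   = $_SERVER['PHP_AUTH_PW'] ?? '';
if ($user === '') { respond(401); }   // first request: no credentials yet, not an attempt
// Always run password_verify (against a dummy digest for unknown users) so a
// missing account cannot be told apart from a wrong password by timing.
$ok = password_verify($pw, $users[$user] ?? $dummy) && isset($users[$user]);
if (!$ok) {
    $rec['count']++; save_attempts($ip, $rec);
    respond($rec['count'] >= MAX_ATTEMPTS ? 403 : 401);
}
echo "Welcome, " . htmlspecialchars($user) . "\n";
```

Keying on REMOTE_ADDR means clients behind one NAT share a counter, and the file store is per server; a shared store (database or cache) is needed once more than one web node serves the realm.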
Jeremy wrote:
> David Hennessy wrote:
>> Jeremy wrote:
>>> David Hennessy wrote:
>>>> Hi! Is there any way to limit the number of retries when using HTTP
>>>> authentication in PHP?
>>>>
>>>
>>> Despite what everyone else says, this is possible with PHP (though
>>> not with Apache's built-in HTTP authentication, AFAIK).
>>>
>>> Read this:
>>>
>>> http://us2.php.net/manual/en/features.http-auth.php
>>>
>>> The idea is that when the user first tries to access the document,
>>> you send an HTTP 401 header. At this point, you can also keep track
>>> of this as an "attempt" in whatever fashion you like (local database
>>> of IP addresses, for example). Now, each time the user types a new
>>> password you'll check it, and if it's wrong you'll send another 401
>>> header. Keep track of how many times this happens, and if the number
>>> of attempts exceeds your limit, send a 403 (forbidden) instead of a 401.
>>
>>
>> Hi Jeremy,
>>
>> Do you have a reference or an example to demonstrate this? I've
>> extensively consulted the URL you referenced, and don't see anything
>> to suggest the functionality you're describing. From my own tests, it
>> appears that the authentication challenge pop-up does not return to
>> the PHP script until the user either enters a correct password or hits
>> "cancel" -- so there's no place to interrupt until the authentication
>> bit is done. Am I misunderstanding?
>>
>
> Yes, you are misunderstanding. Every time you enter a password, whether
> it's correct or not, it is sent to the PHP script for validation.
>
> Here's some pseudocode, using a session cookie to track number of
> retries (which in practice, you probably shouldn't do):
>
>
>
> // again, you probably shouldn't use a session mechanism
> // for counting retries
> session_start();
>
>
> // the $_SERVER keys for authentication only work under mod_php
> // valid_user is a hypothetical function that checks the l/p
> if(!valid_user($_SERVER["PHP_AUTH_USER"],
> $_SERVER["PHP_AUTH_PW"]))
> {
> // limit to 15 tries
> if((++$_SESSION["login_attempts"]) > 15)
> {
> header("HTTP/1.1 403 Forbidden");
> // show error document here if you wish
> }
> else
> {
> header("HTTP/1.1 401 Authorization Required");
> }
>
> die;
> }
>
> // if your code makes it here, it should be a valid user
> // so output your document.
> ?>
Oops - you also need the "WWW-Authenticate" header after the 401 header.
Check the PHP document link for details on that.
Jeremy