Michelle Konzack wrote:
> Hello,
>
> I have at my hosting provider only 1 GByte of disk space and can install
> as many VHosts as I want. The problem is that I have "no access" to
> the OS for OS-level authentication.
>
> Currently I have
>
> ${CUSTOMERPATH}/htdocs/index.php
>
> which handles all VHosts and gets its config from directories like
>
> ${CUSTOMERPATH}/CONFIG_<vhost>.tamay-dogan.net/...
>
> in which I currently use files like
>
> <user>:<shadow_passwd>
>
> and then I use:
>
> ----[ STDIN ]-----------------------------------------------------------
> function login($user, $pass, $redirect) {
>
> if ($user != '' and $pass != '') {
>
> $SHADOW=exec("grep \"^$user:\" " . DIR_HOST . "/.shadow |cut -d: -f2");
> if (empty($SHADOW)) {
> header("Content-Type: text/html");
> die("<meta http-equiv=\"refresh\" content=\"5;$redirect\">\n<font
> size=\"+2\" color=\"red\"><b>Error</b></font><hr size=\"3\"
> noshade=\"noshade\">The username \"$user\" does not exist.");
> }
>
> $SALT=exec("grep \"^$user:\" " . DIR_HOST . "/.shadow |cut -d: -f2 |cut
> -d$ -f1-3");
> $ENCRYPTED=crypt($pass, $SALT);

Seems like a lot of pain to go through, what with all that shelling out to
grep data. I'd personally go for a simple DB table and use/store sha1() hashes.

> if ($SHADOW != $ENCRYPTED) {
> header("Content-Type: text/html");

text/html is the default content-type, why bother with this line?

> die("<meta http-equiv=\"refresh\" content=\"5;$redirect\">\n<font
> size=\"+2\" color=\"red\"><b>Error</b></font><hr size=\"3\"
> noshade=\"noshade\">Wrong password for user \"$user\".");

I'm not a fan of die()ing in this fashion. I would argue the function should
either return true or false and let the caller decide what to do (e.g. show a
login form again or something).

I'm not a fan of meta-refreshes either.

> }
> $TIME_NOW=date("U");
> $SESSID=exec("echo \"${user}${TIME_NOW}\" |md5sum |sed 's| .*||'");
> setcookie('TDSESSION', "$SESSID");
> setcookie('USER', $user);
> exec("echo '" . date("U") . " " . $user . "' >" . DIR_SESSIONS . "/" .
> $SESSID);

I smell a race condition or something ... also why go to all this trouble when
you could just use session_start() (and stick $TIME_NOW, $user, etc. in
$_SESSION)?

> }
> if (empty($redirect)) {
> $redirect="/";
> }
> header("Content-Type: text/html");
> die("<meta http-equiv=\"refresh\" content=\"0;$redirect\">");
> }
> ------------------------------------------------------------------------
>
> which is working properly...
>
> I like to know, whether this is good enough or is there a better
> solution?
>

There is always a better way ;-) ... the only real problem I envisage might be
related to file permissions on files in the DIR_SESSIONS dir ... given that this
stuff is in use, working, probably not protecting very sensitive data and the
fact that you're probably not going to get paid to change it ... I'd leave it
be and go have a beer or something :-)

> Thanks, Greetings and nice Day/Evening
> Michelle Konzack
> Systemadministrator
> 24V Electronic Engineer
> Tamay Dogan Network
> Debian GNU/Linux Consultant
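
An added example, not part of the original thread: one way to apply the suggestions above (return true/false, use session_start()) while keeping the `<user>:<shadow_passwd>` file from the post. The file is read in PHP, so `$user` is never interpolated into a shell command. `find_shadow_hash()` is a hypothetical helper name, and the fallback value for `DIR_HOST` is an assumption made only so the block runs on its own.

```php
<?php
// Added example. DIR_HOST and the "<user>:<shadow_passwd>" file format come
// from the original post; the fallback path below is an assumption.
defined('DIR_HOST') || define('DIR_HOST', __DIR__);

/**
 * Return the stored hash for $user, or null if the user is not listed.
 * Hypothetical helper: parses the file in PHP instead of calling grep/cut.
 */
function find_shadow_hash(string $file, string $user): ?string
{
    $lines = @file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return null;                       // file missing or unreadable
    }
    foreach ($lines as $line) {
        $fields = explode(':', $line);
        // Exact string match on the first field, no pattern matching.
        if (count($fields) >= 2 && $fields[0] === $user && $fields[1] !== '') {
            return $fields[1];
        }
    }
    return null;
}

/**
 * Return true on success and false otherwise, so the caller decides
 * whether to redirect or show the login form again.
 */
function login(string $user, string $pass): bool
{
    if ($user === '' || $pass === '') {
        return false;
    }
    $stored = find_shadow_hash(DIR_HOST . '/.shadow', $user);
    // Unknown user and wrong password give the same result to the caller.
    // password_verify() accepts crypt()-format hashes and compares them
    // in constant time.
    if ($stored === null || !password_verify($pass, $stored)) {
        return false;
    }
    session_start();                       // PHP manages the session store
    session_regenerate_id(true);           // new session id after login
    $_SESSION['user'] = $user;
    $_SESSION['login_time'] = time();
    return true;
}
```

The caller would then do something like `if (login($u, $p)) { header('Location: /'); exit; }` and otherwise render the form again.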