
Protecting Admin CP with HTTP auth

Discussion in 'XenForo Pre-Sales Questions' started by Boothby, Aug 14, 2010.

  1. Boothby

    Boothby Active Member

    I protect my admincp with HTTP authentication. Is this still possible with XenForo?
  2. Mike

    Mike XenForo Developer Staff Member

    Yes, though the rule is a bit different as it's on a particular file.
  3. Shamil

    Shamil Well-Known Member

    I suppose one could use this:

    define('USERNAME', 'administrator');
    define('PASSWORD', 'temporary_Password:01'); // credential stored in plain text in the script itself
    $user_allowed = array('administrator');      // users accepted once the web server has already authenticated them
    if (!empty($_SERVER['AUTH_TYPE']) && !empty($_SERVER['REMOTE_USER']) && strcasecmp($_SERVER['REMOTE_USER'], 'anonymous')) {
        if (!in_array(strtolower($_SERVER['REMOTE_USER']), array_map('strtolower', $user_allowed)) && !in_array('all', array_map('strtolower', $user_allowed))) {
            echo 'You are not authorised to view this page.';
            exit;
        } elseif (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) || $_SERVER['PHP_AUTH_USER'] != USERNAME || $_SERVER['PHP_AUTH_PW'] != PASSWORD) {
            header('WWW-Authenticate: Basic realm="XenForo Administrator Login"');
            header('HTTP/1.0 401 Unauthorized');
            exit; // stop here so nothing below runs for an unauthenticated request
        }
    }
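As an added example (not the code posted above and not XenForo code), here is the same HTTP Basic gate for admin.php written so that no plain-text password sits in the source: credentials are a map of username to a `password_hash()` digest, comparison goes through `password_verify()`, and the request is terminated after the 401. The credential file path in the comment is an assumption; for a stand-alone run the hash is generated on load, which a real deployment would not do.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread. Basic-auth gate for admin.php without a
// plaintext password in the script. Assumes the real credential map is kept in
// a file outside the web root, e.g. /home/example/private/admin_auth.php (made-up path).

// username => bcrypt hash. For this self-contained demo the hash is generated on
// load; in deployment run password_hash() once and paste the resulting string here.
function load_credentials(): array
{
    return [
        'administrator' => password_hash('change-me-before-use', PASSWORD_DEFAULT),
    ];
}

function check_basic_auth(array $credentials, ?string $user, ?string $pass): bool
{
    if ($user === null || $pass === null || !isset($credentials[$user])) {
        // Unknown user: still do one verify so the response time does not
        // reveal which usernames exist.
        password_verify((string) $pass, password_hash('placeholder', PASSWORD_DEFAULT));
        return false;
    }
    // password_verify() compares in constant time and reads the salt from the stored hash.
    return password_verify($pass, $credentials[$user]);
}

function require_basic_auth(): void
{
    $user = $_SERVER['PHP_AUTH_USER'] ?? null;
    $pass = $_SERVER['PHP_AUTH_PW'] ?? null;
    if (!check_basic_auth(load_credentials(), $user, $pass)) {
        header('WWW-Authenticate: Basic realm="XenForo Administrator Login"');
        http_response_code(401);
        echo 'Authentication required.';
        exit; // nothing below this point runs for an unauthenticated request
    }
}

require_basic_auth();
// ... the admin page proper would follow here, reached only after the gate above.
```

`PHP_AUTH_USER` and `PHP_AUTH_PW` are populated by Apache's mod_php; under CGI or FastCGI the Authorization header is not passed through by default and has to be enabled (Apache 2.4.13+ has `CGIPassAuth On`; older setups typically used a RewriteRule to copy the header into an environment variable), so check `$_SERVER` on the target SAPI before relying on this.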
  4. Floris

    Floris Guest

    Just let .htaccess / .htpasswd deal with it.

    AuthName "admincp"
    AuthType Basic
    AuthUserFile /home/floris/private/.htpasswd
    AuthGroupFile /dev/null
    <Files admin.php>
    require valid-user
    </Files>
  5. Shamil

    Shamil Well-Known Member

    That works on Linux; for Windows people, they could protect it by using IIS' basic auth mechanism. Floris, can you PC me with details of the exploit?
  6. Floris

    Floris Guest

    I misread the code, I am sure it's fine. It scrolled weird for me, overlooked something.

    .htaccess/.htpasswd can be used by Windows too, btw. I am sure Apache works on Windows.
  7. Shamil

    Shamil Well-Known Member

    Phew, I was going to scream. (It's the standard script login issue for a few admin pages on a few of my sites.)
    I keep forgetting that people use Apache on Windows. I'm going to try it, some day.
  8. Erik

    Erik Well-Known Member

  9. Shamil

    Shamil Well-Known Member

  10. Floris

    Floris Guest

    It's a security issue that the pass is in the PHP code, in plain text, on its own. But like you said, it's old code, and I am sure you're wise enough to not use it.
  11. Shamil

    Shamil Well-Known Member

    Yeah, I'm slowly updating the remaining sites which use that code. The new system uses an AJAX login. More secure and easier.
  12. Floris

    Floris Guest

    If you don't use .htaccess/.htpasswd, store the data hashed with a unique salt per user in the database. This also grants you lots more control over the people that can and cannot log in, and you can apply tricks so spoofing a host is a lot harder.
  13. Andy Huang

    Andy Huang Well-Known Member

    The .htaccess method offers another benefit: the ability to share SSO with SVN, MediaWiki, and any other applications you may use that support .htaccess-type authentication :)
  14. Shamil

    Shamil Well-Known Member

    Yep, I'm using nearly the same mechanism as I thought vB was using. The intranet software uses two salts, one user-specific and the other site-instance-specific.
  15. Floris

    Floris Guest

    Compared to the code you posted above, I totally believe you :)
  16. Shamil

    Shamil Well-Known Member

    I wish there was a magic wand which did the updating for me :/

    $salt = "L3549155"; // this is taken from site.config.php (software configuration file)
    // $u (username) and $p (password) are concatenated straight into the query text
    $userhash = "SELECT hash FROM ".$db_config['tbl_user']." WHERE username = '".$u."'";
    $sql = "SELECT * FROM ".$db_config['tbl_user']." WHERE username = '".$u."' AND userpassword = '".md5($salt.$p.$userhash)."'";

    My method of authentication isn't the best, but I'm currently looking at the main functionality.

    Back on topic though, it is possible.
  17. Ben Davis

    Ben Davis Active Member

    vrtsolus, I was wondering. Do you mean that you hash it twice with two separate salts? Or that you only hash it once with the two separate salts? I'm a little confused.
  18. Shamil

    Shamil Well-Known Member

    This is what I do:

    where $userhash is the defined hash for that specific user.

    I did consider

  19. Floris

    Floris Guest

    If you have a secret password, and hash it.
    If you have a secret salt, and hash it.

    It's the same.

    A hash, without a salt.

    Rainbow table the md5 and you get the secret salt (or secret pass) ..

    So you need to have a unique salt for the hash, not hash the unique salt.

    And that's how vBulletin basically did it:

    md5(md5(md5('password') . user.salt) . licensenumber)
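To make the salting point above concrete, here is an added example (not code from the thread, from vBulletin or from XenForo) that puts the three schemes side by side: hashing a fixed site secret with the password, the vBulletin-style per-user salt quoted above, and PHP's `password_hash()`. It also does the user lookup from Shamil's snippet with a bound parameter instead of string concatenation. It runs stand-alone against an in-memory SQLite database through PDO (assumes the pdo_sqlite extension); the `users` table, its columns and the sample passwords are made up for the demo, and "L3549155" is the sample secret from the thread.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread. Assumes PDO with pdo_sqlite; table and
// column names are invented for the demo.

// Hashing a fixed site secret with the password is not salting: every user with
// the same password gets the same digest, so one precomputed (rainbow) table
// covers all of them. 'L3549155' is the sample value posted above.
function legacy_digest(string $password, string $site_secret = 'L3549155'): string
{
    return md5($site_secret . $password);
}

// The vBulletin-style scheme quoted above: a random per-user salt is folded into
// the hash, so two users with the same password get different digests.
function vb_style_digest(string $password, string $user_salt, string $licence): string
{
    return md5(md5(md5($password) . $user_salt) . $licence);
}

// What current PHP provides: password_hash() generates a random salt and uses a
// slow algorithm (bcrypt by default), storing salt and parameters in the result.
function register_user(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $db, string $username, string $password): bool
{
    // Parameterised query: the username is bound, never spliced into the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: still run a verify so timing does not reveal which usernames exist.
        password_verify($password, password_hash('placeholder', PASSWORD_DEFAULT));
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
register_user($db, 'alice', 'correct horse battery');
register_user($db, 'bob',   'correct horse battery');

$results = [];
// Same password plus fixed secret: alice and bob would share one digest.
$results['fixed secret collides'] =
    legacy_digest('correct horse battery') === legacy_digest('correct horse battery');
// Same password with a random per-user salt: the digests differ.
$saltA = bin2hex(random_bytes(8));
$saltB = bin2hex(random_bytes(8));
$results['per-user salt collides'] =
    vb_style_digest('correct horse battery', $saltA, 'LIC') === vb_style_digest('correct horse battery', $saltB, 'LIC');
// password_hash() salts on every call, so the two stored rows differ as well.
$rows = $db->query('SELECT password_hash FROM users ORDER BY username')->fetchAll(PDO::FETCH_COLUMN);
$results['stored bcrypt collides'] = $rows[0] === $rows[1];
// Login checks, including a username containing SQL metacharacters, which the
// bound parameter treats as a plain literal that matches no row.
$results['alice correct password'] = login($db, 'alice', 'correct horse battery');
$results['alice wrong password']   = login($db, 'alice', 'not the password');
$results['quoted username']        = login($db, "alice' OR '1'='1", 'anything');

foreach ($results as $label => $value) {
    printf("%-26s %s\n", $label, $value ? 'true' : 'false');
}
```

The first check is the rainbow-table problem in one line: with only a fixed secret, every account sharing a password shares a digest, so breaking one breaks them all. The per-user salt and `password_hash()` rows show why "unique salt for the hash" is the requirement; the final lookup shows that the SQL concatenation in the earlier snippet is a separate defect, fixed by binding the username rather than quoting it by hand.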
  20. Brogan

    Brogan XenForo Moderator Staff Member

    I just had my IP server blocked by my host due to exceeding the number of attempts whilst trying to get password protection on my admin.php :D

    As far as I can see everything looks correct but it just won't work :confused:

    What is the path for the AuthUserFile?
    Is it relative to the .htaccess or static from the server root?

    I have this in my .htaccess file which is in the same directory as admin.php:

    <Files admin.php>
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /misc/.htpasswd
    Require valid-user
    </Files>

    And then in the /misc directory (which is under my domain root - cliptheapex.com/misc), I have the .htpasswd file.

    It just won't work though and I've tried every path I can think of: home/misc, ../misc, /misc, etc.
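The point the path question turns on is that `AuthUserFile` takes a filesystem path, not a URL path: an absolute value is taken from the filesystem root, and a relative value is resolved against Apache's ServerRoot, so a password file that lives at `<document root>/misc/.htpasswd` on disk is not found by `/misc/.htpasswd`. The following is an added example (not from the thread) of a complete `.htaccess` for this case; the document root `/home/example/public_html` and the private directory `/home/example/private` are assumed names, and the second block is only needed if the file has to stay under the web root.

```apache
# Added example. Assumes document root /home/example/public_html and that the
# password file was created with:  htpasswd -c /home/example/private/.htpasswd admin
# Keeping it outside the document root means the web server can never serve it.
<Files "admin.php">
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /home/example/private/.htpasswd
    Require valid-user
</Files>

# Only if the file must live under the document root, e.g. at
# /home/example/public_html/misc/.htpasswd: then AuthUserFile needs that full
# filesystem path, and web access to the file itself should be refused.
# (Apache 2.4 syntax; 2.2 would use "Order allow,deny" / "Deny from all".)
<Files ".htpasswd">
    Require all denied
</Files>
```

If the host's error log is reachable, a wrong `AuthUserFile` shows up there as "Could not open password file", which separates a path problem from a wrong username or password in the file.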
