// Allowed REMOTE_USER values when the web server has already authenticated
// the request (assumed definition: the posted snippet never sets it).
$user_allowed = array('all');
// Plain-text credentials inside the script itself; this is the part the thread objects to.
define('USERNAME', 'administrator');
define('PASSWORD', 'temporary_Password:01');
if (!empty($_SERVER['AUTH_TYPE']) && !empty($_SERVER['REMOTE_USER']) && strcasecmp($_SERVER['REMOTE_USER'], 'anonymous')) {
    // The web server (e.g. Apache) has already authenticated the user; check the allow list.
    if (!in_array(strtolower($_SERVER['REMOTE_USER']), array_map('strtolower', $user_allowed)) && !in_array('all', array_map('strtolower', $user_allowed))) {
        echo 'You are not authorised to view this page.';
        exit;
    }
} else if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) || $_SERVER['PHP_AUTH_USER'] != USERNAME || $_SERVER['PHP_AUTH_PW'] != PASSWORD) {
    // Otherwise fall back to HTTP Basic auth handled by PHP itself.
    header('WWW-Authenticate: Basic realm="XenForo Administrator Login"');
    header('HTTP/1.0 401 Unauthorized');
    exit;
}
Just let .htaccess / .htpasswd deal with it. Btw, there's a security exploit with that code you posted.
Anyway;
Code:
AuthName "admincp"
AuthType Basic
AuthUserFile /home/floris/private/.htpasswd
AuthGroupFile /dev/null
<Files admin.php>
require valid-user
</Files>
I misread the code, I am sure it's fine. It scrolled weird for me, overlooked something.
.htaccess/.htpasswd can be used by Windows too btw. I am sure Apache works on Windows.
It's no longer referenced, it's very old.
Don't want this thread to get too technical, but AFAIK $_SERVER['REMOTE_USER'] doesn't even exist...
http://www.php.net/manual/en/reserved.variables.server.php
It's a security issue that the pass is in the PHP code, in plain text, on its own. But like you said, it's old code, and I am sure you're wise enough to not use it.
If you don't use .htaccess/.htpasswd, store the data hashed with a unique salt per user, in the database. This also grants you lots more control over the people that can and cannot log in, and you can apply tricks, so spoofing a host is a lot harder.
I wish there was a magic wand which did the updating for me :/
Compared to the code you posted above, I totally believe you
$salt = "L3549155"; // this is taken from site.config.php (software configuration file)
// Per-user value stored with the account row. The posted line assigned the query text
// itself to $userhash; it has to be the fetched column. $db is assumed to be a PDO handle.
$userhash = $db->query("SELECT hash FROM " . $db_config['tbl_user'] . " WHERE username = '" . $u . "'")->fetchColumn();
// Note: $u and $p are concatenated straight into SQL here, so they must be escaped or bound.
$sql = "SELECT * FROM " . $db_config['tbl_user'] . " WHERE username = '" . $u . "' AND userpassword = '" . md5($salt . $p . $userhash) . "'";
vrtsolus, I was wondering. Do you mean that you hash it twice with two separate salts? Or that you only hash it once with the two separate salts? I'm a little confused.
md5($salt.$p.$userhash);        // one round: site salt, password and per-user value concatenated
md5($salt.md5($userhash.$p));   // two rounds: inner hash of per-user value and password, outer hash with the site salt
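Added example, not code from the thread, from vrtsolus or from XenForo: the two md5 constructions discussed above side by side with the per-user-salted database storage suggested earlier in the thread, checked against a constructed in-memory SQLite user table. The site-wide secret is kept as SITE_SALT (standing in for the value read from site.config.php), the per-user value is stored in an assumed usersalt column, and the table name xf_user, the helper names and the password_hash() replacement are all assumptions for the illustration.

```php
<?php
declare(strict_types=1);

// Site-wide secret; stands in for the $salt the thread reads from site.config.php.
const SITE_SALT = 'L3549155';

// Thread scheme A: md5($salt . $p . $userhash), one round.
function legacy_hash_a(string $p, string $usersalt): string {
    return md5(SITE_SALT . $p . $usersalt);
}

// Thread scheme B: md5($salt . md5($userhash . $p)), two rounds.
// Either can work, but the stored value must be produced by the same one.
function legacy_hash_b(string $p, string $usersalt): string {
    return md5(SITE_SALT . md5($usersalt . $p));
}

// Constructed user table (assumed layout): one row, a unique salt stored beside the hash.
function build_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE xf_user (username TEXT PRIMARY KEY, usersalt TEXT, userpassword TEXT)');
    $usersalt = bin2hex(random_bytes(16));                       // unique salt per user
    $stored   = legacy_hash_b('temporary_Password:01', $usersalt);
    $stmt = $db->prepare('INSERT INTO xf_user (username, usersalt, userpassword) VALUES (?, ?, ?)');
    $stmt->execute(['administrator', $usersalt, $stored]);
    return $db;
}

// Parameterised lookup: the username is bound, never concatenated into the SQL
// string as in the quoted snippet, so "' OR '1'='1" is simply an unknown user.
// hash_equals() compares in constant time instead of letting the database do it.
function legacy_login(PDO $db, string $u, string $p): bool {
    $stmt = $db->prepare('SELECT usersalt, userpassword FROM xf_user WHERE username = ?');
    $stmt->execute([$u]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return hash_equals($row['userpassword'], legacy_hash_b($p, $row['usersalt']));
}

// Modern replacement: password_hash() generates and embeds its own per-user salt and
// uses a slow, tunable algorithm, so a single fast md5 round is no longer the barrier.
function modern_set_password(PDO $db, string $u, string $p): void {
    $stmt = $db->prepare('UPDATE xf_user SET userpassword = ?, usersalt = NULL WHERE username = ?');
    $stmt->execute([password_hash($p, PASSWORD_DEFAULT), $u]);
}

function modern_login(PDO $db, string $u, string $p): bool {
    $stmt = $db->prepare('SELECT userpassword FROM xf_user WHERE username = ?');
    $stmt->execute([$u]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($p, $row['userpassword']);
}

$db = build_db();
var_dump(legacy_login($db, 'administrator', 'temporary_Password:01'));
var_dump(legacy_login($db, 'administrator', 'wrong'));
var_dump(legacy_login($db, "' OR '1'='1", 'wrong'));
modern_set_password($db, 'administrator', 'temporary_Password:01');
var_dump(modern_login($db, 'administrator', 'temporary_Password:01'));
```

Run it with the PDO SQLite driver enabled; the first and last checks succeed, the two in between fail. Swapping legacy_hash_b for legacy_hash_a in both build_db() and legacy_login() gives the same result with the one-round construction, which is the difference the question above is asking about.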
<Files admin.php>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /misc/.htpasswd
Require valid-user
</Files>