[TAG] Two Cent Tip: "Remote" authentication with PHP

Lew Pitcher lpitcher at sympatico.ca
Sat Jun 5 04:09:43 MSD 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Guys

Here's another contribution. Hopefully, you can publish it as a 'two cent tip'

....

As part of a PHP web app I'm playing with, I needed to authenticate the web 
client user with a remote system. Unfortunately, this system is a mainframe 
and setting up a web-enabled authentication product on it is somewhat 
time-consuming and requires a lot of administrivia. I wanted to avoid all 
that, so I had to come up with another way to authenticate web users 
remotely.

The one TCP/IP networked app our mainframe has available is FTP. Now, the FTP 
protocol implements security processes with the 'USER' and 'PASS'word 
commands, and our host security people have ensured that the host FTP server 
requires these two functions. In our case, the 'USER' and 'PASS' functions on 
the server interface with the ACF2 security system to validate that the given 
userid and password combination are correct, and will not let an FTP 
connection in if they aren't.

I use this little tidbit of information to let me authenticate web users of my 
Linux box by forcing their web browsers to pop up the Authentication panel, 
and sending their entered userid and password information to the host in an 
FTP 'USER' and 'PASS'word command sequence. If the host's FTP rejects the 
sequence, then the user isn't authorized, but if the host's FTP accepts the 
sequence, then the user is valid to the host. In either case, I don't 
actually transfer files over the FTP link; I simply close it unused. I only 
need it for the authentication.

Neat or what?

Here's an example PHP script that demonstrates the process. It needs an
ftp server in order to work, and is (for demonstration purposes) set up to 
talk to the ftp server at localhost...

<?php

  /*
  ** LoginPrompt() sends headers and html with the intent of
  ** inducing the web-browser to display its built-in userid/password
  ** prompt.
  ** It sends a WWW-Authenticate header to give the authentication specs,
  **          a HTTP 401 on the current page requested by the browser, and
  **          a dummy HTML page to be displayed if the user cancels the
  **            login prompt
  ** It then exits, causing php to terminate the current transaction
  ** without further output
  */
  function LoginPrompt($URL)
  {
    /* force the login popup to show up */
    header("WWW-Authenticate: Basic realm=\"System Login\"");
    header("HTTP/1.0 401 Unauthorized");

    /* if the user hits Cancel, send him to a place he can't hurt us from */
    echo "<meta HTTP-EQUIV=\"Refresh\" CONTENT=\"0; URL=$URL\">";

    exit;
  }

  /* PHP only fills these in after the browser has answered a Basic-auth
  ** challenge; test with isset() so the first visit does not raise an
  ** undefined-index notice */
  $userid = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
  $passwd = isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : '';

  $validuser = "no";

  if ($userid !== '' && $passwd !== '')
  {

    /* connect to FTP server, see if it accepts the given userid & password */
    $conn = ftp_connect("localhost") or die("Can't connect");
    /* the '@' hides the warning ftp_login() emits when the host rejects the pair */
    if (@ftp_login($conn,$userid,$passwd))  $validuser = "yes";
    ftp_close($conn);  /* never used for a transfer; the USER/PASS exchange was the point */

    if ($validuser == "no") /* bad user - try the login again */
      LoginPrompt("http://www.php.net/manual/en/features.http-auth.php");
  }
  else /* first time into this page - force the 1st login prompt */
    LoginPrompt("http://www.php.net/manual/en/features.http-auth.php");

  phpinfo();

?>


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAwQ9HagVFX4UWr64RAiaMAKDTLmaKTkxSQQJ3RmYTO0GXP3P5oQCgpS3B
wWDmZ3k25kC3bNVIZD7zMRQ=
=lmXt
-----END PGP SIGNATURE-----
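The script in the post above sends the browser's Basic-auth credentials to the FTP server in cleartext on both legs (Basic auth only base64-encodes the password, and plain FTP sends USER/PASS unencrypted). The following is an added example, not code from the original post, showing the same "FTP login as an authentication oracle" idea with the checks a practitioner would want around it: it refuses to run unless the browser connection is HTTPS, uses explicit FTPS (`ftp_ssl_connect`, which sends AUTH TLS and needs an FTP server that supports it), bounds the connect timeout, fails closed when the host is unreachable, rejects control characters that could smuggle an extra FTP command line, and logs each success and failure (username and client address, never the password) so a monitoring team can spot password-guessing against the oracle. The host name, realm and log destination are placeholders; `http_response_code()` needs PHP 5.4 or later.

```php
<?php
/*
 * Added example (not from the original post): a hardened variant of the
 * FTP-login authentication oracle. AUTH_FTP_HOST is a placeholder and the
 * log lines go wherever PHP's error_log() is configured to write.
 */

const AUTH_FTP_HOST = 'ftp.example.invalid';   /* placeholder, not a real host */
const AUTH_REALM    = 'System Login';
const AUTH_TIMEOUT  = 10;                       /* seconds; a slow mainframe must not stall the web app */

/* Make a username safe to put in a single log line (no CR/LF or other control chars). */
function log_safe($s)
{
    return preg_replace('/[^\x20-\x7e]/', '?', (string) $s);
}

/*
 * Ask the FTP server whether $user/$pass is a valid combination.
 * Explicit FTPS (AUTH TLS) keeps the password off the wire in cleartext
 * between the web server and the host; the FTP server must support it.
 * Returns true only when ftp_login() succeeds; no files are ever transferred.
 */
function ftp_credentials_valid($host, $user, $pass, $timeout = AUTH_TIMEOUT)
{
    /* CR/LF inside a USER or PASS argument would be read by the FTP server
     * as the end of that command and the start of another; reject it here. */
    if (preg_match('/[\x00-\x1f\x7f]/', $user . $pass)) {
        return false;
    }

    $conn = @ftp_ssl_connect($host, 21, $timeout);
    if ($conn === false) {
        error_log("auth: cannot reach FTP host $host");
        return false;   /* fail closed: an unreachable oracle means no login */
    }

    $ok = @ftp_login($conn, $user, $pass);   /* '@' hides the warning on a rejected pair */
    ftp_close($conn);                         /* the session was only needed for USER/PASS */
    return $ok === true;
}

/* Send the Basic-auth challenge and stop; the browser re-requests with credentials. */
function send_login_challenge($realm)
{
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    http_response_code(401);
    exit("Authentication required.");
}

/*
 * Returns the authenticated userid, or does not return at all (401 / 403 sent).
 * Basic auth merely base64-encodes the password, so the exchange is refused
 * unless the browser connection itself is HTTPS.
 */
function require_ftp_authenticated_user($host, $realm)
{
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        http_response_code(403);
        exit("This page must be accessed over HTTPS.");
    }

    $user   = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    $pass   = isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : '';
    $client = isset($_SERVER['REMOTE_ADDR'])   ? $_SERVER['REMOTE_ADDR']   : 'unknown';

    if ($user === '' || $pass === '') {
        send_login_challenge($realm);          /* first visit: no credentials yet */
    }

    if (!ftp_credentials_valid($host, $user, $pass)) {
        /* Username and client only, never the password: a burst of these lines
         * for one account, or for many accounts from one client, is the signal
         * that someone is using the FTP server as a password-guessing oracle. */
        error_log("auth: FTP login FAILED user=" . log_safe($user) . " client=$client");
        send_login_challenge($realm);
    }

    error_log("auth: FTP login ok user=" . log_safe($user) . " client=$client");
    return $user;
}

$userid = require_ftp_authenticated_user(AUTH_FTP_HOST, AUTH_REALM);
echo "Welcome, " . htmlspecialchars($userid, ENT_QUOTES, 'UTF-8');
```

Two design notes: the page fails closed when the FTP host cannot be reached, because an auth check that silently passes during an outage is worse than a page that is briefly unavailable; and the userid is escaped with `htmlspecialchars()` before being echoed, since it is attacker-controlled input that was only ever validated as "a login the mainframe accepts".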
