Hi Richard,

Richard Lynch <[EMAIL PROTECTED]> said:

> > I want to use PHP4 sessions for authentication, but I'm having difficulty
> 
> If it's as important as all that, go with SSL.
> 
Ah, I'll be using SSL for the original authentication anyway. But the users 
will be browsing using regular HTTP, which means I need a session to *keep* 
them authenticated. I could use HTTP-AUTH of course, but I don't particularly 
want to - some users don't seem to be able to understand it (I kid you not).

> Otherwise, live with the risk and just use HTTP Basic Authentication,
> perhaps via PHP sending the headers.
> 
See above.

> Unsolicited (and only slightly related) Tip:  I recently figured out that
> RaQ servers
>
I am on a RaQ(4) right now, gods love me, but this is an across the board 
thing. I'm developing this for my customers' use, but I'll be releasing it as 
open source later. So it needs to be as compatible as possible, and cater for 
all possible eventualities - including users who don't use cookies and don't 
understand HTTP-AUTH. It's a wee bit ironic you mentioned it too, because 
I'll be using it to create a server management interface, so I can dump the 
RaQ altogether. They're great little machines, but they're about as secure as 
my tummy after 10 pints of Heineken. (Too graphic? :)

> have some funky-ass httpd.conf settings already in them
>
Very funky actually. They use Perl Sections (mod_perl) to configure the SSL 
VirtualHosts on the fly when httpd is started. I'm experimenting with it 
meself at the moment, but I'm going to use PHP instead of Perl, because 
mod_perl makes for very fat httpd processes, which is pretty annoying when 
you don't even use it on the server. Unfortunately, PHP can't be embedded in 
httpd.conf (add that to the wish list lads), so I'm building a custom 
apachectl to read configuration data from a MySQL database and build a 
httpd.conf, and then start Apache with that config file. It's really quite 
cool, even if I do say so myself. :)

> doing HTTP Basic Authentication already, so trying to do HTTP Basic 
> Authentication via .htaccess just plain won't work.  (Or, rather, it will 
> only work for users already defined in their goofy interface...)
>
Kind of, but not really. Actually a RaQ has two httpd's running, one 
listening on ports 80 and 443, and one listening on 81. The regular httpd 
uses mod_rewrite to listen for requests for secured areas 
(/admin, /siteadmin, /personal and /stats on boxes that use Webalizer), and 
redirects to the port 81 server, which then authenticates using the users and 
groups defined on the machine. So you can use HTTP-AUTH as normal on the 
regular httpd, as long as you define your AuthUserFile/AuthGroupFile 
correctly, and the HTTP-AUTH protected areas don't clash with the RaQ secured 
areas. The server is configured with 'AllowOverride none' by default though, 
but you just need to change it to 'AuthConfig' to fix that.

> PHP sending the headers, however, works just fine and dandy. :-)
>
Yip.

> I have decided I don't really like RaQ servers.  They don't totally suck, 
> especially if you're in a hurry, but if you can do it a little later and 
> way better, don't go RaQ.  YMMV.
> 
Well, it's the same old problem, isn't it? Convenience V security. The RaQ's 
are *very* convenient for a small but reasonably busy webdev/hosting company 
that doesn't have their own interface. When it comes to security though, it's 
not the best solution in the world by any manner of means. But if we were to 
be 100% secure all the time, everyone would use SSH and SC. If only life were 
that simple... :)

Like I said above though, I'll be losing the RaQ as soon as I get the chance. 
I'd prefer to write and use my own code, I'd prefer to take the 
responsibility myself. And I'd just like to point out that I'm on this box 
now for convenience's sake, because it's closer to home than my preferred box 
(Red Hat, sorry :).

Anyway, thanks Richard,
adam

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
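The two approaches discussed in this thread, session-based authentication after an SSL login and HTTP Basic authentication with PHP sending the headers itself, as an added example that is not part of Adam's or Richard's posts. The user table, the `check_password()` helper and the `/login.php` path are constructed placeholders for this illustration; the rest uses only the PHP session and header functions.

```php
<?php
// Added example, not from the original mailing-list thread.
// Constructed placeholder user store: replace with your own lookup.
// The hash is generated at load time so the plaintext ('secret') is visible here.
$USERS = array('adam' => crypt('secret', '$1$saltsalt$'));

// Hypothetical credential check against the placeholder store above.
function check_password($user, $pass)
{
    global $USERS;
    return isset($USERS[$user]) && crypt($pass, $USERS[$user]) === $USERS[$user];
}

// Login endpoint: only ever served over HTTPS, as the post describes.
function handle_login($user, $pass)
{
    // Refuse credentials that arrived over plain HTTP.
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        header('HTTP/1.0 403 Forbidden');
        exit('Login must be submitted over SSL');
    }
    session_start();
    if (!check_password($user, $pass)) {
        return false;
    }
    // Issue a fresh session id on the privilege change, so an id that was
    // fixed or observed before login is not carried into the logged-in state.
    // (session_regenerate_id() needs PHP 4.3.2 or later.)
    session_regenerate_id();
    $_SESSION['auth_user'] = $user;
    $_SESSION['auth_time'] = time();
    return true;
}

// Gate placed at the top of each protected page; these pages are plain HTTP.
function require_login($max_age = 1800)
{
    session_start();
    if (empty($_SESSION['auth_user'])
        || (time() - $_SESSION['auth_time']) > $max_age) {
        // Not authenticated (or idle too long): send back to the SSL login page.
        header('Location: https://' . $_SERVER['HTTP_HOST'] . '/login.php');
        exit;
    }
    return $_SESSION['auth_user'];
}

// The alternative from the thread: HTTP Basic auth with PHP emitting the
// headers itself, which works even where .htaccess AuthConfig is not honoured.
function require_basic_auth($realm = 'Members')
{
    if (!isset($_SERVER['PHP_AUTH_USER'])
        || !check_password($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        header('WWW-Authenticate: Basic realm="' . $realm . '"');
        header('HTTP/1.0 401 Unauthorized');
        exit('Authentication required');
    }
    return $_SERVER['PHP_AUTH_USER'];
}
```

Two caveats a practitioner would want alongside this. Once the session continues over plain HTTP the session cookie travels in the clear on every request, so anyone who can observe the traffic can replay it; the idle timeout in `require_login()` only limits how long a captured id stays useful. And for users who refuse cookies, PHP's `session.use_trans_sid` option carries the id in the URL instead, where it shows up in bookmarks, proxy logs and the Referer header of any off-site link, so it is worth leaving off unless those users genuinely have to be supported.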
