Joined: Jul 1999
Posts: 118
Enthusiast
Is there any way to use our user database to protect access to other directories? Using Apache!!

A year ago I studied things like Apache mod-auth-mysql and similar things, but to no avail.

This would be a very nice feature.

Joined: Mar 2000
Posts: 21,079
Likes: 3
I type Like navaho
yes it would


- Allen wavey
- What Drives You?
Joined: Aug 2000
Posts: 1,609
Addict
What are some examples of how you would use this?

Joined: Jul 1999
Posts: 118
Enthusiast
DLWebmaestro said:
> What are some examples of how you would use this?

In an Apache .htaccess file that restricts access to a directory by username and password.

Instead of manually listing usernames and passwords, the ubbthreads database should be used.

There are some attempts in Apache modules, like mod authDB (?), mod authmysql, mod auth...???; but when I tried them last year I could not get them to work with any database, much less with our database.

So basically, I want to specify that a certain category of member of a ubbthreads board has access to some special download or picture directory.

I think a hardcore Apache hacker could produce this with not too much effort!!

Joined: Aug 2000
Posts: 1,609
Addict
Okay, but what are some examples of how you would use this?

Joined: Jul 1999
Posts: 118
Enthusiast
I have something on a directory. Could be photos, a chat, anything.

I want it to be accessible only by forum members, or only a certain category of forum members. I simply password protect the directory, using username and password from the ubbthreads database.

It would allow integrating almost any software with the board database, because it allows limiting access to registered members of the ubbthreads board.

This is what I would like to have this for. If I could get it to work.

Joined: Nov 2001
Posts: 10,369
I type Like navaho
It's much easier to use the threads authenticate() function as we do here with the chat mods and such. Then you can use threads user groups to control access.

Joined: Feb 2002
Posts: 1,759
Addict
I think what he's saying though.. is even if you do use the authenticate() function... if a user knows the exact URL, they can still get the file, whether authenticated or not.

For example.. say you have to log in to use the chat. Granted, that stops 95% of the people from getting access to anything... but, for the smarter people, if they really wanted a file out of the /chat directory, they could try and type in the URLs in their browser until they got it right.

I guess this was brought up over at photopost as well, because typically, if you have a private gallery that you can't see unless logged on, or a certain member, then others can't gain access to it. But.. unless the directory has .htaccess set up, users could still type in the URL of those "protected" images and retrieve them.

But.. the problem is when you use .htaccess, it will prompt you for another login box, even if you are already logged into threads or likewise. So I think the ultimate goal here is to have the threads login information be passed to .htaccess so the user doesn't have to log in again, yet the directory contents are as secure as possible.
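
One way to close the gap described in this post (a login check on the script, files still reachable by direct URL) is to keep the files outside the document root and let a single script check the forum session and then hand out the file. This is an added example, not part of the original thread or of UBB.threads; Python stands in for the board's own scripting language, and `open_protected`, the `photos` group and the file layout are hypothetical.

```python
import os
import tempfile

class Denied(Exception):
    """Request refused; the message carries the reason."""

def open_protected(store_dir, requested, session_groups, required_group):
    """Return the file's bytes only for a logged-in member of required_group.

    store_dir is assumed to sit outside the web server's document root, so no
    URL maps onto the files and this check is the only route to them.
    """
    if session_groups is None:
        raise Denied("not logged in")
    if required_group not in session_groups:
        raise Denied("wrong group")
    base = os.path.realpath(store_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # realpath resolves ../ and symlinks; a result outside the store is
    # refused, so the gate cannot be used to read arbitrary server files.
    if os.path.commonpath([base, target]) != base:
        raise Denied("path escapes the protected store")
    if not os.path.isfile(target):
        raise Denied("no such file")
    with open(target, "rb") as fh:
        return fh.read()

def try_fetch(store_dir, requested, session_groups, required_group="photos"):
    """Wrapper that turns a refusal into a printable reply."""
    try:
        return open_protected(store_dir, requested, session_groups, required_group)
    except Denied as exc:
        return "denied: " + str(exc)

def build_demo_store():
    """Constructed sample layout: a protected store and a file outside it."""
    root = tempfile.mkdtemp()
    store = os.path.join(root, "private_gallery")
    os.mkdir(store)
    with open(os.path.join(store, "pic1.jpg"), "wb") as fh:
        fh.write(b"JPEGDATA")
    with open(os.path.join(root, "config.php"), "wb") as fh:
        fh.write(b"db password")
    return store

if __name__ == "__main__":
    store = build_demo_store()
    print(try_fetch(store, "pic1.jpg", {"photos"}))
    print(try_fetch(store, "../config.php", {"photos"}))
```

Because the session check and the file read happen in the same request, the user logs in once through the forum and never sees a second browser login box.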

Joined: Apr 2002
Posts: 1,768
Addict
I have a book on Apache that illustrates how to do this by creating a custom Apache module. It doesn't look too difficult, but I no longer have a dedicated server, so I can't experiment with it.

Joined: Nov 2001
Posts: 10,369
I type Like navaho
Oh that makes sense - like here - the download script for attachments hides the actual URL to the attachments - but if you knew the URL you could pull it down?

Joined: Mar 2000
Posts: 21,079
Likes: 3
I type Like navaho
yes, like in the games section too... you can protect the .php file with threads authentication, but they could directly access the files


- Allen wavey
- What Drives You?
Joined: Nov 2001
Posts: 10,369
I type Like navaho
Doah - so like when I want to do an "intervention" and add some code to stop you from playing Crash Down so much - you'll just be able to use the URL and feed your addiction?

LOL

Joined: Jul 1999
Posts: 118
Enthusiast
JoshPet said:
> It's much easier to use the threads authenticate() function as we do here with the chat mods and such. Then you can use threads user groups to control access.

As mentioned by another poster below, this can easily be defeated. I want to implement a Java Chat, for example.

You told me the nick change function can be shut off in the paid version. Still I am sure this can be defeated. I don't want to tell here in public how someone can log in with a registered nick without the password, but I am quite sure I know of several methods.

Can you assure that in the chat no nick falsification is possible? Actually, in the case of the chat, the only safe way is to put the authentication with our database INTO the chat software. I did that once with the volano chat.

Actually, I think with the .htaccess protection, if we protect all the chat files with it (the .js files), then it is hard to access the chat without the password, as the files cannot be obtained easily. But if the files are not on our server, then this would not do.

But for directories, the only safe way to protect them is Apache .htaccess, not just hiding directories. Very easy to find out where they are hidden.

Joined: Jul 1999
Posts: 118
Enthusiast
Dave_L said:
> I have a book on Apache that illustrates how to do this by creating a custom Apache module. It doesn't look too difficult, but I no longer have a dedicated server, so I can't experiment with it.

Any takers???? I think you could become famous by fixing an authentication module that simply calls some arbitrary file, passes username and password, and waits for a response: "yes" or "not approved, reason is ...."

This way people could easily write authentication scripts with any database.

I am sure someone allows you to use their server, or better just install Linux dual boot on your own computer!!

Give me the link on "how to write a module", maybe this is the excuse I need to revive some of my programming skills.

This needs what? C++? C?? Perl would do??
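
The kind of helper the post above asks for, as an added example that is not part of the original thread: a script that receives a username and password and answers "yes" or "not approved, reason is ...". The stdin and exit-status contract, the `users` table layout, the PBKDF2 hashing and the in-memory SQLite database are assumptions standing in for an Apache module's calling convention and the board's real schema.

```python
import hashlib
import hmac
import sqlite3
import sys

def hash_password(password, salt):
    # PBKDF2 with an assumed work factor; a real board dictates its own hash format.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Compared against when the username is unknown, so a missing account costs
# the same work as a wrong password (no username enumeration by timing).
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = hash_password("dummy", _DUMMY_SALT)

def check(db, username, password, required_group):
    """Return (approved, reply): "yes" or "not approved, reason is ..."."""
    row = db.execute(  # bound parameter: the login name never becomes SQL text
        "SELECT salt, pw_hash, member_groups FROM users WHERE username = ?", (username,)
    ).fetchone()
    salt, stored, groups = row if row else (_DUMMY_SALT, _DUMMY_HASH, "")
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    if row is None or not matches:
        return False, "not approved, reason is bad username or password"
    if required_group not in groups.split(","):
        return False, "not approved, reason is not in group " + required_group
    return True, "yes"

def demo_db():
    """Constructed sample data standing in for the forum's user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, salt BLOB, pw_hash BLOB, member_groups TEXT)")
    for name, pw, groups in [("alice", "correct horse", "members,photos"),
                             ("bob", "hunter2", "members")]:
        salt = hashlib.sha256(name.encode()).digest()[:16]  # fixed salt, demo only
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                   (name, salt, hash_password(pw, salt), groups))
    return db

def main(argv, stdin):
    # Credentials arrive on stdin, not argv, which the process list exposes.
    group = argv[1] if len(argv) > 1 else "members"
    username = stdin.readline().rstrip("\n")
    password = stdin.readline().rstrip("\n")
    approved, reply = check(demo_db(), username, password, group)
    print(reply)
    return 0 if approved else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv, sys.stdin))
```

The reply for an unknown user and for a wrong password is deliberately identical, so the script does not reveal which forum names exist.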


Joined: Nov 2001
Posts: 10,369
I type Like navaho
That wouldn't work for Raidersoft though. It probably would if you were hosting it yourself, but with Raidersoft all the .js files are on their server. So there'd be nothing to protect on your end.

But indeed I think some chat systems, like jpilot, have files you load on your own server.

If you are using the paid Raidersoft - they do have the ability to interface with your database.

But if you are looking for chat - I'd check out Raidersoft
http://www.sigmachat.com/features.html

With Platinum version you can take it a step further than the mod posted here
> Complete integration with your own user database
> - Use your own website scripts (we provide complete instructions) to authenticate users based upon their username/password.
> - Alternatively, you can interface directly to our user database to upload your own list of users on an individual basis. We provide you access to all the information you'll need.

But I could see where this could be really useful in protecting images and file downloads.

Joined: Apr 2002
Posts: 1,768
Addict
My current computer is on its last legs. I'm getting a new computer shortly and was planning on setting up a dual Win2K/Linux boot eventually, but that may be a while.

Here's the reference I mentioned above:

L. Stein & D. MacEachern, "Writing Apache Modules with Perl and C", O'Reilly, 1999, ISBN 1-56592-567-X, Chapter 6 (Authentication and Authorization).

Apache modules can be written in either Perl or C. I think Perl is preferable, unless you need it to be really efficient, which probably isn't the case here.

You might also check apache.org. Maybe something like this already exists.

Joined: Jul 1999
Posts: 118
Enthusiast
JoshPet said:
> That wouldn't work for Raidersoft though. It probably would if you were hosting it yourself, but with Raidersoft all the .js files are on their server. So there'd be nothing to protect on your end.
>
> But indeed I think some chat systems, like jpilot, have files you load on your own server.
>
> If you are using the paid Raidersoft - they do have the ability to interface with your database.
>
> But if you are looking for chat - I'd check out Raidersoft
> http://www.sigmachat.com/features.html
>
> With Platinum version you can take it a step further than the mod posted here
> > Complete integration with your own user database
> > - Use your own website scripts (we provide complete instructions) to authenticate users based upon their username/password.
> > - Alternatively, you can interface directly to our user database to upload your own list of users on an individual basis. We provide you access to all the information you'll need.
>
> But I could see where this could be really useful in protecting images and file downloads.

Great advice!!!!! I will try the free Raidersoft version, later upgrade!!

Joined: Jul 1999
Posts: 118
Enthusiast
Dave_L said:
> Here's the reference I mentioned above:
>
> L. Stein & D. MacEachern, "Writing Apache Modules with Perl and C", O'Reilly, 1999, ISBN 1-56592-567-X, Chapter 6 (Authentication and Authorization).
>
> Apache modules can be written in either Perl or C. I think Perl is preferable, unless you need it to be really efficient, which probably isn't the case here.
>
> You might also check apache.org. Maybe something like this already exists.

I am not in the US, so it is probably hard to get that book. I would need something on the web.

Also the book might be outdated!! Though I am curious!! Looks exciting!! At least I don't need to study C, with Perl I get by.

Any further links you know, I appreciate. Or will you do it??
I think such a module is sorely needed, no clue why nobody produces it!!!

