docman2/htusers/header.php

<?

/*
        Document manager handling for authentification of users
        based on:
        * refearer header from remote browser (it's really easy to forge this)
        * remote IP address
        * remote DNS hostname

        Written by Dobrica Pavlinusic <dpavlin@rot13.org>

        Usage example:

docman.conf:

$gblUsers = "htusers_header";
        
.htusers examples:

REMOTE_ADDR=10.0.0.3:Dobrica (client ip):auth_header:dpavlin@foo.bar
        will match exact IP adress
remote_hostname=hbreyer2:Dobrica (hostname):auth_header:dpavlin@foo.bar
        will match exact hostname
http_referer=test.foo.bar:Dobrica (by referer):auth_header:dpavlin@foo.bar
        will match user which comes from site test.foo.bar
remote_user=dpavlin:Dobrica (by server http auth):auth_header:dpavlin@foo.bar
        will match user "dpavlin" which is authetificated using .htaccess

*/

        $htusers_file=dirname($SCRIPT_FILENAME)."/.htusers";

        $cookie_name="docman_autologin";
        $cookie_val=md5($htusers_file.$GLOBALS[REMOTE_ADDR]);
        $cookie_val_force=md5($htusers_file.$GLOBALS[REMOTE_USER]);

        if (isset($HTTP_COOKIE_VARS[$cookie_name]) && $HTTP_COOKIE_VARS[$cookie_name] == $cookie_val) {
                // no PHP_AUTH_PW set
                $login_allowed=1;
        } elseif (isset($HTTP_COOKIE_VARS[$cookie_name]) && $HTTP_COOKIE_VARS[$cookie_name] == $cookie_val_force) {
                // PHP_AUTH_PW is set, force login!
                $force_login_allowed=1;
        } else {
                $login_allowed=0;
        }

        $force_login_allowed=0;

        $htusers=fopen($htusers_file,"r");
        while($user = fgetcsv($htusers,255,":")) {
                if ( $user[2]=="auth_header" ) {
                        $tmp = explode("=",$user[0]);
                        if (stristr($tmp[0],"REMOTE_ADDR") && $tmp[1] == $GLOBALS[REMOTE_ADDR]) $login_allowed=1;
                        elseif (stristr($tmp[0],"REMOTE_hostname")) {
                                $remote_hostname=gethostbyaddr($GLOBALS[REMOTE_ADDR]);
                                // remove everything after first dot
                                $remote_hostname=substr($remote_hostname,0,strpos($remote_hostname,"."));
                                if ($tmp[1] == $remote_hostname) $login_allowed=1;
                        } elseif (stristr($tmp[0],"http_referer")) {
                                //error_log("$tmp[0]: $tmp[1] ?? $GLOBALS[HTTP_REFERER]",0);
                                if (isset($GLOBALS[HTTP_REFERER]) && stristr($GLOBALS[HTTP_REFERER],$tmp[1])) {
                                        setcookie($cookie_name,$cookie_val_force,time()+3600);
                                        $login_allowed=1;
                                        //error_log("$tmp[0]: $tmp[1] == $GLOBALS[HTTP_REFERER]",0);
                                }
                        } elseif (stristr($tmp[0],"remote_user") && isset($GLOBALS[AUTH_TYPE]) && isset($GLOBALS[REMOTE_USER])) {
                                if ($GLOBALS[REMOTE_USER] == $tmp[1]) {
                                        $force_login_allowed=1;
                                }

                        }
                        //error_log("$tmp[0]: $tmp[1] == $GLOBALS[REMOTE_USER] go!go!go! $login_allowed|$force_login_allowed|$PHP_AUTH_PW",0);
                        if (($login_allowed && !isset($GLOBALS[gblPasswd])) || ($force_login_allowed && isset($GLOBALS[gblPasswd]))) {
                                $gblUserName=$user[1];
                                // make fake login credentials
                                $GLOBALS[gblPasswd]=$GLOBALS[gblLogin]=$user[0];
                                $secHash=md5($GLOBALS[gblLogin].$GLOBALS[gblPasswd]);
                                $gblEmail=$user[3];
                                break ;
                        }
                }
        }
        fclose($htusers);

?>
1	<?
2
3	/*
4	Document manager handling for authentification of users
5	based on:
6	* refearer header from remote browser (it's really easy to forge this)
7	* remote IP address
8	* remote DNS hostname
9
10	Written by Dobrica Pavlinusic <dpavlin@rot13.org>
11
12	Usage example:
13
14	docman.conf:
15
16	$gblUsers = "htusers_header";
17
18	.htusers examples:
19
20	REMOTE_ADDR=10.0.0.3:Dobrica (client ip):auth_header:dpavlin@foo.bar
21	will match exact IP adress
22	remote_hostname=hbreyer2:Dobrica (hostname):auth_header:dpavlin@foo.bar
23	will match exact hostname
24	http_referer=test.foo.bar:Dobrica (by referer):auth_header:dpavlin@foo.bar
25	will match user which comes from site test.foo.bar
26	remote_user=dpavlin:Dobrica (by server http auth):auth_header:dpavlin@foo.bar
27	will match user "dpavlin" which is authetificated using .htaccess
28
29	*/
30
31	$htusers_file=dirname($SCRIPT_FILENAME)."/.htusers";
32
33	$cookie_name="docman_autologin";
34	$cookie_val=md5($htusers_file.$GLOBALS[REMOTE_ADDR]);
35	$cookie_val_force=md5($htusers_file.$GLOBALS[REMOTE_USER]);
36
37	if (isset($HTTP_COOKIE_VARS[$cookie_name]) && $HTTP_COOKIE_VARS[$cookie_name] == $cookie_val) {
38	// no PHP_AUTH_PW set
39	$login_allowed=1;
40	} elseif (isset($HTTP_COOKIE_VARS[$cookie_name]) && $HTTP_COOKIE_VARS[$cookie_name] == $cookie_val_force) {
41	// PHP_AUTH_PW is set, force login!
42	$force_login_allowed=1;
43	} else {
44	$login_allowed=0;
45	}
46
47	$force_login_allowed=0;
48
49	$htusers=fopen($htusers_file,"r");
50	while($user = fgetcsv($htusers,255,":")) {
51	if ( $user[2]=="auth_header" ) {
52	$tmp = explode("=",$user[0]);
53	if (stristr($tmp[0],"REMOTE_ADDR") && $tmp[1] == $GLOBALS[REMOTE_ADDR]) $login_allowed=1;
54	elseif (stristr($tmp[0],"REMOTE_hostname")) {
55	$remote_hostname=gethostbyaddr($GLOBALS[REMOTE_ADDR]);
56	// remove everything after first dot
57	$remote_hostname=substr($remote_hostname,0,strpos($remote_hostname,"."));
58	if ($tmp[1] == $remote_hostname) $login_allowed=1;
59	} elseif (stristr($tmp[0],"http_referer")) {
60	//error_log("$tmp[0]: $tmp[1] ?? $GLOBALS[HTTP_REFERER]",0);
61	if (isset($GLOBALS[HTTP_REFERER]) && stristr($GLOBALS[HTTP_REFERER],$tmp[1])) {
62	setcookie($cookie_name,$cookie_val_force,time()+3600);
63	$login_allowed=1;
64	//error_log("$tmp[0]: $tmp[1] == $GLOBALS[HTTP_REFERER]",0);
65	}
66	} elseif (stristr($tmp[0],"remote_user") && isset($GLOBALS[AUTH_TYPE]) && isset($GLOBALS[REMOTE_USER])) {
67	if ($GLOBALS[REMOTE_USER] == $tmp[1]) {
68	$force_login_allowed=1;
69	}
70
71	}
72	//error_log("$tmp[0]: $tmp[1] == $GLOBALS[REMOTE_USER] go!go!go! $login_allowed\|$force_login_allowed\|$PHP_AUTH_PW",0);
73	if (($login_allowed && !isset($GLOBALS[gblPasswd])) \|\| ($force_login_allowed && isset($GLOBALS[gblPasswd]))) {
74	$gblUserName=$user[1];
75	// make fake login credentials
76	$GLOBALS[gblPasswd]=$GLOBALS[gblLogin]=$user[0];
77	$secHash=md5($GLOBALS[gblLogin].$GLOBALS[gblPasswd]);
78	$gblEmail=$user[3];
79	break ;
80	}
81	}
82	}
83	fclose($htusers);
84
85	?>