
Annotation of /htusers/header.php



Revision 1.1 - (hide annotations)
Sat Jul 20 13:04:22 2002 UTC (21 years, 10 months ago) by dpavlin
Branch point for: MAIN, DbP
Initial revision

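<?php

/*
    Document manager handling for authentication of users
    based on:
    * referer header from remote browser (it's really easy to forge this)
    * remote IP address
    * remote DNS hostname

    Written by Dobrica Pavlinusic <dpavlin@rot13.org>

    Usage example:

    docman.conf:

    $gblUsers = "htusers_header";

    .htusers examples:

    REMOTE_ADDR=10.0.0.3:Dobrica (client ip):auth_header:dpavlin@foo.bar
        will match exact IP address
    remote_hostname=hbreyer2:Dobrica (hostname):auth_header:dpavlin@foo.bar
        will match exact hostname
    http_referer=test.foo.bar:Dobrica (by referer):auth_header:dpavlin@foo.bar
        will match user which comes from site test.foo.bar
    remote_user=dpavlin:Dobrica (by server http auth):auth_header:dpavlin@foo.bar
        will match user "dpavlin" which is authenticated using .htaccess

    Trust notes for whoever maintains .htusers:
    * http_referer is sent by the client and is matched as a substring, so it
      identifies nothing; treat such rules as a convenience, not as access control.
    * remote_hostname relies on a reverse DNS lookup that is not confirmed by a
      forward lookup, and only the first label of the name is compared.
    * REMOTE_ADDR is whatever address the web server reports; behind a proxy or
      NAT it is shared by every client of that proxy.
    * remote_user is only as strong as the web server authentication in front
      of this script.
*/

$htusers_file = dirname($SCRIPT_FILENAME) . "/.htusers";

$cookie_name = "docman_autologin";
// NOTE(review): both cookie values are plain MD5 digests of non-secret inputs
// (the .htusers path plus the client address or user name), so they are not
// unforgeable tokens. A keyed digest (hash_hmac with a server-side secret)
// would be needed before the cookie can be trusted on its own.
$cookie_val = md5($htusers_file . $GLOBALS['REMOTE_ADDR']);
$cookie_val_force = md5($htusers_file . $GLOBALS['REMOTE_USER']);

// Both flags start cleared, so neither is ever read while undefined.
$login_allowed = 0;
$force_login_allowed = 0;

// Strict comparison: with "==" two numeric-looking strings (for example a
// digest of the form 0e<digits>) compare equal as numbers, and a cookie sent
// as an array would be juggled as well.
if (isset($HTTP_COOKIE_VARS[$cookie_name]) && $HTTP_COOKIE_VARS[$cookie_name] === $cookie_val) {
    // no PHP_AUTH_PW set
    $login_allowed = 1;
}
// The original also compared the cookie with $cookie_val_force, but cleared
// $force_login_allowed immediately afterwards, so that match never had any
// effect. It stays without effect here: forced login is granted only by a
// remote_user rule below.

$htusers = fopen($htusers_file, "r");
if ($htusers) {
    while ($user = fgetcsv($htusers, 255, ":")) {
        // Blank or short lines have no type column; skip them.
        if (!isset($user[2]) || $user[2] !== "auth_header") {
            continue;
        }

        // Split on the first "=" only, so a value that itself contains "="
        // is compared in full instead of being cut short.
        $tmp = explode("=", $user[0], 2);
        // A rule without a value must never match: an empty value would
        // otherwise equal an empty or failed lookup result.
        $rule_value = (isset($tmp[1]) && $tmp[1] !== "") ? $tmp[1] : null;

        if ($rule_value !== null) {
            if (stristr($tmp[0], "REMOTE_ADDR")) {
                if ($rule_value === $GLOBALS['REMOTE_ADDR']) {
                    $login_allowed = 1;
                }
            } elseif (stristr($tmp[0], "REMOTE_hostname")) {
                $remote_hostname = gethostbyaddr($GLOBALS['REMOTE_ADDR']);
                if (!is_string($remote_hostname) || $remote_hostname === $GLOBALS['REMOTE_ADDR']) {
                    // gethostbyaddr() hands back the address itself (or false)
                    // when the lookup fails; do not let the first octet of an
                    // IP address pass for a hostname.
                    $remote_hostname = "";
                } else {
                    // remove everything after first dot; a name without any
                    // dot is kept whole (strpos() returns false there, which
                    // used to truncate the name to an empty string)
                    $dot = strpos($remote_hostname, ".");
                    if ($dot !== false) {
                        $remote_hostname = substr($remote_hostname, 0, $dot);
                    }
                }
                if ($remote_hostname !== "" && $rule_value === $remote_hostname) {
                    $login_allowed = 1;
                }
            } elseif (stristr($tmp[0], "http_referer")) {
                // Client-supplied header, substring match: see trust notes above.
                if (isset($GLOBALS['HTTP_REFERER']) && stristr($GLOBALS['HTTP_REFERER'], $rule_value)) {
                    setcookie($cookie_name, $cookie_val_force, time() + 3600);
                    $login_allowed = 1;
                }
            } elseif (stristr($tmp[0], "remote_user") && isset($GLOBALS['AUTH_TYPE']) && isset($GLOBALS['REMOTE_USER'])) {
                if ($GLOBALS['REMOTE_USER'] === $rule_value) {
                    $force_login_allowed = 1;
                }
            }
        }

        // NOTE(review): when the cookie check above already set $login_allowed,
        // the first auth_header entry in .htusers is the one that gets logged
        // in, whatever its rule says - confirm that this is intended.
        if (($login_allowed && !isset($GLOBALS['gblPasswd'])) || ($force_login_allowed && isset($GLOBALS['gblPasswd']))) {
            $gblUserName = $user[1];
            // make fake login credentials
            $GLOBALS['gblPasswd'] = $GLOBALS['gblLogin'] = $user[0];
            $secHash = md5($GLOBALS['gblLogin'] . $GLOBALS['gblPasswd']);
            $gblEmail = $user[3];
            break;
        }
    }
    fclose($htusers);
}
// A missing or unreadable .htusers leaves both flags at 0: nobody is logged in.

?>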
