Force HTTP_AUTH?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Force HTTP_AUTH?

Postby CaliberWebMedia » Fri Jan 20, 2012 10:01 am

I have this application which has three directories:

/ajax/
/ckeditor/
/upload/

Which all have security holes. I can .htaccess these folders no problem.

However, when a user logs into my application and tries to use any of these functions in said directories the application prompts for user/pass.

1. I know I can force the user/pass like so: <form action="http://user:pass@domain.com/cp/upload/php/index.php" method="POST">, but of course this exposes the username and password.

So, what I'm wondering: is it possible when my users log in to my application I can somehow log the users into the password protected directories too? Possibly using $_SERVER and $_SESSION vars? It just seems so much more "user friendly" to have them only log in once instead of prompting for a pw all the time.

Otherwise, I believe my application to be pretty secure.
CaliberWebMedia
Forum Newbie
 
Posts: 4
Joined: Fri Nov 18, 2011 12:01 am

Re: Force HTTP_AUTH?

Postby Mordred » Sat Jan 21, 2012 8:15 am

1. You should add authorization checks to your asynchronously accessed PHP code just like in any other PHP code you expose. There's no need to use a different authentication mechanism than the one you already use for your 'main' site anyway.
2. Depending on what your "security holes" in these directories are, this might not help entirely - you need protection against malicious authenticated users as much as you need protection against 'anonymous' ones.
Things need not have happened to be true. Tales and dreams are the shadow-truths that will endure when mere facts are dust and ashes, and forgot.
My security blog. (not updated lately)
The Unexpected SQL Injection (article) (.txt, cause the .html version is broken)
Password hashing howto (and how not to) (article)
Salt strengths (article)
Mordred
DevNet Resident
 
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria
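The approach Mordred describes, as an added example that is not code from either poster: a small guard file that the scripts under /ajax/, /ckeditor/ and /upload/ include at the top, reusing the main site's session login instead of a second HTTP Basic prompt, plus an ownership check so authenticated users cannot act on each other's resources. The file name auth_guard.php, the $_SESSION['user_id'] key and the lookup_owner_of() helper are assumptions; the .htaccess protection on those directories would be dropped once every script in them includes this guard.

```php
<?php
// auth_guard.php (hypothetical name): included first by every script under
// /ajax/, /ckeditor/ and /upload/.  Added example, not the poster's code.
declare(strict_types=1);

session_start();

// Authentication: reuse the main site's login.  The same session that marks a
// user as logged in is checked here, so no HTTP Basic dialog is ever shown.
// $_SESSION['user_id'] is an assumed key set by the application's login code.
function require_login(): int
{
    if (empty($_SESSION['user_id'])) {
        // Asynchronous callers get a machine-readable refusal rather than a
        // redirect to an HTML login page.
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'login required']);
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// Authorisation (Mordred's second point): being logged in is not enough; a
// user may only act on files or records they own.  $ownerId is whatever the
// application's own data layer reports as the owner of the requested resource.
function require_owner(int $userId, ?int $ownerId): void
{
    if ($ownerId === null || $ownerId !== $userId) {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'forbidden']);
        exit;
    }
}

// Usage, e.g. at the top of /upload/php/index.php:
//   require_once __DIR__ . '/../../auth_guard.php';
//   $userId = require_login();
//   // before overwriting or deleting a stored file:
//   require_owner($userId, lookup_owner_of($requestedFile)); // app's own lookup (assumed)
```

Because the check runs inside PHP, it also covers requests that bypass the browser entirely (scripted calls straight to the /ajax/ or /upload/ URLs), which a form-embedded user:pass URL would not.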

