mod_auth_mysql


Postby mldz » 11. December 2007 09:08

Hi,

I would like to make an authentication system using mysql instead of putting the users and passwords in .htaccess. Google told me that I could make use of mod_auth_mysql. But how can I activate it in xampp for windows? (I couldn't see it in the module section in <?php phpinfo() ?>)
And does anybody have an example of the .htaccess file?
best regards,

Matthijs
mldz
 
Posts: 12
Joined: 11. December 2007 09:01

Re: mod_auth_mysql

Postby Izzy » 11. December 2007 09:51

mldz wrote:...Google told me that I could make use of mod_auth_mysql. But how can I activate it in xampp for windows?

Open xampp\apache\conf\httpd.conf file in your text editor and find this line:
#LoadModule mysql_auth_module modules/mod_auth_mysql.so

Uncomment it so it looks like this:
LoadModule mysql_auth_module modules/mod_auth_mysql.so

Save the file and restart Apache to have your edits recognized.

Important - Always make a backup of conf and ini files before editing.

Then proceed with what Google told you.

BTW - For your .htaccess example, there is a .htaccess in xampp\htdocs\xampp directory if you set a password for your xampp directories.
It is coupled with a file in the xampp\security directory with a duplicate .htaccess in the xampp\security\htdocs directory - Also see the .htaccess link below.

The Apache doc links for some technical and official reading are here:
http://httpd.apache.org/docs/2.2/howto/auth.html
http://httpd.apache.org/docs/2.2/programs/htpasswd.html
http://httpd.apache.org/docs/2.2/howto/htaccess.html


===========================================
1. The new DeskTopXampp Launch Control for XAMPP / XAMPPlite
Posted by Ridgewood available from Ridgewood'sDTX web site

2. Build Rich AJAX Applications - Faster
TIBCO General Interface Pro Edition but FREE and Open Source
Fully working with NO donations required to get a user/password
===========================================
Izzy
 
Posts: 3344
Joined: 25. April 2006 17:06

Postby mldz » 11. December 2007 10:20

Hi,

thank you for your reply.

I've changed the http.conf file and restarted Apache. The module is now loaded ;-)

Loaded Modules core mod_win32 mpm_winnt http_core mod_so mod_actions mod_alias mod_asis mod_auth_basic mod_authn_default mod_authn_file mod_authz_default mod_authz_groupfile mod_authz_host mod_authz_user mod_cgi mod_dav mod_dav_fs mod_dir mod_env mod_include mod_info mod_isapi util_ldap mod_log_config mod_mime mod_negotiation mod_setenvif mod_status mod_ssl mod_autoindex_color mod_auth_mysql mod_php5

I made a .htaccess file:

AuthName "Melding voor inloggen"
require group mysql_auth
Auth_MySQL_DB mydatabase
Auth_Mysql_Password_Table members
Auth_MySQL_Group_Table members
Auth_MySQL_Username_Field username
Auth_MySQL_Password_Field passwd
Auth_MySQL_Group_Field groups
Auth_MySQL_Empty_Passwords off
Auth_MySQL_Encryption_Types Plaintext
AuthBasicAuthoritative Off
Auth_MySQL on

But when I go to the directory, I get an internal server error.
Do you have a clue why?
CU,

Matthijs
mldz
 
Posts: 12
Joined: 11. December 2007 09:01

Postby Izzy » 11. December 2007 10:27

but when I go to the directory, I get an internal server error.
Do you have a clue why?

Whenever you get a server error, check the error log located here:
xampp\apache\logs\error.log

It should give you the details of what is wrong.


Izzy
 
Posts: 3344
Joined: 25. April 2006 17:06

Postby mldz » 11. December 2007 10:34

Thanks.

this is the error:

[Tue Dec 11 10:18:05 2007] [alert] [client 127.0.0.1] D:/xampp/htdocs/traderspit/tests/members/.htaccess: Invalid command 'Auth_MySQL_DB', perhaps misspelled or defined by a module not included in the server configuration, referer: http://localhost/traderspit/tests/

But I don't see any problem there... :?

Matthijs
mldz
 
Posts: 12
Joined: 11. December 2007 09:01

Postby Izzy » 11. December 2007 11:38

Can you provide me with a link to the Google pages you are reading on this subject please, so I can check the details and try and reproduce your future problems perhaps?

I believe there may have been a change in the way you write these rules in a .htaccess file.

Try by removing all the underscores so they look like this:
AuthName "Melding voor inloggen"
require group mysql_auth
AuthMySQLDB mydatabase
AuthMysqlPasswordTable members
AuthMySQLGroupTable members
AuthMySQLUsernameField username
AuthMySQLPasswordField passwd
AuthMySQLGroupField groups
AuthMySQLEmptyPasswords Off
AuthMySQLEncryptionTypes Plaintext
AuthBasicAuthoritative Off
AuthMySQL On


References:
http://modauthmysql.sourceforge.net/CONFIGURE
http://modauthmysql.sourceforge.net/CHANGES
http://modauthmysql.sourceforge.net/

BTW - Apache is very case sensitive and on can be different to On so keep your eye on this as it may also produce errors.

File.php is a different file to file.php in Apache but the same file in Windows.

Hope this helps.


Last edited by Izzy on 11. December 2007 11:44, edited 1 time in total.
Izzy
 
Posts: 3344
Joined: 25. April 2006 17:06

Postby KallistaAEnvarou » 11. December 2007 11:40

What kind of authorization are you looking for? Popup logins like happen on http://reportingscience.com/cpanel or for standard authorizations like happen on http://reportingscience.com/login?
KallistaAEnvarou
 
Posts: 126
Joined: 02. December 2007 17:33
Location: Cold Cold California

Postby mldz » 11. December 2007 12:05

Hi Izzy,

Your adjusted code for the .htaccess doesn't seem to help. I'll google some more. Thanks anyway!

Hi KallistaAEnvarou,

I'm looking for something like: http://reportingscience.com/login? but the login must secure a directory. Is that possible? (without cookies)
best regards,

Matthijs
mldz
 
Posts: 12
Joined: 11. December 2007 09:01

Postby mldz » 11. December 2007 18:14

It seems that I've got it working!!! :lol: Thanks for the effort!
mldz
 
Posts: 12
Joined: 11. December 2007 09:01

Postby KallistaAEnvarou » 11. December 2007 23:46

Well, the one I have set up on my machine (I haven't doesn't use cookies. It uses the database to track who's online. I have it set up to show that the user is online when the IP and browsers match. Now, there are a few advantages and disadvantages to this versus cookies.

Cookie advantages
  1. Cookies allow for a login for a specific browser on a specific single machine.
  2. There is less strain on the database.

Cookie disadvantages
  1. Protecting against cookie-stealing requires lots of coding.
  2. Users can be logged in from multiple locations (potential security risk)
  3. Opera has an issue with keeping cookies past a certain time, or past closing the browser.

Database advantages
  1. There is NO possibility of cookie stealing, and, as such, no need to code against it.
  2. Users can be logged even after they close Opera
  3. There is an easier ability to locate those who have cracked the user's password since logging in from a different browser/browser version/IP requires the password (or requires the same IP to be switched to AND the same browser version to be used) to be known since JavaScript can't be used to change the user identity. As well, the user will know if someone has logged in elsewhere since the user will automatically be logged out.
  4. If the user clears all cookies, then the user is still logged in (which can be a disadvantage).
  5. The database keeps track of when to log the user out (I have the option for users to say how long they want to be logged in for versus relying on cookie expiration time).

Database disadvantages
  1. If two or more machines have the same IP, someone from the same IP could automatically log in from one of those machines (at least, only if there's no way to separate two different machines on the same IP).
  2. If the user has an IP that constantly changes, then the user would have to log in at each IP change.


Alternatively, you can use session variables versus cookies or databases, but there's always the possibility that the session can be hijacked and the information stolen. Plus, session variables require that a user log in each time the user closes his or her browser.
KallistaAEnvarou
 
Posts: 126
Joined: 02. December 2007 17:33
Location: Cold Cold California

Postby mldz » 12. December 2007 10:54

Hi KallistaAEnvarou,

thanks for all the info!

I think I'll stay with mod_auth_mysql because it's more manageable for me that way. And when a user logs in, I'll keep track of its IP etc. So that if a username is used on different IPs I'll get an email warning. Computers with one IP...bad luck. It's just a course where my clients need to pay for, it's not highly classified material.
CU,

Matthijs
mldz
 
Posts: 12
Joined: 11. December 2007 09:01
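
The check described in the post above (one username showing up from several IP addresses) can be run over the Apache access log, because Basic authentication records the authenticated user in the third log field. This is an added example, not code from the thread; the function name, the one-hour window and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format prefix: host ident authuser [time] "request" status
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3})')

# Constructed sample lines (documentation-range addresses, made-up users).
SAMPLE_LOG = """\
192.0.2.10 - alice [12/Dec/2007:10:00:01 +0100] "GET /members/ HTTP/1.1" 200 512
198.51.100.7 - alice [12/Dec/2007:10:20:44 +0100] "GET /members/l1.html HTTP/1.1" 200 900
192.0.2.20 - bob [12/Dec/2007:10:05:00 +0100] "GET /members/ HTTP/1.1" 200 512
203.0.113.5 - bob [12/Dec/2007:15:00:00 +0100] "GET /members/ HTTP/1.1" 200 512
192.0.2.30 - carol [12/Dec/2007:11:00:00 +0100] "GET /members/ HTTP/1.1" 200 512
203.0.113.9 - carol [12/Dec/2007:11:01:00 +0100] "GET /members/ HTTP/1.1" 401 401
192.0.2.40 - - [12/Dec/2007:11:02:00 +0100] "GET /index.html HTTP/1.1" 200 300
"""

def shared_accounts(lines, window=timedelta(hours=1)):
    """Map user -> sorted IPs when one account authenticated successfully
    from more than one address inside a sliding time window."""
    events = defaultdict(list)                      # user -> [(time, ip)]
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, user, stamp, status = m.groups()
        if user == "-" or status[0] not in "23":    # anonymous or failed login
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        events[user].append((when, ip))
    flagged = {}
    for user, seen in events.items():
        seen.sort()
        start = 0
        for end, (when, _) in enumerate(seen):
            while when - seen[start][0] > window:   # drop events older than window
                start += 1
            ips = {ip for _, ip in seen[start:end + 1]}
            if len(ips) > 1:
                flagged.setdefault(user, set()).update(ips)
    return {user: sorted(ips) for user, ips in flagged.items()}

if __name__ == "__main__":
    for user, ips in shared_accounts(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: seen from {', '.join(ips)} within one hour")
```

A visitor whose address changes inside the window is flagged as well, so a hit is a prompt to review the account rather than proof that the login is shared.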

Postby Scory » 12. December 2007 11:24

KallistaAEnvarou wrote:Database disadvantages
  1. If two or more machines have the same IP, someone from the same IP could automatically log in from one of those machines (at least, only if there's no way to separate two different machines on the same IP).


And that's a clear *Knock* *Out*! In case of using proxies ALL users have same IP (the proxy's IP) and many of them use the same browser (as there are only a few different browsers). Most AOL Users are online via AOL Proxy, so this bad "algorithm" identifies all millions of AOL Users as one User.

Forget it!

User Identification without cookies (or a unique session id in the URL, but this is suitable only for short time sessions) does not work.

Regards
Scory
Scory
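
The proxy problem raised in the post above, and the changing-IP problem listed earlier in the thread, shown side by side with a per-client random token. This is an added example, not code from any poster; the class names, addresses and User-Agent string are constructed for illustration.

```python
import secrets

class FingerprintSessions:
    """Scheme described in the thread: a login is remembered per (IP, User-Agent)."""
    def __init__(self):
        self._online = {}                      # (ip, user_agent) -> username

    def login(self, ip, user_agent, username):
        self._online[(ip, user_agent)] = username
        return None                            # nothing is handed to the client

    def whoami(self, ip, user_agent, token=None):
        return self._online.get((ip, user_agent))

class TokenSessions:
    """Per-client identity: a random token issued at login (cookie or URL)."""
    def __init__(self):
        self._online = {}                      # token -> username

    def login(self, ip, user_agent, username):
        token = secrets.token_urlsafe(32)      # unguessable, unique per login
        self._online[token] = username
        return token

    def whoami(self, ip, user_agent, token=None):
        return self._online.get(token) if token else None

# Constructed scenario values (documentation-range addresses).
PROXY_IP = "198.51.100.1"
UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.11"

def proxy_scenario(store):
    """Alice logs in through a proxy; a second person behind the same proxy
    with the same browser then visits without logging in."""
    token = store.login(PROXY_IP, UA, "alice")
    alice = store.whoami(PROXY_IP, UA, token)
    stranger = store.whoami(PROXY_IP, UA)      # presents no token
    return alice, stranger

def roaming_scenario(store):
    """Alice logs in, then her address changes (dial-up reconnect)."""
    token = store.login("203.0.113.5", UA, "alice")
    return store.whoami("203.0.113.77", UA, token)

if __name__ == "__main__":
    for store_cls in (FingerprintSessions, TokenSessions):
        print(store_cls.__name__, proxy_scenario(store_cls()),
              roaming_scenario(store_cls()))
```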
 

Postby mldz » 12. December 2007 11:29

hi scory,

you kind of have a point there :wink:
I will try and find a way to make it more safe.

By the way. When you use the old .htaccess file with a password file on the server to secure a directory, does it give the same problems? (with proxies).
cu,

Matthijs
mldz
 
Posts: 12
Joined: 11. December 2007 09:01

Postby Izzy » 13. December 2007 06:10

Take a look at the free user authentication scripts available at hotscripts.com in various flavors of scripting language to suit just about every need imaginable.

For example these PHP scripts.

For example these JavaScript offerings.

This Google search may also be useful.

Why try and re-invent the wheel? ;)
I am sure there will be at least one script that will suitably fit your needs.



Izzy
 
Posts: 3344
Joined: 25. April 2006 17:06

Postby KallistaAEnvarou » 14. December 2007 23:58

Scory wrote:
KallistaAEnvarou wrote:Database disadvantages
  1. If two or more machines have the same IP, someone from the same IP could automatically log in from one of those machines (at least, only if there's no way to separate two different machines on the same IP).


And that's a clear *Knock* *Out*! In case of using proxies ALL users have same IP (the proxy's IP) and many of them use the same browser (as there are only a few different browsers). Most AOL Users are online via AOL Proxy, so this bad "algorithm" identifies all millions of AOL Users as one User.

Forget it!

User Identification without cookies (or a unique session id in the URL, but this is suitable only for short time sessions) does not work.

Regards
Scory


That's why I haven't put it online yet. I'm trying to figure out a way around that, hopefully using session variables.

mldz wrote:Hi KallistaAEnvarou,

thanks for all the info!

I think I'll stay with mod_auth_mysql because it's more manageable for me that way. And when a user logs in, I'll keep track of its IP etc. So that if a username is used on different IPs I'll get an email warning. Computers with one IP...bad luck. It's just a course where my clients need to pay for, it's not highly classified material.
CU,

Matthijs


Well, people with dial-up (yeah, they still do) have a different IP every time they sign online. As well, some people have the same issue with their broadband, though I don't. Anyway, the main problem I see with using .htaccess is that it will load each time a page is clicked. If you have a million users, or even in the thousands, your site will get increasingly slower.
KallistaAEnvarou
 
Posts: 126
Joined: 02. December 2007 17:33
Location: Cold Cold California
