View Full Version : HTaccess integration hack... a beginning ?


odell
05-03-2001, 03:01 PM
It would be great if there were some hack to integrate vbulletin's user database with htaccess...

that would do the following things:
1. Vbulletin would seamlessly control htaccess as well as vbulletin user databases (for example.. u change password in vbulletin it also changes htaccess pass, or when u reg new user in vbulletin it would also create necessary htaccess user, etc..)
2. When users login with htaccess vbb automatically logs them in using the information that the user inputted for htaccess login

I just came across this script written for phpNuke that checks to see if a user logs in with htaccess and if they login with htaccess it will automatically log them in to phpNuke. I thought that much of this could be reused to work with vbulletin. It's only a portion of what would be required for a full htaccess integration hack but it's a start anyway.

I am just starting to learn php and don't have the necessary time or knowledge to create this hack but I'm sure a lot of ppl would benefit from it, and would all be very appreciative if someone would create one. :)

Here is the source:


<?PHP

/************************************************************************/
/* Automatic recognition and connection of a user who connects to a     */
/* PHPNuke site with a htaccess file.                                   */
/* ==================================================================== */
/*                                                                      */
/* Copyright (c) 2001 by Thomas Rudant (thomas.rudant@grunk.net)        */
/* http://www.grunk.net                                                 */
/* http://www.securite-internet.org                                     */
/*                                                                      */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License.       */
/************************************************************************/


if(!isset($mainfile)) { include("mainfile.php"); }

// Build the PHPNuke "user" cookie from the account fields and set it.
function docookie($setuid, $setuname, $setpass, $setstorynum, $setumode, $setuorder, $setthold, $setnoscore, $setublockon, $settheme, $setcommentmax) {
    $info = base64_encode("$setuid:$setuname:$setpass:$setstorynum:$setumode:$setuorder:$setthold:$setnoscore:$setublockon:$settheme:$setcommentmax");
    setcookie("user","$info",time()+15552000);

    global $user;
    $user=$info;

}

// Look up $uname, compare the crypt()ed password and, on a match, set the cookie.
function login($uname, $pass) {
    global $setinfo,$system;
    dbconnect();
    // $uname comes straight from the HTTP Basic auth header: escape it before it goes into the query
    $safe_uname = mysql_real_escape_string($uname);
    $result = mysql_query("select pass, uid, storynum, umode, uorder, thold, noscore, ublockon, theme, commentmax from users where uname='$safe_uname'");
    if(mysql_num_rows($result)==1) {
        $setinfo = mysql_fetch_array($result);
        $dbpass=$setinfo['pass'];

        if(!$system)
            $pass=crypt($pass,substr($dbpass,0,2));

        if (strcmp($dbpass,$pass)) {
            Header("Location: user.php?stop=1");
            return;
        }

        docookie($setinfo['uid'], $uname, $pass, $setinfo['storynum'], $setinfo['umode'], $setinfo['uorder'], $setinfo['thold'], $setinfo['noscore'], $setinfo['ublockon'], $setinfo['theme'], $setinfo['commentmax']);
    }
}

if ($user)
{
    global $cookie;

    cookiedecode($user);
    $username = $cookie[1];

    // The cookie belongs to a different user than the htaccess login: drop it and log in again
    if ($PHP_AUTH_USER!=$username)
    {
        setcookie("user");
        login ($PHP_AUTH_USER,$PHP_AUTH_PW);
    }
}
else
{
    login ($PHP_AUTH_USER,$PHP_AUTH_PW);
}

?>

Mitrofan
05-05-2001, 07:51 PM
If you need to protect a directory with a password and only allow registered users to access it, and to compare their ID/password with the info from the Vbulletin database, this can be done with mod_auth_mysql for apache.

It just uses a mySQL database for authentication; you can set it to use the forum database and user table.

I have this module installed on one of my servers and it also works together with mod_cookies, so if you have your ID/Pass saved in cookies, it does not even prompt you for a password.

adrianmak
05-07-2001, 12:16 AM
where can I download the mod_auth_mysql ?

Mitrofan
05-07-2001, 12:24 AM
Go to http://modules.apache.org and search for it

There are a couple of different mod_auth_mysql modules; make sure you use the one that works with your version of Apache.

Raptor
06-27-2001, 11:10 PM
could someone actually write this hack for us ?

max
06-28-2001, 12:16 AM
What I'd like to have is a separate control page within VB control panel, that would let you administer your HTACCESS accounts. Without having to telnet or edit those ridiculous .htaccess/.htpassword/.htgroup files.
(Not sure if this is possible though..)

Ruth
07-04-2001, 05:47 PM
anyone has this hack?

thanks

Ruth
07-06-2001, 01:15 AM
my host doesn't support mod_auth_mysql, is there any way around the hack?

please i need it badly :(

adrianmak
07-06-2001, 07:24 AM
I have downloaded and compiled it with DSO
how to enable it in apache conf httpd.conf ?

Polo
07-07-2001, 09:19 AM
http://www.widexl.com/

go here and they have a cgi script called members admin. It will let you add, edit and remove members through cgi. So this modifies the ht access and other required files as it goes along. it's very very good.

no, i don't work for them.

Polo

Ruth
07-07-2001, 06:58 PM
Polo

we are trying to manage the htaccess thru vB CP, so when everyone registers the login and pass are added automatically to the .htaccess (.htpasswd)

using that script has nothing to do with that, although they have the new SQL version but it is very expensive, and making a hack code for vB is much better with better features :)

besides widexl.com support really sucks.

roy7
07-09-2001, 06:14 PM
I haven't messed with .htpasswd files in ages, but it should be pretty simple to add new people to the file on the fly. But if a user changes their password that might be a pain. Unless you dump out the whole userbase fresh on every change?

There is also something like mod_auth_dbm, for dbm files instead of text files. That could make it trivial to both add and update the .htpasswd dbm file on every new user and changed password.

Would something ugly like writing out a .htpasswd from scratch every time work all right? Can you see if you have mod_auth_dbm support? (I think it comes with apache and might be turned on by default.)

-Jonathan
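
roy7's idea of rewriting the password file on every change, as an added example (not code from any poster in this thread). It adds or replaces one user's entry and swaps the file in atomically; the function name and the demo path are hypothetical.

```php
<?php
// Added example, not code from this thread. Meant to be called from the
// registration and password-change paths, where the plaintext password is
// available. bcrypt ("$2y$") entries assume Apache 2.4 or later.

function set_htpasswd_user(string $path, string $user, string $pass): void
{
    // ':' separates the fields and a newline ends a record, so a username
    // containing either could forge or corrupt another entry.
    if ($user === '' || strlen($user) > 255 || preg_match('/[:\x00-\x1f\x7f]/', $user)) {
        throw new InvalidArgumentException('username not allowed in .htpasswd');
    }
    $lock = fopen($path . '.lock', 'c');          // serialise concurrent writers
    if ($lock === false || !flock($lock, LOCK_EX)) {
        throw new RuntimeException("cannot lock $path");
    }
    try {
        $entries = [];
        $old = is_file($path) ? file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : [];
        foreach ($old as $line) {
            [$name, $hash] = explode(':', $line, 2) + [1 => ''];
            $entries[$name] = $hash;
        }
        $entries[$user] = password_hash($pass, PASSWORD_BCRYPT);   // add or replace
        $body = '';
        foreach ($entries as $name => $hash) {
            $body .= "$name:$hash\n";
        }
        // Temp file in the same directory, then rename(): Apache reads either
        // the old file or the complete new one, never a partial write.
        $tmp = tempnam(dirname($path), '.htp');
        $ok = $tmp !== false && file_put_contents($tmp, $body) === strlen($body)
            && chmod($tmp, 0640) && rename($tmp, $path);
        if (!$ok) {
            if ($tmp !== false) { @unlink($tmp); }
            throw new RuntimeException("cannot replace $path");
        }
    } finally {
        fclose($lock);                            // closing the handle releases the lock
    }
}

if (PHP_SAPI === 'cli') {                         // constructed demo run
    $file = sys_get_temp_dir() . '/demo.htpasswd';
    set_htpasswd_user($file, 'alice', 'first-password');
    set_htpasswd_user($file, 'alice', 'changed-password');   // replaces the line
    set_htpasswd_user($file, 'bob', 'another-password');
    echo file_get_contents($file);
}
```

Keep the password file outside the document root and point AuthUserFile at it.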

The Prohacker
07-09-2001, 08:48 PM
Using .htpasswd could be very inefficient, so the best plan for it would be to use $PHP_AUTH_USER and $PHP_AUTH_PASS to get the username and password, then drop these variables into a routine to see if they are a registered member, then if they are, and the password is correct, set a cookie to their system so they would be logged in.......

This check would have to be added to every page or would have to alter the getpermissions function in some way to check this....

HairyMonster
07-13-2001, 11:25 PM
We actually use this on our site to give members only access to hosted sites on our server.

From what I can gather it is pretty easy to install on the server and involves a mod to the httpd.conf file.

It gets passes directly from the SQL database and users can be removed from access by removing their accounts using the admin control panel.

We have been using it for a few weeks now and had no problems with it at all, users can even change pass as it does not write to a htaccess file it just accesses the database.

I will get my server admin Gaf to write a doc on it and post it up in the next few days.

I also know he has made it so we can give certain user groups access to certain sections of the site. Not a clue how but it works.

HM

Martz
08-04-2001, 11:51 PM
Try this link (http://javascript.internet.com/navigation/htaccess-login.html) for another approach to this - most of the work looks like it's already done.

fragbait
09-10-2001, 02:07 AM
bump

fragbait
09-10-2001, 02:44 AM
has anybody figured this hack out yet?

roy7
09-10-2001, 12:03 PM
I'm curious, what do you actually need it for? :)

-Jonathan

fragbait
09-10-2001, 10:11 PM
well i have a games and anime site, and have tons of media to download. But i only want members to be able to download, so i was wondering if i could use the members already registered in my vbb....

Cybergaf
09-11-2001, 09:46 AM
To HTACCESS protect pages for members only...

Install mod_auth_mysql on apache.

then for example in httpd.conf

<Directory /home/testdir>
    AuthType Basic
    AuthUserFile /dev/null
    AuthName "Forum Member Access Only"
    AuthGroupFile /dev/null
    AuthMySQLHost localhost
    AuthMySQLCryptedPasswords Off
    AuthMySQLUser <user>
    AuthMySQLPassword <pw>
    AuthMySQLDB <forums dbase name>
    AuthMySQLUserTable user
    AuthMySQLNameField username
    AuthMySQLPasswordField password
    # <Limit GET POST> applies the require line to GET, POST and HEAD only;
    # requests using any other method are not covered by it.
    <Limit GET POST>
        require valid-user
    </Limit>
</Directory>

just change user/pw to user/pw you use to access dbase and dbase name to whatever ya dbase is called and bobs ya uncle.

Or....

<Directory /home/testdir>
    AuthType Basic
    AuthUserFile /dev/null
    AuthName "Member Access Only"
    AuthGroupFile /dev/null
    AuthMySQLHost localhost
    AuthMySQLCryptedPasswords Off
    AuthMySQLUser <user>
    AuthMySQLPassword <pw>
    AuthMySQLDB <forums dbase name>
    AuthMySQLUserTable user
    AuthMySQLNameField username
    AuthMySQLPasswordField password
    AuthMySQLGroupField usergroupid
    # As above, <Limit GET POST> covers GET, POST and HEAD only.
    <Limit GET POST>
        require group 6 7
    </Limit>
</Directory>

The above example restricts to forum members who are 'admins & mods'. A list of our group ids is..

# GROUP ID's
# 1 Unregistered / Not Logged In
# 2 Registered
# 3 Users Awaiting Email Confirmation
# 4 (COPPA) Users Awaiting Moderation
# 5 JNR Admin
# 6 Administrator
# 7 Moderators
# 8 Banned
# 9 Moderated
# 10 Gold Member
# 11 Platinum Member

You can see we have a few of ours added at the end, lol :)

Good luck :)

merk
09-11-2001, 10:51 AM
A simple method:


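/* get user auth information into an array ie $userpass['username'] = pass */
$userpass = array(); // fill this from the user table

if (isset($PHP_AUTH_USER, $userpass[$PHP_AUTH_USER])
    && $userpass[$PHP_AUTH_USER] === $PHP_AUTH_PW)
{
    // credentials match: carry on with the protected page
}
else
{
    //send headers to cause browser to request user and pass from user
    header("HTTP/1.0 401 Unauthorized");
    header("WWW-Authenticate: Basic realm=\"realm name\"");

    print("notice that the user isnt authorised");
    exit; // stop here so nothing after this check is sent to an unauthorised user
}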
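
The PHP-side check that The Prohacker and merk describe, written out as an added example (not code from any poster or from vBulletin). The user table columns and group ids follow Cybergaf's config above; storing password_hash() output in the password column, the function names and the sample accounts are assumptions.

```php
<?php
// Added example, not code from this thread or from vBulletin.
// Table/column names follow the mod_auth_mysql config posted above;
// password_hash() storage and the sample accounts are assumptions.

function check_member(PDO $db, ?string $user, ?string $pass, array $groups): bool
{
    if ($user === null || $pass === null || $user === '') {
        return false;                    // browser has not sent credentials yet
    }
    // Bound parameter: the Basic-auth username never becomes SQL text.
    $st = $db->prepare('SELECT password, usergroupid FROM user WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($pass, $row['password'])) {
        return false;                    // unknown user or wrong password
    }
    // Valid password is not enough: the account's group must be allowed too.
    return in_array((int)$row['usergroupid'], $groups, true);
}

function require_member(PDO $db, array $groups): void
{
    $user = $_SERVER['PHP_AUTH_USER'] ?? null;
    $pass = $_SERVER['PHP_AUTH_PW'] ?? null;
    if (!check_member($db, $user, $pass, $groups)) {
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: Basic realm="Forum Member Access Only"');
        exit('Members only.');           // stop before any protected output
    }
}

// Constructed sample data in an in-memory SQLite database (runs offline).
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT, usergroupid INTEGER)');
    $add = $db->prepare('INSERT INTO user VALUES (?, ?, ?)');
    $add->execute(["o'brien", password_hash('s3cret', PASSWORD_DEFAULT), 2]);   // Registered
    $add->execute(['mallory', password_hash('hunter2', PASSWORD_DEFAULT), 8]);  // Banned
    $members = [2, 6, 7];                // groups allowed into the protected area
    var_dump(check_member($db, "o'brien", 's3cret', $members));   // right password
    var_dump(check_member($db, "o'brien", 'wrong', $members));    // wrong password
    var_dump(check_member($db, 'mallory', 'hunter2', $members));  // right password, banned group
    var_dump(check_member($db, 'nobody', 'x', $members));         // no such account
}
```

Call require_member() at the top of each protected script. Basic auth sends the password with every request, so serve these pages over HTTPS.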

fragbait
09-11-2001, 10:14 PM
heh i don't have access to editing apache modules for my server, but merk, i was actually looking for a php method, do i just put that into a script, and it works, don't i have to have any modules?

merk
09-12-2001, 01:22 AM
I see no need for this hack, but no, that's a simple bit

you would need to add more code.

I'm really not going to bother because this hack is basically pointless

fragbait
09-12-2001, 01:38 AM
oh ok thanks anyway, anybody think they can finish this?

Steve Machol
09-12-2001, 01:39 AM
fragbait,

Could you please enter your vB license info into your user profile? See my sig for details. Thanks.

fragbait
09-12-2001, 04:30 AM
sorry, i'm makin this script for the vbb board of someone else, i'll try to ask him for his license, wait that wouldn't be right, i'll try to get him to come post it i guess, k lemme mail him now....