Integrate VB security with Apache


Pilot
08-17-2001, 05:46 AM
It would sometimes be useful if the VB usernames/passwords could be stored in a form readable by the Apache .htaccess access control so that you could protect non-VB areas of your website so that only registered users could access them, using the same id/password.

So I guess this would mean issuing an htpasswd command when a user registered, or periodically doing this for users in the database. Some sites use http authentication for their large user communities - I don't quite know how they do it - can you get Apache to call external routines to authenticate users?

thewitt
08-17-2001, 11:30 AM
You have a few options that come to mind immediately.

1) Run a periodic script that extracts the usernames and passwords from the vB database and creates your password file for use by .htaccess. Simple, but not real time.

2) Modify (hack) vB to generate a new entry in your .htaccess password file whenever a new user is added to vB (password changed, etc). Will be seen by the user as real time - he gets a vB account on the system, he can use the other authenticated portions of the site.

3) Extend Apache with a new mod_auth_vB module that would read the vB database. It is open source, so you could modify one of the other authentication modules to simply read from vB's schema.

The problem with #3 is that the vB password is currently stored as plain text, so you are at risk on a shared server of opening up your entire website if you use the passwords stored there as your website passwords. Of course if you can modify Apache on your server you are not likely on a shared server anyway...

I guess this risk applies to #1 and #2 as well should anyone hack your vB password list :).

I'm not a proponent of plain text passwords anywhere as you might be able to tell.

It would not be difficult to do #1 or #2 (you'll probably want both to populate your password file initially anyway), and if passwords are ever stored secured by default in vB, #3 would be a great addition for folks with dedicated servers.

-t
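
Option #1 from the post above, as an added example (not code from the thread or from vBulletin): a PHP script that rebuilds the Apache password file from a list of forum accounts. The input rows, the target path and the function names are assumptions; entries are written as bcrypt hashes, which Apache 2.4 accepts, so the generated file itself holds no plain text.

```php
<?php
// Added example, not vBulletin code. $rows is constructed sample data; a real
// job would read the accounts from the forum database instead.

/** Return one htpasswd record, or null if the username cannot be stored safely. */
function htpasswd_line(string $user, string $plain): ?string
{
    // ':' separates the fields and a newline ends the record, so a username
    // containing either could corrupt or forge entries. htpasswd also caps
    // usernames at 255 bytes.
    if ($user === '' || strlen($user) > 255 || preg_match('/[:\x00-\x1f\x7f]/', $user)) {
        return null;
    }
    // bcrypt ($2y$) hash: the generated file holds no plain-text passwords.
    return $user . ':' . password_hash($plain, PASSWORD_BCRYPT);
}

/** Rebuild $target from [username, password] rows; returns the skipped usernames. */
function write_htpasswd(array $rows, string $target): array
{
    $lines = [];
    $skipped = [];
    foreach ($rows as [$user, $plain]) {
        $line = htpasswd_line($user, $plain);
        if ($line === null) {
            $skipped[] = $user;
            continue;
        }
        $lines[$user] = $line; // keyed by name, so a duplicate row replaces the earlier one
    }
    // Write next to the target, then rename: Apache never reads a half-written file.
    $tmp = tempnam(dirname($target), '.htpw');
    if ($tmp === false || file_put_contents($tmp, implode("\n", $lines) . "\n") === false) {
        throw new RuntimeException('could not write temporary password file');
    }
    chmod($tmp, 0640); // assumes the file's group is the one the web server runs as
    if (!rename($tmp, $target)) {
        throw new RuntimeException('could not replace ' . $target);
    }
    return $skipped;
}

// Constructed sample accounts; the second name is rejected because of the ':'.
$rows = [['alice', 'correct horse'], ['mallory:x', 'pw'], ['bob', 'hunter2']];
$skipped = write_htpasswd($rows, sys_get_temp_dir() . '/htpasswd.example');
echo 'skipped: ' . json_encode($skipped) . PHP_EOL;
```

Run from cron, this gives the "simple, but not real time" behaviour described in option #1; accounts skipped for unsafe usernames are returned so they can be logged.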

Pilot
08-17-2001, 03:11 PM
Well they are all beyond my ability at the present time, but maybe someone here might have a go as a hack at #1 or #2.