HTTP Authentication by User / pass / ip ranges
Version: 1.00, by miz
Developer Last Online: Sep 2005

Version: 3.0.0 Rating:
Released: 04-15-2004 Last Update: Never Installs: 12
 
No support by the author.

ok, this is the first hack i post around here so i hope i'm doing it ok
if not, mods please fix me :P
ok, this hack is meant for closed communities of vBulletin forums that want extra security against unwelcome guests

this hack adds HTTP Authentication which changes according to username / password

to make the security a bit higher i added an ip ranges part - meaning every user gets an ip range, and if his ip is not welcome then it does not let him in
(can help a bit against shared accounts).

ok so let's start

// run this db query
PHP Code:
ALTER TABLE user ADD ipmasks varchar(250) NOT NULL default '';
// open the file admincp/user.php

find :
PHP Code:
print_input_row($vbphrase['email'], 'user[email]', $user['email'], 0);
below it add :
PHP Code:
print_input_row('ip masks', 'user[ipmasks]', $user['ipmasks'], 0);
save the file and upload it back to your server

ok, now u got 2 options :
option1 - put it only in root dir
option2 - put it in root and on admincp/modcp dir

ok
if option 1 then
// open root/global.php

find :
PHP Code:
require_once('./includes/init.php'); 
Below it add :
PHP Code:
//HTACCESS Hack + IP restriction
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="Restricted area"');
    header("HTTP/1.0 401 Unauthorized");
    echo "Unauthorized login attempts are logged.\n";
    echo "bla";
    exit;
} else {
    //checking database
    // the username comes straight from the request header, so escape it before it goes into the query
    $userinf=$DB_site->query_first("SELECT user.password,user.userid,user.salt FROM user WHERE username='" . addslashes($_SERVER['PHP_AUTH_USER']) . "'");
    $isvalidip=0;
    if($userinf['userid']){
        // if user exists check if ip is valid $REMOTE_ADDR
        $validip=$DB_site->query_first("SELECT ipmasks FROM user WHERE userid='$userinf[userid]'");
        $validip=explode(" ",$validip['ipmasks']);
        foreach($validip as $testip){
            if ($testip=='') { continue; }
            // valid when the mask is a prefix of the ip or a suffix of its reverse-DNS host name
            if (strstr($REMOTE_ADDR,$testip)==$REMOTE_ADDR || stristr(gethostbyaddr($REMOTE_ADDR),$testip)==$testip){
                $isvalidip=1;
                break;
            }
        }
    }
    //checking if the user login is ok & that he connects from a valid ip
    $salt = $userinf['salt'];
    $pass = $userinf['password'];
    $userp = md5(md5($_SERVER['PHP_AUTH_PW']) . $salt);

    // strict comparison, so the two digests are compared as strings
    if ($pass !== $userp) {
        //we have a loser :)
        header('WWW-Authenticate: Basic realm="Restricted area"');
        header('HTTP/1.0 401 Unauthorized');
        echo "Unauthorized login attempts are logged.\n";
        exit;
    }elseif(!$isvalidip){
        header('HTTP/1.0 401 Unauthorized');
        echo "Your Ip is not allowed here...Unauthorized login attempts are logged.\n";
        exit;
    }
}
//HTACCESS Hack + IP restriction (end)
save the file and upload it back to your server

now if u want option 2 then :

open includes/init.php

find :
PHP Code:
    $DB_site->connect($servername, $dbusername, $dbpassword, $usepconnect);
Below it add :

PHP Code:
//HTACCESS Hack + IP restriction
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="Restricted area"');
    header("HTTP/1.0 401 Unauthorized");
    echo "Unauthorized login attempts are logged.\n";
    echo "bla";
    exit;
} else {
    //checking database
    // the username comes straight from the request header, so escape it before it goes into the query
    $userinf=$DB_site->query_first("SELECT user.password,user.userid,user.salt FROM user WHERE username='" . addslashes($_SERVER['PHP_AUTH_USER']) . "'");
    $isvalidip=0;
    if($userinf['userid']){
        // if user exists check if ip is valid $REMOTE_ADDR
        $validip=$DB_site->query_first("SELECT ipmasks FROM user WHERE userid='$userinf[userid]'");
        $validip=explode(" ",$validip['ipmasks']);
        foreach($validip as $testip){
            if ($testip=='') { continue; }
            // valid when the mask is a prefix of the ip or a suffix of its reverse-DNS host name
            if (strstr($REMOTE_ADDR,$testip)==$REMOTE_ADDR || stristr(gethostbyaddr($REMOTE_ADDR),$testip)==$testip){
                $isvalidip=1;
                break;
            }
        }
    }
    //checking if the user login is ok & that he connects from a valid ip
    $salt = $userinf['salt'];
    $pass = $userinf['password'];
    $userp = md5(md5($_SERVER['PHP_AUTH_PW']) . $salt);

    // strict comparison, so the two digests are compared as strings
    if ($pass !== $userp) {
        //we have a loser :)
        header('WWW-Authenticate: Basic realm="Restricted area"');
        header('HTTP/1.0 401 Unauthorized');
        echo "Unauthorized login attempts are logged.\n";
        exit;
    }elseif(!$isvalidip){
        header('HTTP/1.0 401 Unauthorized');
        echo "Your Ip is not allowed here...Unauthorized login attempts are logged.\n";
        exit;
    }
}
//HTACCESS Hack + IP restriction (end)
that's all

*WARNING - DON'T USE BOTH OPTIONS IN ANY WAY
it will cause the page to ask for the user/pass several times
and it will be very buggy.

note :
if a user has dynamic ips, for example :

143.229.64.58
143.229.78.99
145.88.45.68

just add it like that
143.229 145.88
with 1 space between each ip range
don't use * as wildcard.

that's all :P
if u got some questions or anything, then i'm here to support u guys.

Sorry for my very bad English.


  • This modification may not be copied, reproduced or published elsewhere without author's permission.
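
The mask test in the first post is a raw string comparison, so a mask matches wherever it happens to be a prefix of the address, and its second half accepts a match on the reverse-DNS name. The PHP below is an added example, not miz's code: it puts that prefix test beside one that matches on whole octets only; the function names and sample addresses are constructed for illustration.

```php
<?php
// Added example; function names and sample data are hypothetical/constructed.

// The test as posted: true when $mask is a raw string prefix of $ip.
function mask_matches_as_posted($ip, $mask)
{
    return $mask !== '' && strstr($ip, $mask) == $ip;
}

// Octet-aware test: the mask must be 1 to 4 whole IPv4 octets and each one
// must equal the octet in the same position of the client address.
function mask_matches_on_octets($ip, $mask)
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    if (!preg_match('/^\d{1,3}(\.\d{1,3}){0,3}$/', $mask)) {
        return false;
    }
    $ipOctets = explode('.', $ip);
    foreach (explode('.', $mask) as $i => $octet) {
        if ((int) $octet > 255 || (int) $octet !== (int) $ipOctets[$i]) {
            return false;
        }
    }
    return true;
}

// Same storage format as the ipmasks column: masks separated by one space.
// The reverse-DNS branch is left out on purpose: the PTR name is published
// by whoever controls the address block, not by the forum.
function ip_allowed($ip, $ipmasks, $matcher)
{
    foreach (explode(' ', $ipmasks) as $mask) {
        if ($mask !== '' && call_user_func($matcher, $ip, $mask)) {
            return true;
        }
    }
    return false;
}

$ipmasks = '143.229 145.8';   // constructed; second mask is one digit short of 145.88
foreach (array('143.229.64.58', '145.88.45.68', '145.8.45.68', '145.80.1.1') as $ip) {
    printf("%-15s as posted: %-3s  on octets: %s\n", $ip,
        ip_allowed($ip, $ipmasks, 'mask_matches_as_posted') ? 'yes' : 'no',
        ip_allowed($ip, $ipmasks, 'mask_matches_on_octets') ? 'yes' : 'no');
}
```

The two columns differ for the addresses where the short mask 145.8 is only a string prefix and not a whole second octet.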

Comments
  #12  
06-30-2004, 06:32 PM
Sir_Yaro
Join Date: Jun 2004
Location: Ireland
Posts: 98

Is it possible to apply this hack for some (specified by me) users?
(only mods & admin for example)
Reply With Quote
  #13  
07-05-2004, 03:52 PM
InnerSelf
Join Date: Jun 2002
Posts: 61

how can i make this hack possible but then without the ipcheck?

and if not, where can i put the valid ips in who can enter? do i have to put for every member the ip in? can't figure it really out.
Reply With Quote
  #14  
07-08-2004, 06:39 PM
InnerSelf
Join Date: Jun 2002
Posts: 61

can someone explain, if there is no other way to avoid the ip check, how to handle this ip check? how do i control this? you have to put all the ips in there of all members? i just can't understand this.
Reply With Quote
  #15  
07-08-2004, 08:57 PM
Davez
Join Date: Nov 2001
Location: Italy
Posts: 41

Quote:
Originally Posted by InnerSelf
how can i make this hack possible but then without the ipcheck?

Yeah, I am looking for a working version without ip check!
Can someone help us please ?
Many thanks
Reply With Quote
  #16  
07-14-2004, 03:55 PM
InnerSelf
Join Date: Jun 2002
Posts: 61

Quote:
Originally Posted by miz
yes
if u do remove it then it can work without the ips
i can write this for u if u wish..

yes please
Reply With Quote
  #17  
07-28-2004, 06:01 PM
TripLcixx
Join Date: Jul 2004
Posts: 4

Here's the version without IPmasks:

Open global.php and look for this line:
PHP Code:
require_once('./includes/init.php'); 
Below that line, add the following:
PHP Code:
function authenticate() {
    // the realm value has to be a quoted string
    header('WWW-Authenticate: Basic realm="Please login with your user/pass"');
    header("HTTP/1.0 401 Unauthorized");
    echo "Authentication failed...";
    exit;
}

if (!isset($_SERVER['PHP_AUTH_USER'])) {
    authenticate();
} else {
    // escape the username from the request header before it goes into the query
    if ($userauth=$DB_site->query_first("SELECT password,salt FROM user WHERE username='" . addslashes($_SERVER['PHP_AUTH_USER']) . "'")) {
        // strict comparison, so the two digests are compared as strings
        if (!(md5(md5($_SERVER['PHP_AUTH_PW']) . $userauth['salt']) === $userauth['password'])) {
            authenticate();
        }
    } else {
        authenticate();
    }
}


This will put a HTaccess popup box on all your regular forum pages. As for the admincp/modcp, it might be easier to just change the location of those to something else (can be edited in the /includes/config.php).

Make sure you don't have any extra .htaccess files with an additional htaccess/htpasswd, else it's gonna get messy
Reply With Quote
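
For the password check that both versions of this hack perform, the comparison operator matters: PHP's loose operators (`==`, `!=`) compare two strings numerically when both look like numbers, which a hex digest can. This added PHP example, not code from the thread, shows that case with constructed digest-shaped strings and a check built on hash_equals(); it assumes PHP 5.6 or later, and the function names and in-memory user row are hypothetical.

```php
<?php
// Added example; names and the in-memory user row are hypothetical/constructed.

// Digest format computed in the posts above: md5(md5(password) . salt).
function vb3_hash($password, $salt)
{
    return md5(md5($password) . $salt);
}

// Returns true only for a known user whose password hashes to the stored
// digest. $findUser stands in for the database lookup and returns a row
// (array with 'password' and 'salt') or null.
function basic_auth_ok(array $server, $findUser)
{
    if (!isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return false;
    }
    $row = call_user_func($findUser, $server['PHP_AUTH_USER']);
    // Unknown user: still hash, against a dummy digest, so both paths do
    // the same amount of work.
    $stored = $row ? $row['password'] : str_repeat('0', 32);
    $given  = vb3_hash($server['PHP_AUTH_PW'], $row ? $row['salt'] : '');
    // hash_equals() compares byte strings in constant time.
    return hash_equals($stored, $given) && $row !== null;
}

// Constructed user table: one account, salt 'abc', password 'secret'.
$users = array('alice' => array('salt' => 'abc', 'password' => vb3_hash('secret', 'abc')));
$findUser = function ($name) use ($users) {
    return isset($users[$name]) ? $users[$name] : null;
};

// Two different digest-shaped strings (constructed, not real hashes).
$a = '0e' . str_repeat('1', 30);
$b = '0e' . str_repeat('2', 30);
var_dump($a == $b);             // loose comparison treats both as numbers
var_dump(hash_equals($a, $b));  // byte-for-byte string comparison

var_dump(basic_auth_ok(array('PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'secret'), $findUser));
var_dump(basic_auth_ok(array('PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'wrong'), $findUser));
var_dump(basic_auth_ok(array('PHP_AUTH_USER' => 'nobody', 'PHP_AUTH_PW' => 'secret'), $findUser));
```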
  #18  
07-29-2004, 12:54 AM
Natch
Join Date: Nov 2002
Location: Australia
Posts: 851

Can you confirm that the above post is all you need to add for this to work ? none of the extra code from the first post of this thread ?
Reply With Quote
  #19  
07-31-2004, 10:09 AM
TripLcixx
Join Date: Jul 2004
Posts: 4

Yes I can confirm

The extra code in the first post was all needed for the IP field. (which is no default field in VBB and hence u have to alter the DB) Drop that requirement, and the whole snippet gets quite short.
Reply With Quote
  #20  
08-02-2004, 12:26 AM
Natch
Join Date: Nov 2002
Location: Australia
Posts: 851

Excellent - many thanks: I can see an excellent use for this.
Reply With Quote
  #21  
08-02-2004, 01:34 PM
bloodcult
Join Date: Apr 2003
Location: Hameln/Germany
Posts: 20

nice hack, is it possible that the user is logged in when they authenticate with this method?

what we have now is:
username:password when opening the site (http auth), then login to forum again

is it possible:
username:password when opening the site (http auth), then autologin into forum

u can use the autologin on forum, but it's not good if more than 1 user shares the same workstation.

so, is it possible with autologin with http auth?
Reply With Quote