#2 (permalink) |
|
David Hennessy wrote:
> Hi! Is there any way to limit the number of retries when using HTTP
> authentication in PHP?
>

No.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
|
|
|
#3 (permalink) |
|
On Sun, 14 Oct 2007 06:08:39 -0700, David Hennessy wrote...
>
> Hi! Is there any way to limit the number of retries when using HTTP
> authentication in PHP?
>

I've seen lots of sites move to web forms instead of the usual pop-up gray login boxes that are normally used with HTTP authentication. If you tried using that method you can probably keep track of IP address information and set up restrictions after so many retries.

Tom

--
Newsguy.com - Unlimited Accounts
Now with 32 concurrent connections
|
|
|
#4 (permalink) |
|
Tom wrote:
> On Sun, 14 Oct 2007 06:08:39 -0700, David Hennessy wrote...
>> Hi! Is there any way to limit the number of retries when using HTTP
>> authentication in PHP?
>>
>
> I've seen lots of sites move to web forms instead of the usual pop-up gray login
> boxes that are normally used with HTTP authentication. If you tried using that
> method you can probably keep track of IP address information and set up
> restrictions after so many retries.

That makes sense. Do you think it would be safe to say that HTTP authentication is insecure, since it permits infinite retries?

--
Namaste,
David
|
|
|
#5 (permalink) |
|
David Hennessy wrote:
> Tom wrote:
>> On Sun, 14 Oct 2007 06:08:39 -0700, David Hennessy wrote...
>>> Hi! Is there any way to limit the number of retries when using HTTP
>>> authentication in PHP?
>>>
>>
>> I've seen lots of sites move to web forms instead of the usual pop-up
>> gray login
>> boxes that are normally used with HTTP authentication. If you tried
>> using that
>> method you can probably keep track of IP address information and set up
>> restrictions after so many retries.
>
>
> That makes sense. Do you think it would be safe to say that HTTP
> authentication is insecure, since it permits infinite retries?
>

Not really. If the userid and password are sufficiently long and random, the amount of time it will take to break them can be measured in centuries. And if someone tries a brute force attack, you will notice it if you're watching your logs.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
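Jerry's advice is to watch the logs. As an added example that is not part of the thread, here is a small PHP script that does that watching for you: it parses Apache combined-format access log lines, keeps only 401 responses, and flags any client IP that produced more than a threshold of them inside a sliding time window. The log lines, the threshold (5) and the window (60 s) are constructed for the example and are not values from the thread.

```php
<?php
// Added example (not from the original thread): detect Basic-auth brute forcing
// by counting 401 responses per client IP inside a sliding window.
// The log lines, threshold and window below are constructed assumptions.

const FAIL_THRESHOLD = 5;   // 401s from one IP within the window => alert
const WINDOW_SECONDS = 60;

// Combined log format: ip ident user [time] "request" status size "ref" "ua"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) /';

// Constructed sample log: one client hammering /private/, two normal clients.
$sampleLog = <<<'LOG'
203.0.113.7 - - [14/Oct/2007:06:08:39 -0700] "GET /private/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - alice [14/Oct/2007:06:08:41 -0700] "GET /private/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - alice [14/Oct/2007:06:08:42 -0700] "GET /private/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - alice [14/Oct/2007:06:08:43 -0700] "GET /private/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - alice [14/Oct/2007:06:08:44 -0700] "GET /private/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - alice [14/Oct/2007:06:08:45 -0700] "GET /private/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.2 - - [14/Oct/2007:06:10:00 -0700] "GET /private/ HTTP/1.1" 401 381 "-" "curl/7.16"
198.51.100.2 - bob [14/Oct/2007:06:10:05 -0700] "GET /private/ HTTP/1.1" 200 1523 "-" "curl/7.16"
192.0.2.9 - - [14/Oct/2007:07:00:00 -0700] "GET /private/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.9 - carol [14/Oct/2007:07:30:00 -0700] "GET /private/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
LOG;

// Return [ip => [unix timestamps of 401 responses]] parsed from the log text.
function collectFailures(string $log): array
{
    $failures = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match(LOG_RE, $line, $m)) {
            continue;                           // not a combined-format line
        }
        if ($m[3] !== '401') {
            continue;                           // only failed/unauthenticated requests
        }
        $dt = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
        if ($dt !== false) {
            $failures[$m[1]][] = $dt->getTimestamp();
        }
    }
    return $failures;
}

// Largest number of 401s that fit in any single window of $window seconds.
function peakFailuresInWindow(array $timestamps, int $window): int
{
    sort($timestamps);
    $peak  = 0;
    $start = 0;
    foreach ($timestamps as $i => $t) {
        while ($t - $timestamps[$start] >= $window) {
            $start++;                           // slide the window forward
        }
        $peak = max($peak, $i - $start + 1);
    }
    return $peak;
}

// Return [ip => peak count] for every IP that crossed the threshold.
function findBruteForce(string $log, int $threshold = FAIL_THRESHOLD, int $window = WINDOW_SECONDS): array
{
    $hits = [];
    foreach (collectFailures($log) as $ip => $times) {
        $peak = peakFailuresInWindow($times, $window);
        if ($peak >= $threshold) {
            $hits[$ip] = $peak;
        }
    }
    return $hits;
}

foreach (findBruteForce($sampleLog) as $ip => $count) {
    printf("ALERT %s: %d failed auth attempts within %ds\n", $ip, $count, WINDOW_SECONDS);
}
```

On the sample above this reports only 203.0.113.7 (six 401s in six seconds). Two caveats: the browser's very first request to a protected page also produces a 401 before the user has typed anything, so a threshold of 1 is pure noise; and an attacker spreading attempts over many source addresses will stay under any per-IP threshold, which is why per-account counters belong next to per-IP ones.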
|
|
|
#6 (permalink) |
|
David Hennessy wrote:
> Hi! Is there any way to limit the number of retries when using HTTP
> authentication in PHP?
>

Despite what everyone else says, this is possible with PHP (though not with Apache's built-in HTTP authentication, AFAIK).

Read this:

http://us2.php.net/manual/en/features.http-auth.php

The idea is that when the user first tries to access the document, you send an HTTP 401 header. At this point, you can also keep track of this as an "attempt" in whatever fashion you like (local database of IP addresses, for example). Now, each time the user types a new password you'll check it, and if it's wrong you'll send another 401 header. Keep track of how many times this happens, and if the number of attempts exceeds your limit, send a 403 (forbidden) instead of a 401.

Jeremy
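The 401 / 403 flow Jeremy describes, written out as an added example that is not code from the thread or from the PHP manual page he links. It uses the PHP_AUTH_USER / PHP_AUTH_PW variables from that manual page to implement Basic authentication, counts failures per client IP, and switches from a 401 (browser prompts again) to a 403 (browser stops prompting) once the limit is reached. The user table, the JSON file used as the attempt store, and the limits are assumptions chosen for the example; it also assumes PHP runs as an Apache module, since that is when PHP_AUTH_* is populated.

```php
<?php
// Added example (not from the original thread): HTTP Basic authentication in
// PHP with a per-client retry limit, following the 401 / 403 flow described
// above. The user table, attempt store path and limits are assumptions.
//
// Assumes PHP >= 7.0 running as an Apache module, so that
// $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] are populated.

const REALM           = 'Restricted area';
const MAX_ATTEMPTS    = 5;      // failed logins allowed before lock-out
const LOCKOUT_SECONDS = 900;    // lock-out duration, also the counting window
const ATTEMPT_STORE   = '/tmp/http_auth_attempts.json'; // hypothetical path

// Hypothetical user table. A real deployment stores the hashes; they are
// computed inline here only so the example runs without setup.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];
// Verified against when the user name is unknown, so unknown and known
// names take about the same time to reject.
$dummyHash = password_hash('dummy', PASSWORD_DEFAULT);

function loadAttempts(string $path): array
{
    if (!is_file($path)) {
        return [];
    }
    $data = json_decode((string) file_get_contents($path), true);
    return is_array($data) ? $data : [];
}

function saveAttempts(string $path, array $attempts): void
{
    file_put_contents($path, json_encode($attempts), LOCK_EX);
}

// Drop entries older than the window so an old burst never locks a client forever.
function pruneAttempts(array $attempts, int $now): array
{
    return array_filter($attempts, function (array $entry) use ($now) {
        return ($now - $entry['last']) < LOCKOUT_SECONDS;
    });
}

function isLockedOut(array $attempts, string $ip, int $now): bool
{
    if (!isset($attempts[$ip])) {
        return false;
    }
    return $attempts[$ip]['count'] >= MAX_ATTEMPTS
        && ($now - $attempts[$ip]['last']) < LOCKOUT_SECONDS;
}

function recordFailure(array $attempts, string $ip, int $now): array
{
    $count = isset($attempts[$ip]) ? $attempts[$ip]['count'] + 1 : 1;
    $attempts[$ip] = ['count' => $count, 'last' => $now];
    return $attempts;
}

// 401 with a WWW-Authenticate header: the browser (re)prompts for credentials.
function sendChallenge(): void
{
    http_response_code(401);
    header('WWW-Authenticate: Basic realm="' . REALM . '"');
    echo "Authentication required\n";
    exit;
}

// 403 without WWW-Authenticate: the browser stops prompting.
function sendForbidden(): void
{
    http_response_code(403);
    echo "Too many failed attempts; try again later\n";
    exit;
}

$ip       = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
$now      = time();
$attempts = pruneAttempts(loadAttempts(ATTEMPT_STORE), $now);

if (isLockedOut($attempts, $ip, $now)) {
    sendForbidden();
}

// No credentials yet: the browser's first request, not a failed try.
if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    sendChallenge();
}

$user = $_SERVER['PHP_AUTH_USER'];
$pass = $_SERVER['PHP_AUTH_PW'];
$hash = $users[$user] ?? $dummyHash;
$ok   = password_verify($pass, $hash) && isset($users[$user]);

if ($ok) {
    unset($attempts[$ip]);                  // success resets the counter
    saveAttempts(ATTEMPT_STORE, $attempts);
    echo 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . "\n";
    exit;
}

$attempts = recordFailure($attempts, $ip, $now);
saveAttempts(ATTEMPT_STORE, $attempts);

// Under the limit: another 401 and the browser prompts again.
// At the limit: a 403 ends the dialogue until the lock-out expires.
if (isLockedOut($attempts, $ip, $now)) {
    sendForbidden();
}
sendChallenge();
```

Two caveats a practitioner will want. First, keying the counter on REMOTE_ADDR means everyone behind one NAT or proxy shares a budget, so a few wrong guesses by one office can lock out the whole office, and an attacker with many addresses is barely slowed; pairing this with a per-account counter is the usual answer. Second, under CGI or FastCGI PHP does not populate PHP_AUTH_USER / PHP_AUTH_PW by default; the common workaround is to pass the raw Authorization header through (for example with a RewriteRule that sets an environment variable) and base64-decode it yourself.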
|
|
|
#7 (permalink) |
|
Jeremy wrote:
> David Hennessy wrote:
>> Hi! Is there any way to limit the number of retries when using HTTP
>> authentication in PHP?
>>
>
> Despite what everyone else says, this is possible with PHP (though not
> with Apache's built-in HTTP authentication, AFAIK).
>
> Read this:
>
> http://us2.php.net/manual/en/features.http-auth.php
>
> The idea is that when the user first tries to access the document, you
> send an HTTP 401 header. At this point, you can also keep track of this
> as an "attempt" in whatever fashion you like (local database of IP
> addresses, for example). Now, each time the user types a new password
> you'll check it, and if it's wrong you'll send another 401 header. Keep
> track of how many times this happens, and if the number of attempts
> exceeds your limit, send a 403 (forbidden) instead of a 401.

Hi Jeremy,

Do you have a reference or an example to demonstrate this? I've extensively consulted the URL you referenced, and don't see anything to suggest the functionality you're describing. From my own tests, it appears that the authentication challenge pop-up does not return to the PHP script until the user either enters a correct password or hits "cancel" -- so there's no place to interrupt until the authentication bit is done. Am I misunderstanding?

--
Namaste,
David
|
|
|
#8 (permalink) |
|
"David Hennessy" <david@maidix.com> wrote in message news:k8qdnVeMRfB-oIvanZ2dnUVZ_sbinZ2d@comcast.com...
> Jeremy wrote:
>> David Hennessy wrote:
>>> Hi! Is there any way to limit the number of retries when using HTTP
>>> authentication in PHP?
>>>
>>
>> Despite what everyone else says, this is possible with PHP (though not
>> with Apache's built-in HTTP authentication, AFAIK).
>>
>> Read this:
>>
>> http://us2.php.net/manual/en/features.http-auth.php
>>
>> The idea is that when the user first tries to access the document, you
>> send an HTTP 401 header. At this point, you can also keep track of this
>> as an "attempt" in whatever fashion you like (local database of IP
>> addresses, for example). Now, each time the user types a new password
>> you'll check it, and if it's wrong you'll send another 401 header. Keep
>> track of how many times this happens, and if the number of attempts
>> exceeds your limit, send a 403 (forbidden) instead of a 401.
>
>
> Hi Jeremy,
>
> Do you have a reference or an example to demonstrate this? I've
> extensively consulted the URL you referenced, and don't see anything to
> suggest the functionality you're describing. From my own tests, it appears
> that the authentication challenge pop-up does not return to the PHP script
> until the user either enters a correct password or hits "cancel" -- so
> there's no place to interrupt until the authentication bit is done. Am I
> misunderstanding?

That's just not true. PHP is right in the middle of it all. Yes, you are misunderstanding. Have fun with this:

```php
<?php
// NTLM handshake over HTTP, as posted, reflowed and annotated.
// apache_request_headers() is only available when PHP runs under Apache.
$headers = apache_request_headers();

// Step 1: no Authorization header yet, so ask the browser to start NTLM.
if (!isset($headers['Authorization'])) {
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: NTLM');
    exit;
}

$auth = $headers['Authorization'];

if (substr($auth, 0, 5) == 'NTLM ') {
    $msg = base64_decode(substr($auth, 5));
    if (substr($msg, 0, 8) != "NTLMSSP\x00") {
        die('error header not recognized');
    }

    // Step 2: Type 1 (negotiate) message received; answer with a Type 2
    // (challenge) message. The 8-byte server challenge is all zeros here.
    if ($msg[8] == "\x01") {
        $challenge = "NTLMSSP\x00\x02"
            . "\x00\x00\x00\x00"                  // target name len/alloc
            . "\x00\x00\x00\x00"                  // target name offset
            . "\x01\x02\x81\x01"                  // flags
            . "\x00\x00\x00\x00\x00\x00\x00\x00"  // challenge
            . "\x00\x00\x00\x00\x00\x00\x00\x00"  // context
            . "\x00\x00\x00\x00\x30\x00\x00\x00"; // target info len/alloc/offset
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: NTLM ' . trim(base64_encode($challenge)));
        exit;
    }

    // Step 3: Type 3 (authenticate) message received. Only the security
    // buffers are decoded; the NTLM response itself is not checked, so this
    // reports who the client claims to be rather than verifying a password.
    if ($msg[8] == "\x03") {
        // Security buffer: 2-byte little-endian length at $start, 2-byte offset at $start + 4.
        function get_msg_str($msg, $start, $unicode = true) {
            $len = (ord($msg[$start + 1]) * 256) + ord($msg[$start]);
            $off = (ord($msg[$start + 5]) * 256) + ord($msg[$start + 4]);
            $msg = substr($msg, $off, $len);
            return $unicode ? str_replace("\0", '', $msg) : $msg;
        }
        $user        = get_msg_str($msg, 36);
        $domain      = get_msg_str($msg, 28);
        $workstation = get_msg_str($msg, 44);

        // Escape the raw message before dumping it into HTML.
        echo '<pre>' . htmlspecialchars(print_r($msg, true), ENT_QUOTES, 'UTF-8') . '</pre>';
        print "You are $user from $domain/$workstation";
    }
}
?>
```
|
|
|