I have a Raspberry Pi device running Apache. I have tried implementing the code for a small login page that has an in-house session management backed by a MySQL database.

Here is the index.php

<?php
include_once 'include/dbmember.php';
include_once 'include/dblogin_attempts.php';
include_once 'include/session.class.php';
include_once 'include/functions.php';


$session=new session();
$session->start_session("SMARTHOMESESSION",false); // TODO CHANGE WHEN SSL HITS

// No need to check login here
?>
<!DOCTYPE html>
<html>
<head>
    <title>Smart Home Login: Credentials first please</title>
    <!-- Need to import styles/main.css and find some css -->
    <!-- http://designscrazed.org/css-html-login-form-templates/ -->
    <link rel="stylesheet" href="styles/loginform.css" type="text/css" />
    <script type="text/javascript" src="js/sha512.js"></script>
    <script type="text/javascript" src="js/forms.js"></script>
</head>
<body>
<?php
if (isset($_GET['error']))
{
    echo '<p class="error">Error Logging In!</p>';
}

?>
<div class="login-block">
 <form action="include/process_login.php" method="post" name="login_form">
    Email: <input type="text" name="email" placeholder="Email" />
    Password: <input type="password" name="password" id="password" placeholder="Password" />
    <input type="button" value="Login" onclick="formhash(this.form,this.form.password);" />
 </form>
</div>

<?php  
if (check_login_status($mysql_member))
{
    $user=preg_replace("/[^0-9a-zA-Z_\-]+/", '', $_SESSION['username']);
    echo '<p>Currently logged in as '. htmlentities($user) . '</p>';
    echo '<p>Do you want to change user? <a href="include/logout.php">Log out</a>.</p>';
}
else
{
    echo "<p>Currently logged out.<br />Please login to Continue</p>";
}
?>
</body>
</html>

One big issue here is that when I try to provide credentials I get

You don't have permission to access /include/process_login.php on this server.

My include directory has an .htaccess file, and in it:

Order Deny,Allow
Deny from All

And I cannot access process_login.php (which has no HTML content; its job is just to check the login and redirect if good credentials are provided).

On this link (which is as close as I can get to a similar question), protect php includes (with htaccess?), it says:

So, in short: You can put an .htaccess with Deny from all in your PHP include directories. PHP's include directive does not go through Apache, so it won't care. Ideally, you don't even put your PHP include directories under your document root at all. You can not do this for JavaScript, as JavaScript access goes through Apache (just like .html, .png, etc. access).

I am doing that (setting an action to an include directory, BUT that failed!). How do I solve that?

My Apache configuration for the include directory:

<Directory /var/www.website.com/include>
AllowOverride All
</Directory>

Also i have a protected_page.php with HTML embedded.

Also, how come I can use that, since I read somewhere that PHP on Apache is passed directly to the PHP engine and we get only the echo outputs? But people seem to be using HTML inside PHP? (Is that even true? In that case, how does the AddHandler directive figure out what needs to be shown?)

Can someone explain to me where my logic is failing me on the subject of PHP file protection and engines on Apache, and how come I'm producing a forbidden page where one is not expected?

  • Your form action is `include/process_login.php`, and that means _the browser_ will send a request to that address when the form is submitted – but you have denied all HTTP access to anything inside that directory, so of course you get a 403 here. – CBroe Dec 03 '15 at 17:00
  • 1
    _“But people seem to be using HTML inside php ?”_ – and what about that surprises you – especially considering that you are doing exactly that yourself in your code you have shown already …? http://php.net/manual/en/language.basic-syntax.phpmode.php – CBroe Dec 03 '15 at 17:02
  • It surprises me because it was said that because of the AddHandler directive the client sees just the echo output, yet we have not outputted our HTML with the echo command and it is still visible to us. So how can I fix the 403 and yet make process_login not visible/accessible, AND is that possible? – daniels_pa Dec 03 '15 at 17:27
  • Thanks for the URL, I upvoted you, it helped a lot to understand. So basically we escape the PHP and the HTML part gets ignored by the PHP engine. Thanks! – daniels_pa Dec 03 '15 at 17:47
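The situation described in the comments above, as an added example that is not part of the question or the answer: only files that are loaded through PHP's include_once belong in the denied directory, because that read happens on disk and never passes through Apache, while the form target must stay reachable over HTTP. The paths are assumed, and the syntax is Apache 2.2 (the version on the asker's RPi) with the 2.4 equivalent in a comment.

```apache
# Assumed layout (example, not the asker's real paths):
#   /var/www/website.com/                      DocumentRoot
#   /var/www/website.com/index.php             the login page
#   /var/www/website.com/process_login.php     form action: must be HTTP-reachable
#   /var/www/website.com/include/dbmember.php  only ever pulled in via include_once
#   /var/www/website.com/include/session.class.php
#
# In index.php the form then points at the public handler:
#   <form action="process_login.php" method="post" name="login_form">
# and process_login.php does include_once 'include/dbmember.php'; as before.

DocumentRoot /var/www/website.com

# Every HTTP request for anything under include/ is answered with 403.
# PHP's include/require reads these files straight from the filesystem,
# so this block does not affect them at all.
<Directory /var/www/website.com/include>
    Order Deny,Allow
    Deny from all
    # Apache 2.4 equivalent of the two lines above:
    # Require all denied
</Directory>

# The handler the browser posts to lives outside include/, so it is served
# normally by the PHP handler and can redirect on success or failure.
<Directory /var/www/website.com>
    Order Allow,Deny
    Allow from all
    # Apache 2.4 equivalent:
    # Require all granted
</Directory>
```

A quick check after reloading Apache: a request for /include/dbmember.php should return 403, while a POST to /process_login.php should be processed and redirect.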

1 Answer


If you are using Apache v2.4, try changing this in all your Apache *.conf files:

Instead of

Order deny,allow
Deny from all

(Order allow,deny and Allow from all are deprecated since v2.4)

Put:

 Require all denied

If you are not using v2.4 or higher of Apache, then it is a problem with your file/folder permissions. Open a terminal and navigate to the folder just before your /include/process_login.php (cd /yourwebPath/).

Then, do a

sudo chmod 775 include -R 
sudo chown -R root:root include
  • drwxr-xr-x 3 root root 4096 Dec 2 23:01 include I don't think that's the issue because just the w flag on the group is missing on the include directory. And this is the current ls -la – daniels_pa Dec 03 '15 at 16:27
  • Doesn't work - On RPi Apache is 2.2 and chmod doesn't fix the problem. I ordered Deny,Allow and not vice versa – daniels_pa Dec 03 '15 at 17:31