Speaking of security, it does not seem to make any difference whether I set my folder permissions to 777 or 755; I am still able to use CKFinder to add, edit and delete files on the remote server?
Also, how do you test to see if the server is secure or not, please?
I can post snippets of code from my "log on" and "restrict access" behaviours if this will help.
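As an added illustration of the 777 versus 755 question above (example code written for this page, not from the thread): CKFinder's connector writes files as the account PHP runs under, and if that account owns the upload directory, 755 already lets it write; 777 only adds write access for every other account on the host. The script below reports that per directory; the `userfiles` path is an assumption.

```php
<?php
// Added example, not from the thread. Reports, for an upload tree, each
// directory's mode bits, whether this process owns it, whether anyone on the
// host may write to it (the 0002 bit that 777 sets) and whether this process
// can write to it, which is all CKFinder's connector needs. Path assumed.
$root = isset($argv[1]) ? $argv[1] : __DIR__ . '/userfiles';

// Describe one directory from the point of view of this process, i.e. the
// same account the CKFinder connector runs under.
function describeDir($dir)
{
    $mode = fileperms($dir) & 0777;
    $self = function_exists('posix_geteuid') ? posix_geteuid() : null;
    return array(
        'path'             => $dir,
        'mode'             => sprintf('%04o', $mode),
        'owned_by_me'      => ($self !== null && fileowner($dir) === $self),
        'world_writable'   => (bool) ($mode & 0002),   // what 777 adds
        'server_can_write' => is_writable($dir),        // what CKFinder needs
    );
}

// Walk the tree. Under 755 the owner still writes, so server_can_write stays
// true whenever this account owns the directory; world_writable is the flag
// that should be false everywhere.
function auditTree($root)
{
    $findings = array(describeDir($root));
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $entry) {
        if ($entry->isDir()) {
            $findings[] = describeDir($entry->getPathname());
        }
    }
    return $findings;
}

if (!is_dir($root)) {
    fwrite(STDERR, "not a directory: $root\n");
    exit(1);
}
foreach (auditTree($root) as $f) {
    printf("%-40s %s owner=%-5s world-writable=%-3s server-can-write=%s\n",
        $f['path'], $f['mode'], $f['owned_by_me'] ? 'me' : 'other',
        $f['world_writable'] ? 'YES' : 'no', $f['server_can_write'] ? 'yes' : 'no');
}
```

Run it as the same account the web server uses (`php audit.php /path/to/userfiles`); a `server-can-write=yes` next to `world-writable=no` is the 755 case, which is why the permission change does not affect CKFinder.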
Make sure you've uncommented the session_start(); line in your CKFinder config file. Otherwise it does not start the session and does not see the session variables.
function CheckAuthentication()
{
    //WARNING : DO NOT simply return "true". By doing so, you are allowing
    //"anyone" to upload and list the files in your server. You must implement
    //some kind of session validation here. Even something very simple as...
    // return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized'];
    //... where $_SESSION['IsAuthorized'] is set to "true" as soon as the
    //user logs in your system.
    return !empty($_SESSION['MM_Username']);
}
Hi Wiktor. Thank you for the straightforward and detailed explanation of how to authenticate CKFinder with Dreamweaver's default PHP user session.
Does anyone have a similarly "easy-to-follow" tutorial for the ASP version of CKFinder using the Dreamweaver default "logon user" and "restrict access to page" server behaviour session variables? I've been trying to get this to work for some time in ASP using the PHP example as a rough guide, but without any success.
Thanks in advance
Craig (outsidedesign)
---------
<%
' *** Validate request to log in to this site.
MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString <> "" Then MM_LoginAction = MM_LoginAction + "?" + Server.HTMLEncode(Request.QueryString)
MM_valUsername = CStr(Request.Form("username"))
If MM_valUsername <> "" Then
    Dim MM_fldUserAuthorization
    Dim MM_redirectLoginSuccess
    Dim MM_redirectLoginFailed
    Dim MM_loginSQL
    Dim MM_rsUser
    Dim MM_rsUser_cmd
    MM_fldUserAuthorization = ""
    MM_redirectLoginSuccess = "admin_home.asp"
    MM_redirectLoginFailed = "admin_login_again.asp"
    MM_loginSQL = "SELECT admin_user, admin_pass"
    If MM_fldUserAuthorization <> "" Then MM_loginSQL = MM_loginSQL & "," & MM_fldUserAuthorization
    MM_loginSQL = MM_loginSQL & " FROM dbo.site_admin WHERE admin_user = ? AND admin_pass = ?"
    Set MM_rsUser_cmd = Server.CreateObject ("ADODB.Command")
    MM_rsUser_cmd.ActiveConnection = MM_cnPovertyMain_STRING
    MM_rsUser_cmd.CommandText = MM_loginSQL
    MM_rsUser_cmd.Parameters.Append MM_rsUser_cmd.CreateParameter("param1", 200, 1, 50, MM_valUsername) ' adVarChar
    MM_rsUser_cmd.Parameters.Append MM_rsUser_cmd.CreateParameter("param2", 200, 1, 50, Request.Form("password")) ' adVarChar
    MM_rsUser_cmd.Prepared = true
    Set MM_rsUser = MM_rsUser_cmd.Execute
    If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
        ' username and password match - this is a valid user
        Session("MM_Username") = MM_valUsername
        If (MM_fldUserAuthorization <> "") Then
            Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
        Else
            Session("MM_UserAuthorization") = ""
        End If
        if CStr(Request.QueryString("accessdenied")) <> "" And false Then
            MM_redirectLoginSuccess = Request.QueryString("accessdenied")
        End If
        MM_rsUser.Close
        Response.Redirect(MM_redirectLoginSuccess)
    End If
    MM_rsUser.Close
    Response.Redirect(MM_redirectLoginFailed)
End If
%>
Hi. First, sorry for my English; I'm French and not good in English.
I downloaded the latest version of CKEditor and CKFinder yesterday. I try to use them on my website, and I have a big bug with the config.php of CKFinder:
function CheckAuthentication()
{
    //WARNING : DO NOT simply return "true". By doing so, you are allowing
    //"anyone" to upload and list the files in your server. You must implement
    //some kind of session validation here. Even something very simple as...
    // return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized'];
    //... where $_SESSION['IsAuthorized'] is set to "true" as soon as the
    //user logs in your system.
    return true;
}
It did not work; I found this error:
Fatal error: Cannot redeclare CheckAuthentication() (previously declared in /mywebsite/ckfinder/config.php:34) in /mywebsite/ckfinder/config.php on line 35
I don't understand this, because it's not the return (I think), it's the function. So if you can help me, I would really appreciate that.
Re: Server Security and the CheckAuthentication() function
Wiktor Walc
CTO, CKSource - http://cksource.com
--
Follow CKEditor on: Twitter | Facebook | Google+
Re: Server Security and the CheckAuthentication() function
Here are the code snippets:
LOGIN
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
    session_start();
}
$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
    $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}
if (isset($_POST['username'])) {
    $loginUsername = $_POST['username'];
    $password = $_POST['password'];
    $MM_fldUserAuthorization = "";
    $MM_redirectLoginSuccess = "php/admin.php";
    $MM_redirectLoginFailed = "php/error.php";
    $MM_redirecttoReferrer = false;
    mysql_select_db($database_janesite, $janesite);
    $LoginRS__query = sprintf("SELECT username, password FROM users WHERE username=%s AND password=%s",
        GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));
    $LoginRS = mysql_query($LoginRS__query, $janesite) or die(mysql_error());
    $loginFoundUser = mysql_num_rows($LoginRS);
    if ($loginFoundUser) {
        $loginStrGroup = "";
        //declare two session variables and assign them
        $_SESSION['MM_Username'] = $loginUsername;
        $_SESSION['MM_UserGroup'] = $loginStrGroup;
        if (isset($_SESSION['PrevUrl']) && false) {
            $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
        }
        header("Location: " . $MM_redirectLoginSuccess);
    }
    else {
        header("Location: " . $MM_redirectLoginFailed);
    }
}
?>
RESTRICT ACCESS TO PAGE
<?php
if (!isset($_SESSION)) {
    session_start();
}
$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";
// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
    // For security, start by assuming the visitor is NOT authorized.
    $isValid = False;
    // When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
    // Therefore, we know that a user is NOT logged in if that Session variable is blank.
    if (!empty($UserName)) {
        // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
        // Parse the strings into arrays.
        $arrUsers = Explode(",", $strUsers);
        $arrGroups = Explode(",", $strGroups);
        if (in_array($UserName, $arrUsers)) {
            $isValid = true;
        }
        // Or, you may restrict access to only certain users based on their username.
        if (in_array($UserGroup, $arrGroups)) {
            $isValid = true;
        }
        if (($strUsers == "") && true) {
            $isValid = true;
        }
    }
    return $isValid;
}
$MM_restrictGoTo = "error.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("", $MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {
    $MM_qsChar = "?";
    $MM_referrer = $_SERVER['PHP_SELF'];
    if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
    if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0)
        $MM_referrer .= "?" . $QUERY_STRING;
    $MM_restrictGoTo = $MM_restrictGoTo . $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
    header("Location: " . $MM_restrictGoTo);
    exit;
}
?>
In the CKFinder config.php file I tried using return isset($_SESSION['IsValid']) && $_SESSION['IsValid']; but that did not seem to achieve anything?
Once again I really appreciate the help!
thanks,
Graham
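An added example, not the thread's or CKFinder's code, tying the two snippets above to the connector: a CheckAuthentication() that trusts only the MM_Username and MM_UserGroup keys the login behaviour writes, with an offline self-check showing why a key such as IsValid, which the login never sets, changes nothing. It assumes session_start() is uncommented in config.php; $ckfinderGroups and the user names in the self-check are chosen here.

```php
<?php
// Added example, not CKFinder's or Wiktor's code. Assumes session_start() is
// uncommented in ckfinder/config.php; $ckfinderGroups is a name chosen here.
// Leave it empty to admit every logged-in user, or list the MM_UserGroup
// values allowed to use the file manager, e.g. array('admin').
$ckfinderGroups = array();

function CheckAuthentication()
{
    global $ckfinderGroups;
    // MM_Username is written only after the login SELECT matched a user.
    if (empty($_SESSION['MM_Username'])) {
        return false;                 // no listing, no upload, no delete
    }
    if (!empty($ckfinderGroups)) {
        $group = isset($_SESSION['MM_UserGroup']) ? $_SESSION['MM_UserGroup'] : '';
        return in_array($group, $ckfinderGroups, true);
    }
    return true;
}

// Offline self-check (run from the command line, not part of config.php):
// feed the gate the session states the connector can meet. 'wrong key'
// mirrors setting $_SESSION['IsValid'] when the login only writes MM_Username.
function selfCheck()
{
    global $ckfinderGroups;
    $cases = array(                   // constructed session states
        'no session data'  => array(),
        'wrong key'        => array('IsValid' => true),
        'graham, no group' => array('MM_Username' => 'graham', 'MM_UserGroup' => ''),
        'jane, editor'     => array('MM_Username' => 'jane', 'MM_UserGroup' => 'editor'),
    );
    $results = array();
    foreach (array(array(), array('admin')) as $groups) {
        $ckfinderGroups = $groups;
        $label = $groups ? 'groups=' . implode(',', $groups) : 'groups=any';
        foreach ($cases as $case => $session) {
            $_SESSION = $session;
            $results[$label][$case] = CheckAuthentication();
        }
    }
    return $results;
}
foreach (selfCheck() as $label => $cases) {
    foreach ($cases as $case => $ok) {
        printf("%-12s %-17s %s\n", $label, $case, $ok ? 'allowed' : 'denied');
    }
}
```

Only the first part (the setting and CheckAuthentication) belongs in config.php; the self-check is there to show that with an empty group list every logged-in user is admitted and nobody else, and that with array('admin') neither a blank group nor 'editor' gets through.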
Re: Server Security and the CheckAuthentication() function
Hope that helps.
Re: Server Security and the CheckAuthentication() function
http://docs.fckeditor.net/CKFinder/Deve ... ss_Control
Wiktor Walc
CTO, CKSource - http://cksource.com
--
Follow CKEditor on: Twitter | Facebook | Google+
Re: Server Security and the CheckAuthentication() function
function CheckAuthentication()
    CheckAuthentication = not(IsEmpty( session("MM_Username") ) )
End function
Re: Server Security and the CheckAuthentication() function
cheers
Craig (outsidedesign)
Re: Server Security and the CheckAuthentication() function
Search for CheckAuthentication in config.php; it looks like you have accidentally created more than one CheckAuthentication function.
Wiktor Walc
CTO, CKSource - http://cksource.com
--
Follow CKEditor on: Twitter | Facebook | Google+
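An added example (not CKSource's code) for the "Cannot redeclare" error discussed above: a small tokenizer-based scan that lists where each function in a file is declared and flags any declared twice, which is the search the reply suggests. The file path is an assumption; pass the real ckfinder/config.php.

```php
<?php
// Added example, not CKFinder's code: list where every function in a PHP file
// is declared and flag names declared more than once, which is what makes PHP
// stop with "Cannot redeclare CheckAuthentication()". Using the tokenizer
// rather than grep skips the commented-out copies in config.php. Path assumed.
$file = isset($argv[1]) ? $argv[1] : 'config.php';

// Map function name => line numbers of its declarations. Class methods are
// listed too; only two in the same class would really collide.
function functionDeclarations($source)
{
    $found  = array();
    $tokens = token_get_all($source);
    $count  = count($tokens);
    for ($i = 0; $i < $count; $i++) {
        if (!is_array($tokens[$i]) || $tokens[$i][0] !== T_FUNCTION) {
            continue;
        }
        // Step over whitespace and a by-reference '&' to reach the name; a
        // '(' there instead means an anonymous function, which is skipped.
        for ($j = $i + 1; $j < $count; $j++) {
            $t    = $tokens[$j];
            $text = is_array($t) ? $t[1] : $t;
            if (trim($text) === '' || $text === '&') {
                continue;
            }
            if (is_array($t) && $t[0] === T_STRING) {
                $found[$t[1]][] = $t[2];   // $t[2] is the line number
            }
            break;
        }
    }
    return $found;
}

// Only the names PHP would refuse to compile.
function duplicateFunctions($source)
{
    $dups = array();
    foreach (functionDeclarations($source) as $name => $lines) {
        if (count($lines) > 1) $dups[$name] = $lines;
    }
    return $dups;
}

$dups = duplicateFunctions(file_get_contents($file));
foreach ($dups as $name => $lines) {
    printf("%s() declared %d times, on lines %s\n", $name, count($lines), implode(', ', $lines));
}
if (!$dups) echo "no duplicate function declarations in $file\n";
```

For the error quoted above it would report CheckAuthentication() declared twice, on the two adjacent lines PHP names; delete one of the two bodies rather than renaming it, since the connector calls the function by that exact name.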