Sorry to be a pain but I am not a programmer and this stuff seems to be totally beyond my comprehension!!
I am using a Linux server running PHP version 5.2.5 and MySQL version 5.0.51a-community with FCKeditor 2.6 and CKFinder 1.2.3
Obviously I want my site to be secure and therefore don't want to use "return true;" on my config.php page however I cannot figure out how to implement the CheckAuthentication function?
I have built my site with Dreamweaver 8 and used their default "log on user" and "restrict access to page" behaviours on my restricted access pages, but how do I tie this into the config.php file for ckfinder please?
Speaking of security it does not seem to make any difference whether I set my folder permissions to 777 or 755, I am still able to use ckfinder to add, edit and delete files on the remote server?
I can post snippets of code from my "log on" and "restrict access" behaviours if this will help?
Also how do you test to see if the server is secure or not please?
Again I apologise for what are probably very basic questions, and hope that someone will take pity and give me some much needed guidance!
Thanks for any help that may be forthcoming,
Graham
Sun, 06/01/2008 - 03:14
#1
Re: Server Security and the CheckAuthentication() function
I don't have Dreamweaver 8 to check this, but if you post the code generated by Dreamweaver that is responsible for authentication it will be much easier to help you.
Wiktor Walc
CTO, CKSource - http://cksource.com
Re: Server Security and the CheckAuthentication() function
Here are the code snippets:
LOGIN
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}
$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}
if (isset($_POST['username'])) {
  $loginUsername=$_POST['username'];
  $password=$_POST['password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "php/admin.php";
  $MM_redirectLoginFailed = "php/error.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_janesite, $janesite);
  $LoginRS__query=sprintf("SELECT username, password FROM users WHERE username=%s AND password=%s",
    GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));
  $LoginRS = mysql_query($LoginRS__query, $janesite) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
    $loginStrGroup = "";
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;
    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>
RESTRICT ACCESS TO PAGE
<?php
if (!isset($_SESSION)) {
  session_start();
}
$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";
// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
  // For security, start by assuming the visitor is NOT authorized.
  $isValid = False;
  // When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
  // Therefore, we know that a user is NOT logged in if that Session variable is blank.
  if (!empty($UserName)) {
    // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
    // Parse the strings into arrays.
    $arrUsers = Explode(",", $strUsers);
    $arrGroups = Explode(",", $strGroups);
    if (in_array($UserName, $arrUsers)) {
      $isValid = true;
    }
    // Or, you may restrict access to only certain users based on their username.
    if (in_array($UserGroup, $arrGroups)) {
      $isValid = true;
    }
    if (($strUsers == "") && true) {
      $isValid = true;
    }
  }
  return $isValid;
}
$MM_restrictGoTo = "error.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {
  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
  if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0)
    $MM_referrer .= "?" . $QUERY_STRING;
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
  header("Location: ". $MM_restrictGoTo);
  exit;
}
?>
In the CKFinder config.php file I tried using return isset($_SESSION['IsValid']) && $_SESSION['IsValid']; but that did not seem to achieve anything?
Once again I really appreciate the help!
thanks,
Graham
Re: Server Security and the CheckAuthentication() function
Hope that helps.
Re: Server Security and the CheckAuthentication() function
Open config.php and do the following:
1. As Sensa suggested, the first thing you have to do is to uncomment the code that starts the session; change:
Wiktor Walc
CTO, CKSource - http://cksource.com
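One way to tie the Dreamweaver login posted earlier in this thread into CheckAuthentication(), as an added example that is not the code from Sensa's or Wiktor's replies and not CKFinder's or Dreamweaver's own. The helper name dwSessionIsAuthorized and the two allow-list parameters are hypothetical; the session keys are the ones the posted login script sets.

```php
<?php
// Added example, not CKFinder's or Dreamweaver's own code.
// Intended for CKFinder's config.php, in place of "return true;".

// The session must be started before $_SESSION can be read, and it must be
// the same session (same cookie) that the Dreamweaver login page uses.
if (!isset($_SESSION)) {
    session_start();
}

// Hypothetical helper: decide from the session data alone.
// $allowedUsers / $allowedGroups are assumptions; leave both empty to accept
// any logged-in user, which is what the posted page restriction does.
function dwSessionIsAuthorized($session, $allowedUsers, $allowedGroups)
{
    // The posted login script sets MM_Username only after a successful login.
    if (empty($session['MM_Username'])) {
        return false;
    }
    if (count($allowedUsers) == 0 && count($allowedGroups) == 0) {
        return true;
    }
    $group = isset($session['MM_UserGroup']) ? $session['MM_UserGroup'] : '';
    return in_array($session['MM_Username'], $allowedUsers, true)
        || ($group !== '' && in_array($group, $allowedGroups, true));
}

function CheckAuthentication()
{
    return dwSessionIsAuthorized($_SESSION, array(), array());
}

// Demonstration on constructed session data; runs only from the command line,
// so it stays silent when config.php is loaded by the web server.
if (PHP_SAPI === 'cli') {
    $samples = array(
        'not logged in'           => array(),
        'logged in via DW script' => array('MM_Username' => 'graham', 'MM_UserGroup' => ''),
        // The login script never sets IsValid, so a check on it always fails.
        'only IsValid key set'    => array('IsValid' => true),
    );
    foreach ($samples as $label => $session) {
        $ok = dwSessionIsAuthorized($session, array(), array());
        echo str_pad($label, 26) . ($ok ? 'allowed' : 'denied') . "\n";
    }
}
```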
Re: Server Security and the CheckAuthentication() function
Thank you both Sensa and Wiktor
I have made the changes that you suggested and everything seems to be okay.
When I am logged in I am able to upload, delete etc via ckfinder, but am redirected to my error page if not logged in.
Thanks for your help, it is greatly appreciated!
Graham
Re: Server Security and the CheckAuthentication() function
Does anyone have a similarly "easy-to-follow" tutorial for the ASP version of CKfinder using the Dreamweaver default "logon user" and "restrict access to page" server behaviour session variables? I've been trying to get this to work for some time in ASP using the PHP example as a rough guide, but without any success.
Thanks in advance
Craig (outsidedesign)
---------
Re: Server Security and the CheckAuthentication() function
Re: Server Security and the CheckAuthentication() function
cheers
Craig (outsidedesign)
Re: Server Security and the CheckAuthentication() function
Yesterday I downloaded the latest version of CKEditor and CKFinder. I tried to use them on my website, and I have a big bug with the config.php of CKFinder:
It did not work, and I found this error:
I don't understand this, because it's not the return (I think), it's the function. So if you can help me, I would really appreciate that.
Re: Server Security and the CheckAuthentication() function
Search for CheckAuthentication in config.php; it looks like you have accidentally created more than one CheckAuthentication function.
Wiktor Walc
CTO, CKSource - http://cksource.com