Re: PHP username information

The short answer is yes. This has to be possible. But you may have to make it happen and at the very least you need to provide us with more information. First ... what exactly is a PHP username? From what little i know about Postnuke, it has an authentication system but that is cookie based and not something you can get from the Unix environment.

Now then, about that more information that we need to help you solve your problem. You mention that these users have the ability to alter the database. How are they logged in? Do they even have to be logged in to access this CGI tool? If they don't, then that's your problem right there and you may be limited to only being able to store info like IP address -- which is not ideal at all. If your users DO have to log in ... then you should be able to parse their cookie and get their credentials. Hope this helps. :)

jeffa

L-LL-L--L-LL-L--L-LL-L--
-R--R-RR-R--R-RR-R--R-RR
B--B--B--B--B--B--B--B--
H---H---H---H---H---H---
(the triplet paradiddle with high-hat)

Comment on Re: PHP username information Select or Download Code

Replies are listed 'Best First'.
Re^2: PHP username information by Dranzaz (Sexton) on Dec 04, 2008 at 19:18 UTC
Thanks for your input, I have checked and it would appear that the authentication is truely cookie based. Too answer your other questions: You mention that these users have the ability to alter the database. Answer> It the cgi that interfaces with the database and tables and display's the information in a webform that the users can update and submit. They do not interface directly with the database, only through a webform. You mention that these users have the ability to alter the database. How are they logged in? Answer> Until now I thought they were logging into the PostNuke frontpage and following the links I provided. These links use the "PostWrap" module which basically places the target cgi into a frame within the current page, giving the impression it is part of the overall site design. Unfortunately I have just tested the some of the links and they are viewable without logging into the PostNuke interface. Not what I was expecting. Do they even have to be logged in to access this CGI tool? Answer> As stated above, no they do not. I was under the impression they did. If they don't, then that's your problem right there and you may be limited to only being able to store info like IP address. Answer>I am already capturing their IP address in a hidden feild on the web form using javascript. Luckily there are only a few (less than 20) individuals that currently use these tools and all are static IP's and easily tracked. There has been a request to expand its capabilities after the first of the year and there potentially will be more than 100 potential users. Tracking these users by IP will be more dificult as almost all of the new users will be NAT'd behind 2 or 3 Ip's. I'm going to research locking down a few of these directories with a secondary authentication. I do not like that these pages can be viewed without being logged into the PostNuke Interface.	[reply]

Replies are listed 'Best First'.

Re^2: PHP username information
by Dranzaz (Sexton) on Dec 04, 2008 at 19:18 UTC

You mention that these users have the ability to alter the database.
Answer> It the cgi that interfaces with the database and tables and display's the information in a webform that the users can update and submit. They do not interface directly with the database, only through a webform.

You mention that these users have the ability to alter the database. How are they logged in?
Answer> Until now I thought they were logging into the PostNuke frontpage and following the links I provided. These links use the "PostWrap" module which basically places the target cgi into a frame within the current page, giving the impression it is part of the overall site design.
Unfortunately I have just tested the some of the links and they are viewable without logging into the PostNuke interface. Not what I was expecting.

Do they even have to be logged in to access this CGI tool?
Answer> As stated above, no they do not. I was under the impression they did.

If they don't, then that's your problem right there and you may be limited to only being able to store info like IP address.
Answer>I am already capturing their IP address in a hidden feild on the web form using javascript. Luckily there are only a few (less than 20) individuals that currently use these tools and all are static IP's and easily tracked. There has been a request to expand its capabilities after the first of the year and there potentially will be more than 100 potential users. Tracking these users by IP will be more dificult as almost all of the new users will be NAT'd behind 2 or 3 Ip's.
I'm going to research locking down a few of these directories with a secondary authentication. I do not like that these pages can be viewed without being logged into the PostNuke Interface.

[reply]