
Users able to browse intranet without login 1

Status
Not open for further replies.

kopja

Technical User
Jul 20, 2005
63
US
Hi all.

I have an Apache web server set up (on Windows Server 2003) with PHP and MySQL. Someone a few years ago developed a simple intranet site, which we access internally. The website is working fine, and it has a login page, where it creates a session checked against the MySQL database. Successful logins get to see the pages of the intranet, unsuccessful logins get displayed a notice.

Recently it was decided to split the intranet into 2 departments, as they have some info that should not be shared.

I do not know much about php/mysql/apache, but I think I get the gist of how everything works.
So what I did, I simply copied ALL the files on the htdocs directory on a new htdocs2, created a new virtual host and added it to the httpd.conf (before it was only intranet.company.com, I added intranet.company2.com), and edited the login (.php file) on the intranet2 so that it only accepts people from company2. Then I went and edited the necessary files/logos etc so that company2 has its own information on it.

Both pages are working fine, I can login to each separately, and I can view the pages, and it displays an error message on a failed login.

However, on intranet.company2.com, I can also manually type in intranet.company2.com/"internalpagename.php" and it will let me in. If I try that on the intranet.company.com it will simply redirect me to the login page (if I have not logged in previously).

Can anyone point me to where I need to look?
All the PHP logins/classes etc. are the same (except for the username check, basically a "where" clause), and I configured both pages the same in the httpd.conf file:

<Directory "C:/Program Files/Apache Group/Apache2/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 192.168.x
Allow from domain.com
</Directory>

<Directory "C:/Program Files/Apache Group/Apache2/htdocs2">
Options Indexes FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 192.168.x
Allow from domain.com
</Directory>

ServerRoot "C:/Program Files/Apache Group/Apache2"
<VirtualHost *:80>
ServerName intranet.company.com
DocumentRoot "C:/Program Files/Apache Group/Apache2/htdocs"
UseCanonicalName ON
</VirtualHost>

<VirtualHost *:80>
ServerName intranet.company2.com
DocumentRoot "C:/Program Files/Apache Group/Apache2/htdocs2"
UseCanonicalName ON
</VirtualHost>
 
Hi

I see two possible reasons:

• Carelessly written PHP scripts.
• The PHP scripts were not intended to be used in this way.

In both cases there is nothing to do with the web server.

Unless you give more details about the PHP scripts and the used authentication, neither forum434's members can help much.

Feherke.
 
Hi Feherke, I did not write the PHP scripts, so cannot disagree with you.

However, it seems to me that this may be a directory protection issue in Apache.

when typing intranet.company.com, users are directed to
intranet.company.com/login.php (same for both sites).
I believe this is caused by the "directoryindex login.php" directive in apache httpd.conf

When trying to go straight to intranet.company.com/somepage.php, the user is somehow re-directed to the login.php file, but that does not happen in the intranet2 page.

How does apache server know what to do when a user requests a specific php file? Where is that directive?

 
Hi

kopja said:
when typing intranet.company.com, users are directed to
intranet.company.com/login.php (same for both sites).
I believe this is caused by the "directoryindex login.php" directive in apache httpd.conf
You mean, the URL in the browser's location bar is changing to [...]? If yes, it has nothing to do with the DirectoryIndex directive.

Anyway, all that has nothing to do with the authentication.

And unless you are using HTTP authentication, the web server is not involved in the authentication, or the failure of the authentication.

Again: without details about the PHP scripts and the used authentication, we cannot help.


Feherke.
 
No, the URL does not change (it still displays intranet.company.com), but the actual page displayed, I know, is intranet.company.com/login.php.

Anyway, thanks to your first post I figured out the issue.

Every page on the intranet had this code at the beginning:
<?php include("includes/session.inc2.php"); ?>

When I looked at the session.inc2.php file for company2, somehow I had commented out the line where it does the user session check, so basically every session check returned true.

Thanks again, I was looking in the wrong direction.
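The thread's root cause was a session check in an included file that had been commented out, so the include silently let every request through. Below is an added example of what such a session.inc2.php gate can look like when it fails closed; it is not the original site's file. It assumes that login.php, after verifying credentials against MySQL, stores the user name in $_SESSION['user'] and the site name in $_SESSION['site'], and that SITE_TAG is set differently in each htdocs copy (the function names, the 30-minute idle timeout and the public-script list are all assumptions for this example).

```php
<?php
// includes/session.inc2.php  (added example, not the original intranet's file)
// Fail-closed session gate. Every protected page includes this file first,
// and any condition that cannot be positively confirmed results in a redirect
// to login.php rather than in access being granted.

declare(strict_types=1);

const SITE_TAG = 'company2';   // assumption: 'company' in htdocs, 'company2' in htdocs2
const IDLE_TIMEOUT_SECONDS = 1800;  // assumption: 30 minutes of inactivity

// Scripts that must be reachable without a session (the login page itself).
const PUBLIC_SCRIPTS = ['login.php'];

session_start();

/**
 * Returns true only when every requirement is met.
 * A missing or malformed key is treated as "not logged in", never as a pass.
 */
function session_is_valid(array $session, string $expectedSite, int $now): bool
{
    if (empty($session['user']) || !is_string($session['user'])) {
        return false;                       // no authenticated user recorded
    }
    if (($session['site'] ?? null) !== $expectedSite) {
        return false;                       // session belongs to the other intranet
    }
    $last = (int)($session['last_activity'] ?? 0);
    if ($last <= 0 || ($now - $last) > IDLE_TIMEOUT_SECONDS) {
        return false;                       // stale or never-stamped session
    }
    return true;
}

/**
 * Redirects to login.php and stops the script unless the session is valid.
 * The exit after the redirect matters: without it the page body below the
 * include would still be rendered and sent along with the 302.
 */
function require_login(string $expectedSite): void
{
    $script = basename($_SERVER['SCRIPT_NAME'] ?? '');
    if (in_array($script, PUBLIC_SCRIPTS, true)) {
        return;                             // login.php itself is not gated
    }

    if (!session_is_valid($_SESSION, $expectedSite, time())) {
        $_SESSION = [];                     // discard any partial state
        session_destroy();
        header('Location: /login.php', true, 302);
        exit;
    }

    $_SESSION['last_activity'] = time();    // refresh the idle timer
}

require_login(SITE_TAG);
```

Two points worth noting for this layout. First, because the gate lives in an include, commenting out a single line (as happened in the thread) or forgetting the include on one new page is enough to expose it; with mod_php, a `php_value auto_prepend_file` directive in each `<Directory>` block of httpd.conf can make PHP run the gate file before every script in that document root, so the check no longer depends on each page remembering to include it. Second, since both virtual hosts run on the same server and, by default, share PHP's session save path, checking a per-site tag in the session (as the example does) keeps a session created on intranet.company.com from being accepted on intranet.company2.com.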
 