phpSecurityAdmin

Last modified: 6/7/2002 8:41AM (GMT-6)

phpSecurityAdmin is a PHP application that was designed to be implemented in custom Content Management Systems (CMS). The ease of use allows the CMS programmer to concentrate on creating a quality application without having to waste a lot of time on the security access side of the system.

This application can be used for restricting access to web pages based on user names and passwords. The system will allow the client to:

Manage user accounts and access rights
Add, edit, or delete users
Change access and connection rights
Control basic system parameters such as user name and password lengths and where connections are allowed to be made from
Create and manage "user profiles" in order to allow an efficient method of creating multiple users with similar access rights

INSTALLATION

Download the phpMysqlConnection class definition file and place it in the include directory. You can get it from http://koivi.users.phpclasses.org/phpmysqlconnection
Uncompress the package into the directory where you want the package to be located on your server.
Create a database where you want all the information for users and profiles to be stored.
Populate the default settings for the package into the database. The file called "phpSecurityAdmin.default.sql" contains the sql queries you will need to do this.
Edit the include/_config.php file to fit your setup.

* It is best not to store the database connection details in the config file. To achieve a higher level of security, set up the SQL_* variables to be passed by the web server. [I use SetEnvIf Host domain\.com SQL_x=value inside the virtual host directives of apache.]

REQUIREMENTS

This system was developed using the apache 1.3.20 web server, mysql 3.23.40 database server, and PHP-4.1.1 compiled as a DSO module all running on a linux server. For best results, you should have at least the above setup. You will need to have session support, and trans-sid enabled as well.

At this point in development, I do not plan on supporting CGI versions of PHP, other web servers, or other platforms. This is just because I don't have the time nor the resources to do so. If you would like to contribute the development of this project, email me at justin@koivi.com

GETTING STARTED

To use the phpSecurityAdmin package, you will need to decide what pages you would like to restrict access to. At the top of each of these pages (which will need to parse PHP code), add the line:

<? require "/path/to/phpSecurityAdmin/_restrict.php"; ?>

Once you have the pages you want to restrict, you will need to add in the location of each page into the database. To do this, you will need to log in to the system by browsing to http://www.domain.com/path/to/phpSecurityAdmin/index.php with a web browser. The default password for the user "admin" is "secure" (you will want to change this before going live).

Once you are logged in, go to the "Site Structure" section and add in each of the pages you are restricting access to. The "Page Name" is something to identify each page to you, the admin. This can be any string that you want. The "Location" is the path that is requested to reach the page. For instance, if your page is accessed by http://www.domain.com/page.php, you would enter /page.php. If it was http://www.domain.com/folder/page.php, you would enter /folder/page.php.

You will now need to give access to these pages to users. The "admin" user does not have access to all restricted pages by default. To grant access to pages:

Go into the "Users" section and edit the user you wish to grant access to.
Click "Edit rights to pages."
Select the pages that this user should have access to and submit the form.

USERS

To create a user, simply go to the "Users" section and click "Create New User." Fill out the presented form, and click submit. By default, a user is active when created.

EDIT CONTACT DETAILS

You can change the contact details of a user at any time by editing that user and selecting "Edit contact details."

EDIT CONNECTIONS

You can change the user's login name, password, or where they are allowed to log into the system from by selecting "Edit connections" from the edit user page. The "Allowed Connections" field works the same way as the one in the "Configuration" section. This allows the admin not only to restrict where connections can be initiated for the system, but also further restrict where each user can connect from.

EDIT RIGHTS TO PAGES

As of version 2.0, all user rights are handled through the use of the system-defined profiles.

PROFILES

Think of profiles as being similar to groups. You can easily give groups of users the same (or similar) access rights by creating profiles. All you need to do is create a profile by giving it a name to identify it and selecting which pages to allow access to.

You can then apply these profiles to users either during creation or by editing their access rights. During editing, applying a profile is as simple as choosing the name from the drop-down list and submitting the form.

SITE STRUCTURE

This section is a list of all the pages that the system sees as being restricted. In order for these to work that way, you do have to add the line of code mentioned in the GETTING STARTED section to the top of the restricted page.

Adding pages to the database is also necessary to do in order to successfully restrict access to them. To do this, simply click on the "Add Page" link above the table listing all the existing pages. The GETTING STARTED section of this document gives you instructions about the form.

CONFIGURATION

The fields in this section are quite self-explanatory with the exception of "Allowed Connections." To only allow connections from certain computers, see the examples below:

To allow only from one address, enter the IP (only works with static IPs).

192.168.1.201

To allow from all machines with an address that starts with a sequence:

192.168.1.
or
192.168.

You can also use multiple entries by separating with a comma:

192.168.1.161, 192.168.2., 10.10.220.

The last example allows connections from only machine 161 from the 192.168.1.* network, and all computers of the 192.168.2.* and 10.10.220.* networks.

GETTING HELP

As of 2002-06-30, there is a bulletin board for phpSecurityAdmin located at http://www.koivi.com/php/. You can use this site to ask user/developers questions about your install, suggest features, or just find out what is in store for furutre releases of phpSecurityAdmin.

CHANGELOG

Version 2.3.2

Minor code fixes (stray short tags, extra comments, extra whitespace, etc.) in preparation of phpsecurityadmin-mb
Fixed register_globals = Off bug in _restrict.php
Changed loginForm method to also accept POSTed data and pass it along as hidden form fields.

Version 2.3.1

Fixed changePassword condition in editUser.
Added activateUser function.
Fixed typo in session variable name in Login() function.
Removed un-needed lines in user_edit_connections.php and class.phpSecurityAdmin.php
Updated fr.lang.php, phpSecurityAdmin.sql, TODO list.

Version 2.3

Added link to this document via the application's main page.
Corrected the Edit User Connections to display all fields if the logged in user is an admin.
Validated HTML and CSS through W3C (http://www.w3c.org/)
Replaced all FONT tags with CSS.
Default languages displayed are only the ones that are up-to-date with the release.
English, Dutch, Italian, Spanish, and Turkish language files verified as up-to-date.
SQL schema file updated to reflect changes in language defaults.

Version 2.2

Removed all short tags (<? ?>) and replaced them with <?php ?>
Miscellaneous changes to UI pages - including using single quotes for strings where possible.
Added copyright information to the files and included the LICENSE file.

Version 2.1

Added functionality to change the language online - don't need to edit _config.php
Updated code to use the new global vars for PHP 4.2.x ($_POST, $_GET, $_SESSION,etc.)
Added Russian and Turkish languages. The total for supported languages is now up to 11.

Version 2.0

users can now change their details and passwords
"gid" column added to the security_users table
"uid" column added to the security_users table
"psaun" session variable changed names to "psaun" so it is less obvious what the value actually is for (the user name)
"psag" session variable added. This is the GID of the user.
"psau" session variable added. This is the UID of the user.
deleted 'rights' column from secuirty_users table
updated some of the UI pages to reflect the change to "Groups" from "Profiles"
changed editUser function to reflect the change from profiles to groups
changed hasRights function to reflect the change from profiles to groups
changed addUser function to reflect the change from profiles to groups
added admin column to profiles table
added function changeProfile to security_class to change the group of a user
dropped admin column from the users table since that functionality is now handled with the profiles
changed isAdmin function to work with groups
changed get users to keep the admin flag, but pull from groups
IP check on sessions to help prevent session hijacking
added functions to use a mysql table to store session info instead of the server's file system (possibly adding security to sessions?)
fixed to work with register_globals = off
updated schema and class to use 'updated' column in security_users table.
CSS implemented to make it look just a little more attractive.
used the session handler definition file to change session.gc_probability to 100 for the _very_ paranoid.
Added support for the following languages: Brazilian Portuguese, Danish, French, Hebrew, and Italian.

NOTE: Even though the functionality changed for "Profiles", it is still called the same. Now when you edit a profile, all users that have that profile defined will have the changes applied to them. This makes it easy to grant/deny access to large groups of users. Individual users no longer have user rights applied to them. Instead, they inherit the rights of the group (or profile) that they are a member of.

Version 1.5

Updated database schema - default "No Access" profile is now GID 100000
Defaulted to only use up to date language files. (Please help keep the translations up-to-date wherever you can.)
got rid of frames and used tables instead.
re-organized into a class format rather than a group of functions.
Added support for additional languages to be used, added Spanish, Dutch, and German.

TODO List

Ability for User to request a new password for one that is lost/forgotten.
Update translations for the following laguages:
- de : German
- dk : Danish
- he : Hebrew
- pt-br : Brazilian Portuguese
- ru : Russian (koi8-r)
multiple groups support
Add functionality to set read, write, or no access to pages.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. (Found in the LICENSE file.)

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA