Validating Web-based logons with FTP

As part of a PHP web app I developed, I needed to authenticate the web client user against a remote system. Unfortunately, that system was a mainframe, and setting up a web-enabled authentication product on it was time-consuming and required a lot of administrivia. I wanted to avoid all that, so I had to come up with another way to authenticate web users remotely.

The one TCP/IP network service our mainframe had available was FTP. Now, the FTP protocol authenticates a session with the USER and PASS commands, and our host security people had ensured that the host FTP server required both. In our case, the server's USER and PASS handling interfaced with the mainframe's ACF2 security system to validate that the given userid and password combination was correct, and refused the FTP login if it wasn't.

I used this little tidbit of information to authenticate web users of my Linux box: I forced their browsers to pop up the HTTP Basic authentication panel, then sent the userid and password they entered to the host as an FTP USER/PASS command sequence. If the host's FTP server rejected the sequence, the user wasn't authorized; if it accepted the sequence, the user was valid to the host. In either case I never actually transferred files over the FTP link; I simply closed it unused. I only needed it for the authentication. Two things to keep in mind: the web app gets nothing more than a yes/no answer from the host's login check, and both HTTP Basic authentication and plain FTP carry the password in cleartext, so the browser-to-web-server leg and the web-server-to-host leg each need their own protection (TLS on each, or a network you trust).

Neat or what?

Here's an example PHP script that demonstrates the process. It needs an FTP server in order to work, and is (for demonstration purposes) set up to talk to the FTP server at localhost. It relies on PHP exposing the browser's Basic-auth credentials as $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'], which the PHP manual documents as available only when PHP runs as an Apache module...


<?php

  /*
  ** LoginPrompt() sends headers and HTML with the intent of
  ** inducing the web browser to display its built-in userid/password
  ** prompt.
  ** It sends an HTTP 401 for the page the browser requested,
  **          a WWW-Authenticate header to give the authentication specs, and
  **          a dummy HTML page to be displayed if the user cancels the
  **            login prompt.
  ** It then exits, causing PHP to terminate the current request
  ** without further output.
  */
  function LoginPrompt($URL)
  {
    /* force the login popup to show up */
    header("HTTP/1.0 401 Unauthorized");
    header("WWW-Authenticate: Basic realm=\"System Login\"");

    /* if the user hits Cancel, send him to a place he can't hurt us from */
    echo "<meta HTTP-EQUIV=\"Refresh\" CONTENT=\"0; URL=" . htmlspecialchars($URL) . "\">";

    exit;
  }

  /* Basic-auth credentials, if the browser sent any; both are unset on the first visit */
  $userid = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
  $passwd = isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : '';

  $validuser = false;

  if ($userid !== '' && $passwd !== '')
  {

    /* connect to the FTP server and see if it accepts the given userid & password */
    $conn = ftp_connect("localhost") or die("Can't connect to FTP server");
    /* ftp_login() emits a warning on a rejected login; the @ keeps it out of the page */
    if (@ftp_login($conn, $userid, $passwd))  $validuser = true;
    /* the control connection was only needed for the USER/PASS check */
    ftp_close($conn);

    if (!$validuser) /* bad user - try the login again */
      LoginPrompt("http://www.php.net/manual/en/features.http-auth.php");
  }
  else /* first time into this page - force the 1st login prompt */
    LoginPrompt("http://www.php.net/manual/en/features.http-auth.php");

  /* authenticated: the protected content goes here.  phpinfo() is only a
     demonstration payload; it discloses the server's configuration, so
     don't leave it in a real app. */
  phpinfo();

?>
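The same USER/PASS exchange seen from both ends of the wire, as an added example that is not part of the original page or its PHP script. It is written in Python rather than PHP so that it runs offline: an in-process FTP server with a constructed credential table (HOST_ACCOUNTS, standing in for the mainframe's ACF2 check) answers the login dialogue, and ftp_validate() plays the web tier's role with the userid and password it would get from the browser. It goes a little beyond the page's script, in that it refuses anonymous login names and CR/LF in the credentials before touching the host, treats anything other than a 230 reply to PASS as a failure, and keeps the password out of the transcript it returns. All function and variable names are this example's own.

```python
"""FTP USER/PASS as a credential oracle, both sides of the exchange.
Added example, not code from the original page: the mainframe, ACF2 and the PHP
front end are replaced by an in-process FTP server with a constructed credential
table, so it all runs offline on 127.0.0.1."""
import socket
import socketserver
import threading

HOST_ACCOUNTS = {"JSMITH": "s3cret"}    # constructed stand-in for the ACF2 check
ANONYMOUS_NAMES = {"anonymous", "ftp"}  # any password "validates" these on anonymous-FTP hosts


def _send(f, line):  # one control-channel line, CRLF terminated
    f.write((line + "\r\n").encode())
    f.flush()


def _readline(f):  # one control-channel line, "" on EOF
    return f.readline().decode(errors="replace").rstrip("\r\n")


class _FtpHandler(socketserver.StreamRequestHandler):
    """Server side: the minimal RFC 959 login dialogue for one client."""
    timeout = 5.0

    def handle(self):
        _send(self.wfile, "220 demo FTP ready")
        user = ""
        try:
            while True:
                verb, _, arg = _readline(self.rfile).partition(" ")
                verb = verb.upper()
                if verb == "USER":
                    user = arg
                    _send(self.wfile, "331 Password required for " + arg)
                elif verb == "PASS":  # the host security product's verdict, reduced to an exact match
                    _send(self.wfile, "230 User logged in" if HOST_ACCOUNTS.get(user) == arg
                          else "530 Login incorrect")
                elif verb == "QUIT":
                    _send(self.wfile, "221 Goodbye")
                    break
                elif not verb:  # client hung up
                    break
                else:
                    _send(self.wfile, "530 Please login with USER and PASS")
        except OSError:
            pass


def start_server():  # returns (server, port); stop it with server.shutdown(); server.server_close()
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FtpHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def ftp_validate(host, port, userid, passwd, timeout=5.0):
    """Client side: returns (valid, transcript). valid is True only when PASS draws a 230;
    a 530, a 230 to USER alone (no password checked), a malformed reply or a connection
    failure all fail closed. The transcript records both sides but never the password."""
    transcript = []
    # Refuse anonymous names, empty fields, and CR/LF that would let the browser user
    # inject extra commands into the FTP control channel.
    if (not userid or not passwd or userid.lower() in ANONYMOUS_NAMES
            or "\r" in userid + passwd or "\n" in userid + passwd):
        return False, transcript

    def recv(f):  # one reply, including the RFC 959 multi-line "ddd-..." form
        line = first = _readline(f)
        while line and first[3:4] == "-" and not (line.startswith(first[:3]) and line[3:4] == " "):
            transcript.append(("S", line))
            line = _readline(f)
        transcript.append(("S", line))
        return line

    def send(f, cmd, shown=None):
        _send(f, cmd)
        transcript.append(("C", shown or cmd))

    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            f = s.makefile("rwb")
            if not recv(f).startswith("220"):
                return False, transcript
            send(f, "USER " + userid)
            if not recv(f).startswith("331"):
                return False, transcript
            send(f, "PASS " + passwd, shown="PASS ********")
            valid = recv(f).startswith("230")
            send(f, "QUIT")
            recv(f)
            return valid, transcript
    except OSError:
        return False, transcript
```

Call start_server() once, then ftp_validate("127.0.0.1", port, userid, passwd) per login attempt; the returned transcript is safe to log because the PASS line is masked. Pointed at a real host instead of the demo server, the control channel is still plaintext exactly as in the PHP version, so in practice the connection would be wrapped in TLS (ftplib.FTP_TLS in Python, ftp_ssl_connect() in PHP) before any real password crosses it.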