Using the Synology "login" for a custom website


Postby OgeGOon » Sat Mar 21, 2009 4:59 pm

Hi,

I am unsure about the section where I must post my question... it's related to security, but not to SSL, etc...

I have enabled the Web Station of my DS209+ and made some web pages (PHP) that I now want to secure.
I would like to use the native login administration of Synology. So I took a look at the Web Manager login and found how to reuse the "webman/modules/login.cgi" from my own login page.

I now have to put some code in all my other pages in order to check that the login has been done and, if it is not, to redirect to the login page.
Unfortunately, I can't find what I can check to detect whether the login is done or not :/
It seems that there are no PHP pages but only CGI for the Synology web manager, so I can't find how Synology does this check.

Does anyone know the solution? Or is there any (unofficial) documentation that I could read?

Thanks a lot in advance for any tip.

O.

Re: Using the Synology "login" for a custom website

Postby kiwicam » Sun Mar 22, 2009 12:35 am

Unfortunately, I don’t have a solution. However, I would be very interested to read more detail (including the code) of what you have done.
DS-1010+ / DSM 4.2-3202 / 5 x Hitachi HDS722020ALA330
DS-207+ / DSM 3.1-1636 / 2 x Hitachi HDS722020ALA330

Re: Using the Synology "login" for a custom website

Postby OgeGOon » Sun Mar 22, 2009 9:21 pm

Here is a HTML login page that can be used on the Synology (DS2009+ at least): http://www.4shared.com/file/94374688/c3a3fa2c/index.html (it's a zipped file)

In this page, the port of the Synology web admin interface is hardcoded (=5000).
It also redirects successful logins to a "MyWelcomePage.html".

In order to make this page more dynamic (e.g. regarding the port), you can easily use some PHP scripts.

This page uses the login of the File Station module. Use the 'guest' account, an existing custom account or the 'admin' account to test it.
You will see you get an error message if guest is disabled or if you enter a wrong password.
So my understanding is that it works and that I should be able to reuse it to protect my own pages.

As soon as I have some free time, I will investigate the session variables, php variables, etc, etc... (I am not at all an expert in web and php)
I could possibly find in there a value that can be used as a flag (user authenticated or not) ?!

O.

Re: Using the Synology "login" for a custom website

Postby OgeGOon » Sun Mar 22, 2009 10:17 pm

Notice: currently, the login page only works with IE due to the hostname passed in the url parameter of :

> ajax_req.open("POST", url, true);

The url is "http://MySynologyServer:5000/webman/modules/login.cgi".

Notice: The login page of the Synology does not need to use a hostname but only "/webman/modules/login.cgi"...

It does not run with Firefox and Chrome because the XMLHttpRequest object assumes that a different port is a different domain and it prevents cross-domain posts for security reasons.
This is the first time I prefer the Microsoft implementation :o)

O.

Re: Using the Synology "login" for a custom website

Postby OgeGOon » Sun Mar 22, 2009 11:59 pm

Here is a login page that will also run within Firefox and Chrome: http://www.4shared.com/file/94394477/6830917d/test.html (a zip file)

I am now posting onto the Synology login CGI from a PHP page, via a socket... No security issue anymore :p
Simply change the administration port in the login.php page according to your own config.

I had a first look in the php session and didn't find anything concrete that I could use :(

However, because I know that I get {"result":"success"} from the CGI for a successful login, I can create and manage my own "flag" in the login.php page.
It's quite an ugly solution, but it's OK for my purpose...

In the login.php page, I have set this (just before the last line) :

// A successful login returns {"result":"success"}, so look for that word in the reply.
if (strlen(strstr($content,"success"))>0)
{
    _setCredentials($login);
}

All the pages to be secured must start with:

<?php
require_once("security.php");
_checkCredentials();

where security.php contains:

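<?php
session_start();

// Record the authenticated user in the session.
function _setCredentials($username) {
    $_SESSION['username'] = $username;
}

// Redirect to the login page unless a user is recorded in the session.
// empty() also covers a session in which the key was never set.
function _checkCredentials() {
    if (empty($_SESSION['username']))
    {
        session_destroy();
        header("Location: /index.php");
        exit;
    }
}

// Log out: drop the session and return to the login page.
function _clearCredentials() {
    session_destroy();
    header("Location: /index.php");
    exit;
}
?>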

Obviously, the login.php page also starts with:

<?php
require_once("security.php");

I will check with some friends more capable in php than me if this is secure "enough"...

O.

Re: Using the Synology "login" for a custom website

Postby gastonet » Tue Mar 02, 2010 4:50 pm

Hello guys, links are broken and I'm trying to mod the login page.

Can anyone help me? My email (if you want to send the code) is gastonet (at) gmail (dot) com

Many thanks in advance.

Gaston

Re: Using the Synology "login" for a custom website

Postby E-wawa.pl » Mon Jan 17, 2011 4:01 pm

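Code:
<?php
   session_start();
   /*
    * Usage:
    * Navigate to login.php?domain=yourservernameordomain&port=5000&user=yourlogin&pass=yourpassword
    */
   $username = isset($_GET['user']) ? $_GET['user'] : '';
   $password = isset($_GET['pass']) ? $_GET['pass'] : '';
   $port = isset($_GET['port']) ? (int)$_GET['port'] : 5000;
   $domain = isset($_GET['domain']) ? $_GET['domain'] : '';
   // Only a plain host name goes into the URL; the credentials are URL-encoded.
   if(!preg_match('#^[A-Za-z0-9.-]+$#',$domain)){
      exit('Invalid domain');
   }
   $url = 'http://'.$domain.':'.$port.'/webman/login.cgi?username='.urlencode($username).'&passwd='.urlencode($password);
   $data = (string)@file_get_contents($url);
   if(preg_match('#\"success\" \: true#',$data)){
      $_SESSION['username'] = $username;
   }else{
      echo 'Wrong credentials';
      unset($_SESSION['username']);
   }

   if(isset($_SESSION['username'])){
      echo 'Welcome '.htmlspecialchars(ucfirst($_SESSION['username']));
      // Read the user list through the shell, without a temporary file in the web directory.
      $users = (string)shell_exec('cat /etc/synouser.conf');
      // Match the line that starts with this user name; preg_quote() makes the name literal.
      $found = preg_match('#^'.preg_quote($username,'#').'\:[0-9]{1,5}\:.*\@.*#m',$users,$match);
      $email = $found ? explode(":",$match[0]) : array();
      echo '<br />Your email is '.htmlspecialchars(isset($email[2]) ? $email[2] : '');
   }
?>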
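
Added example, not code from any poster in this thread: one way to harden the session-flag approach of OgeGOon's security.php and E-wawa.pl's login.php, parsing the login.cgi reply as JSON instead of searching it for "success", fixing the DSM host server-side, and issuing a new session ID at login. The loopback URL, the function names and the sample replies are assumptions; the GET fields are the ones in E-wawa.pl's post.

```php
<?php
// Added example, not code from the thread. ASSUMPTIONS: DSM listens on
// loopback port 5000 and takes the GET fields used in E-wawa.pl's post;
// PHP 7.3+ for the array form of session_set_cookie_params().
const DSM_LOGIN_URL = 'http://127.0.0.1:5000/webman/login.cgi';

// Accept only the two reply shapes quoted in the thread, parsed as JSON.
function dsm_login_ok(string $body): bool {
    $json = json_decode($body, true);
    return is_array($json)
        && (($json['result'] ?? null) === 'success'
            || ($json['success'] ?? null) === true);
}

// Host and port are fixed server-side; only the credentials vary.
function dsm_authenticate(string $user, string $pass): bool {
    $query = http_build_query(['username' => $user, 'passwd' => $pass]);
    $ctx = stream_context_create(['http' => ['timeout' => 5]]);
    $body = @file_get_contents(DSM_LOGIN_URL . '?' . $query, false, $ctx);
    return $body !== false && dsm_login_ok($body);
}

function start_session(): void {
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

// Call from login.php with the values of a POSTed form (hypothetical fields).
function login(string $user, string $pass): bool {
    if (!dsm_authenticate($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);   // new session ID at the privilege change
    $_SESSION['username'] = $user;
    return true;
}

// Call at the top of every protected page, after start_session().
function require_login(): void {
    if (empty($_SESSION['username'])) {
        header('Location: /index.php');
        exit;
    }
}

// Constructed sample replies, checked when the file is run from the CLI.
if (PHP_SAPI === 'cli') {
    var_dump(dsm_login_ok('{"result":"success"}'));
    var_dump(dsm_login_ok('{"success" : true}'));
    var_dump(dsm_login_ok('{"result":"error","msg":"success"}'));
}
```

The third sample reply is the case a substring search for "success" would accept and the JSON check rejects.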

Re: Using the Synology "login" for a custom website

Postby TommyN » Thu Mar 24, 2011 7:53 pm

This is really clever. I don't have any use for it yet, but I just had to try it :)
The "Your email is:" is empty when I try it though..

DS712+ / DSM 4.1-2668 / 2 x 3 TB WD30EZRX / RAID 1
Seagate FreeAgent 500 GB in USB 1
ASUS RT-56U FW:3.0.0.4.342
Boxee Box by D-Link
Logitech Squeezebox Boom

Re: Using the Synology "login" for a custom website

Postby partikule » Fri Aug 19, 2011 10:53 am

@E-wawa.pl : Nice, but doesn't work anymore in DSM 3.2

