On 27 Aug 2013, at 17:28, Jim Giner <jim.gi...@albanyhandball.com> wrote:

> On 8/27/2013 11:56 AM, Stuart Dallas wrote:
>> Oops, sent this message from the wrong email address, so the list rejected 
>> it.
>> Begin forwarded message:
>>> From: Stuart Dallas <stu...@3ft9.com>
>>> Subject: Re: [PHP] Basic Auth
>>> Date: 27 August 2013 16:36:27 BST
>>> To: jim.gi...@albanyhandball.com
>>> Cc: php-general@lists.php.net
>>> On 27 Aug 2013, at 15:59, Jim Giner <jim.gi...@albanyhandball.com> wrote:
>>>> On 8/27/2013 10:55 AM, Stuart Dallas wrote:
>>>>> On 27 Aug 2013, at 15:51, Jim Giner <jim.gi...@albanyhandball.com> wrote:
>>>>>> On 8/27/2013 10:39 AM, Stuart Dallas wrote:
>>>>>>> On 27 Aug 2013, at 15:18, Jim Giner <jim.gi...@albanyhandball.com> 
>>>>>>> wrote:
>>>>>>>> On 8/27/2013 10:14 AM, Stuart Dallas wrote:
>>>>>>>>> It's not really confusing so long as you understand how PHP works. 
>>>>>>>>> Each request is brand new - nothing is retained from previous 
>>>>>>>>> requests. The two variables you're changing are set by PHP when the 
>>>>>>>>> request comes in from the browser. The fact you changed them in a 
>>>>>>>>> previous request is irrelevant because 1) that change was not 
>>>>>>>>> communicated to the browser in any way, and 2) PHP doesn't retain any 
>>>>>>>>> data between requests [1].
>>>>>>>>> If you've been coding assuming that changes you make to global 
>>>>>>>>> variables are retained between requests you must have been having 
>>>>>>>>> some pretty frustrating times!
>>>>>>>>> -Stuart
>>>>>>>> Not really - this is the first time I've had something not work as 
>>>>>>>> expected.
>>>>>>> That was said with my tongue very much firmly in my cheek, and so is 
>>>>>>> this:
>>>>>>> I've been playing with dynamite since I was 4 - hey, it must be a 
>>>>>>> safe, proper thing to do!
>>>>>>> Just because nothing has blown up in your face yet doesn't mean it 
>>>>>>> won't, and I'm concerned that you might not actually see how important 
>>>>>>> it is to make sure you're using the tool correctly.
>>>>>>> -Stuart
>>>>>> This may very well be the first time with this problem because I haven't 
>>>>>> tried anything like this before.
>>>>>> That said - can you give me some pointers on how to do the JS solution?  
>>>>>> I'm calling a script that is similar to the one I used to signon.  It 
>>>>>> sends out something like:
>>>>>>       header("WWW-Authenticate: Basic realm=\"$realm\"");
>>>>>>       header('HTTP/1.0 401 Unauthorized');
>>>>>>       echo "<h3>You have entered invalid credentials</h3><br>";
>>>>>>       echo "Click <a href='$return_url'>here</a> to return to the menu.";
>>>>>>       exit();
>>>>>> when it doesn't detect the PHP_AUTH_USER or it is an invalid value.
>>>>>> So - to effect a signoff, what does one do?   You said to use an invalid 
>>>>>> value, but what do I do with that?  How do I ignore the 401?   Now I'm 
>>>>>> getting the signin dialog and I'm stuck.
>>>>> You don't need to do anything on the server-side. You simply need a JS 
>>>>> function that sends a request to a URL that requires basic auth, with an 
>>>>> Authenticate header that contains an invalid username and password. Then, 
>>>>> when your server responds with a 401 Authentication required (which it 
>>>>> should already do for an invalid request) you can set location.href to 
>>>>> whatever URL you want the logged out user to see.
>>>>> If you don't know how to make a request from Javascript -- commonly known 
>>>>> as an AJAX request -- then google for it. I'd recommend the jquery 
>>>>> library if you want a very easy way to do it.
>>>>> -Stuart
>>>> I am familiar with an ajax request (xmlhttprequest) and I have a function 
>>>> ready to call a script to effect this signoff.  I just don't know what to 
>>>> put in that php script I'm calling.  From what you just wrote I'm guessing 
>>>> that my headers as shown previously may be close - I'm confused about 
>>>> your mention of "contains an invalid username...".  As you can see from my 
>>>> sample I don't include such a thing.
>>> From the Javascript, request any URL that requires authentication - it 
>>> doesn't matter. When you make the AJAX request, pass an Authentication 
>>> header that contains an invalid username and password. If you don't know 
>>> what I mean by that, please google how HTTP Basic Auth works.
>>> -Stuart
> It's not the basic auth that I'm having the issue with - it's the 'header' 
> thing and understanding what a 401 is doing and how I'm to ignore it.  Never 
> had to play with these things before and this part is all new.  Let's face it 
> - I'm an applications guy, not a systems guy. All this talk of headers and 
> such is greek to me.

HTTP headers are as important for application guys as they are for systems 
guys. I appreciate that this may be new to you, but it's pretty basic knowledge 
about how HTTP works.

Basic auth is simple, and you need to understand how it works to understand 
what I've been trying to say. Here's how HTTP auth works:

1) Browser hits page.
2) The PHP script knows this page requires HTTP Auth, checks the 
PHP_AUTH_[USER|PW] variables but doesn't find anything, so it responds with an 
HTTP status of 401 Unauthorised.
3) The browser gets the 401 response and displays the login box.
4) User enters username and password.
5) Browser sends the request again, but this time with an Authorization header 
containing the username and password. It also caches the username and password 
for use with future requests.
6) PHP populates the PHP_AUTH_[USER|PW] variables with the username and 
password in the Authorization header.
7) The PHP script checks those variables as per step 2, finds them, checks 
they're correct, and then shows the user the page with a 200 OK HTTP response 
(the default with PHP).
8) Every subsequent request the browser sends to that domain will now include 
the Authorization header, so the server will never respond with a 401 status 
again until the browser session ends (i.e. the browser is closed).

So, to log the user out you basically need to override what the browser has 
cached for the username and password. To do this you need to send a request 
with a new username and password (technically just a new username). You can do 
this with a request like http://bogususername:boguspassw...@www.example.com/ 
but the 401 response the server returns will cause the browser to display a 
login box, which is probably not what you want.

So, we do it with Javascript. Send a request using AJAX to any URL that 
requires authentication, setting our own Authorization header with an invalid 
username and password. PHP will see that the username and password are 
incorrect and will respond with a 401 status as per step 2 above, but step 3 
will not happen because AJAX requests don't reach the browser's default 
response handlers (i.e. 401 == display login box).

When our Javascript gets the response it simply redirects the user to a page 
telling them they've successfully logged out, or whatever you want them to see. 
The only reason this works is that the browser has now cached the bogus 
username and password you sent in the AJAX request, so if/when the user then 
hits another page that requires authentication they will get the login box 
because those cached details are not valid.

To send the Authorization header with XMLHttpRequest there are username and 
password parameters to the open method: 

Hopefully this makes more sense now.


Stuart Dallas
3ft9 Ltd
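As an added illustration of the exchange Stuart describes (not code from the thread or from either poster): a Node-runnable model of the Basic Auth flow and the AJAX logout trick. The server, the browser's credential cache and XMLHttpRequest are all simulated here; the names `handleRequest`, `makeFakeXhr` and `logoutViaBogusAuth` are assumptions for this example, and in a real page you would pass `logoutViaBogusAuth` a genuine XMLHttpRequest and a `navigate` callback that sets `location.href`.

```javascript
// What the browser puts in the Authorization header once it has credentials (step 5).
function basicAuthHeader(username, password) {
  return 'Basic ' + Buffer.from(`${username}:${password}`, 'latin1').toString('base64');
}

// Server side, steps 2, 6 and 7: decode the header the way PHP fills
// PHP_AUTH_USER / PHP_AUTH_PW, then answer 200 or 401 + WWW-Authenticate.
function handleRequest(authHeader, validUsers, realm = 'Members') {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(authHeader || '');
  if (m) {
    const decoded = Buffer.from(m[1], 'base64').toString('latin1');
    const idx = decoded.indexOf(':');
    const user = decoded.slice(0, idx);
    if (idx > 0 && validUsers[user] === decoded.slice(idx + 1)) {
      return { status: 200 };
    }
  }
  return { status: 401, 'WWW-Authenticate': `Basic realm="${realm}"` };
}

// Stand-in for XMLHttpRequest (simulated, not a real browser object): it keeps the
// credentials given to open() in `cache` (the browser's step-8 cache) and on
// send() builds the header and hands the request to handleRequest().
function makeFakeXhr(validUsers, cache) {
  const xhr = { readyState: 0, status: 0, onreadystatechange: null };
  xhr.open = (method, url, isAsync, user, pw) => {
    if (user !== undefined) { cache.user = user; cache.pw = pw; }
  };
  xhr.send = () => {
    const header = cache.user === undefined ? null : basicAuthHeader(cache.user, cache.pw);
    xhr.status = handleRequest(header, validUsers).status;
    xhr.readyState = 4;
    if (xhr.onreadystatechange) xhr.onreadystatechange();
  };
  return xhr;
}

// Client side: request any protected URL with bogus credentials through open()'s
// username/password parameters so the browser overwrites what it cached. The 401
// comes back to our handler instead of triggering the login box (step 3).
function logoutViaBogusAuth(xhr, protectedUrl, loggedOutUrl, navigate) {
  xhr.onreadystatechange = () => {
    if (xhr.readyState === 4 && xhr.status === 401) navigate(loggedOutUrl);
  };
  xhr.open('GET', protectedUrl, true, 'bogususername', 'boguspassword');
  xhr.send();
}
```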
PHP General Mailing List (http://www.php.net/)