> From: Varsha Agarwal [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, July 10, 2002 4:30 PM
>
> I thought it will ask some user name and password thing but it just
> displays me the string "text to send if user hits cancel".
> This is the code:
>
> <?php
> header("WWW-Authenticate: Basic realm=\"My Realm\"");
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  Get rid of the above statement
>
> if (!isset($_SERVER['PHP_AUTH_USER'])) {
>     header("WWW-Authenticate: Basic realm=\"My Realm\"");
>     header("HTTP/1.0 401 Unauthorized");
>     echo "Text to send if user hits Cancel button\n";
>     exit;
> } else {
>     echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
>     echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
> }
> ?>

<?php
header("WWW-Authenticate: Basic realm=\"My Realm\"");
header("HTTP/1.0 401 Unauthorized");
?>

The above two statements will cause the browser to pop up the login window
and pass any input (including none) back to the page. Any user input will
be in the two $_SERVER vars. Typically you'd validate this with a db or
something, and allow access if the user id and password validate.

HTTP Auth in HTTP/1.0 isn't secure as the credentials are sent clear text
to the server on every GET request, so on a page with images and such it's
sent several times. Also, there's no way to sign out other than closing
all of the browser windows.

It's better to design a session based solution, with a login page, and set
a session variable(s) indicating the user is authorized so the user
id/password are only sent once, and you can control session timeout to
require re-logging in after some interval of inactivity. You'd also have
to consider session hijacking, which is covered in the archives.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php