At 18:04 27.11.2002, 1LT John W. Holmes spoke out and said:
>I'm surprised that is actually working, since you never register $auth into
>the session.

Nothing to do with session... Here PHP_AUTH is used, so once logged in the
browser always transmits the realm's auth info. The script is constantly
looking up the database. Some kind of overkill... and also a drawback in
using the HTTP/Auth method. You cannot keep the browser from transmitting
auth info for the same realm.

If PHP_AUTH is to be used I'd suggest using a dynamic realm to keep the
browser from auto-logging in, some kind of this:

    if (!$_SESSION['authorized'] && 
        isset( $PHP_AUTH_USER ) && 
        isset($PHP_AUTH_PW)) {
            // do the database lookup here, if successful:
            $_SESSION['authorized'] = true;
    // no "else" here!
    if (!$_SESSION['authorized']) {
        $realm = date('Y/M/d H:i:s');
        header('WWW-Authenticate: ' .
               'Basic realm="Pushpinder Singh\'s World ' .
        header( 'HTTP/1.0 401 Unauthorized' );
        echo 'Authorization Required.'; 

Do not destroy the session upon logout, just unset the auth variable:

This will create a "unique" realm due to the use of date/time, so when the
user logs off he will be presented with a 401 response, even if the browser
has cached the login info from the previous login attempt. Another realm,
another game.

Disclaimer: untested, as usual.

   >O Ernest E. Vogelsinger 
   (\) ICQ #13394035 

Reply via email to