At 18:04 27.11.2002, 1LT John W. Holmes spoke out and said:
--------------------[snip]--------------------
>I'm surprised that is actually working, since you never register $auth into
>the session.
--------------------[snip]-------------------- 

Nothing to do with session... Here PHP_AUTH is used, so once logged in the
browser always transmits the realm's auth info. The script is constantly
looking up the database. Some kind of overkill... and also a drawback in
using the HTTP/Auth method. You cannot keep the browser from transmitting
auth info for the same realm.

If PHP_AUTH is to be used I'd suggest using a dynamic realm to keep the
browser from auto-logging in, something like this:

    session_start(); // the flag below lives in the session

    // $_SERVER is used instead of the register_globals variables
    if (empty($_SESSION['authorized']) &&
        isset($_SERVER['PHP_AUTH_USER']) &&
        isset($_SERVER['PHP_AUTH_PW'])) {
        // do the database lookup here, if successful:
        $_SESSION['authorized'] = true;
    }
    // no "else" here!
    if (empty($_SESSION['authorized'])) {
        $realm = date('Y/M/d H:i:s');
        header('WWW-Authenticate: ' .
               'Basic realm="Pushpinder Singh\'s World ' .
               "($realm)\""); // note the closing quote of the realm
        header('HTTP/1.0 401 Unauthorized');
        echo 'Authorization Required.';
        exit;
    }

Do not destroy the session upon logout, just unset the auth variable:
    unset($_SESSION['authorized']);

This will create a "unique" realm due to the use of date/time, so when the
user logs off he will be presented with a 401 response, even if the browser
has cached the login info from the previous login attempt. Another realm,
another game.

Disclaimer: untested, as usual.


-- 
   >O Ernest E. Vogelsinger 
   (\) ICQ #13394035 
    ^ http://www.vogelsinger.at/
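A fuller version of the approach above, as an added example that is not part of Ernest's post: it keeps the session flag and the rotated realm, but uses a random per-session nonce (stored as the assumed key `realm_nonce`) instead of the date, reads the credentials from `$_SERVER`, and checks them with `password_verify()` against a constructed in-script user table standing in for the database lookup.

```php
<?php
// Added example, not from the original post. Users table is constructed
// inline; a real deployment does the database lookup the post describes.
session_start();
$users = [
    // hash computed here only to keep the demo self-contained
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Realm tied to a random nonce kept in the session: stable while the user
// is authorized, rotated on logout so the browser's cached credentials no
// longer belong to a realm we are willing to accept.
function realm_for_session(): string {
    if (empty($_SESSION['realm_nonce'])) {
        $_SESSION['realm_nonce'] = bin2hex(random_bytes(8));
    }
    return 'Members (' . $_SESSION['realm_nonce'] . ')';
}

function send_401(string $realm): void {
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
}

// Logout: keep the session, drop the flag, rotate the realm. The browser
// will still resend the old credentials, but the new realm forces a prompt.
if (isset($_GET['logout'])) {
    unset($_SESSION['authorized'], $_SESSION['user'], $_SESSION['realm_nonce']);
    send_401(realm_for_session());
}

if (empty($_SESSION['authorized'])
    && isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    $user = $_SERVER['PHP_AUTH_USER'];
    if (isset($users[$user]) && password_verify($_SERVER['PHP_AUTH_PW'], $users[$user])) {
        session_regenerate_id(true); // fresh session id on privilege change
        $_SESSION['authorized'] = true;
        $_SESSION['user'] = $user;
    }
}

// No "else": an unauthorized request always ends in a 401 with the realm.
if (empty($_SESSION['authorized'])) {
    send_401(realm_for_session());
}

echo 'Welcome, ' . htmlspecialchars($_SESSION['user']) . ' <a href="?logout=1">logout</a>';
```

Because the browser keeps replaying Basic credentials for the whole URL space, the only thing that ends the login from the server side is the session flag plus the realm change; the credentials themselves remain valid and are re-verified on the next prompt.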
