Hi all,

I have the following script that (in theory) would work:

<?php

function authenticate() {
    header("WWW-Authenticate: Basic realm=\"Member Area\"");
    header("HTTP/1.0 401 Unauthorized");
    print("You must enter a valid login username and password to access this resource.\n");
    exit;
}

if (!isset($PHP_AUTH_USER)) {
    authenticate();
} else {
    $c = mysql_pconnect("localhost","XXXXX","XXXXX");
    mysql_select_db("httpauth",$c);
    $q=sprintf("SELECT username, password FROM login_table
                WHERE username='%s' AND password='%s'",
               $PHP_AUTH_USER,$PHP_AUTH_PW);
    $q=mysql_query($q);

    if (mysql_num_rows($q) == 0 ) {
        authenticate();
    }

    // Open or create the .htpasswd file - store the username and a fake password

    $handle = fopen ("/path/to/file/.htpasswd", "a+");

    // .htpasswd format is: USERNAME:PASSWORD

    $clean = rand(0,9999999999);

    $fake_password = crypt($clean,substr($clean,0,2));

    $string = "$PHP_AUTH_USER:$fake_password\n";

    fwrite($handle, $string);

    fclose($handle);

    // print "You are logged in as: $PHP_AUTH_USER with password $PHP_AUTH_PW - FAKE IS: $fake_password";

    $url = "http://$PHP_AUTH_USER:$clean@server/member/index.php";

    header ("Content-Location: $url");

}

?>

So here are the basics: The user authenticates using HTTP auth against a
MySQL database - if the username and password are correct then a NEW entry is
created in a .htpasswd file - this file contains the username along with an
unknown password. Why? To prevent people from posting passwords... (we can
monitor the number of logins from the PHP script).

If I make a Location: username:password@server/ then it simply fails :(
However if I make a metatag with a refresh (GET) to the same url then it
works just fine.

Am I missing something? Or?

Your input and help is appreciated - please answer to this email as well :-)



Thanks in advance

Regards


--
Lasse Laursen <[EMAIL PROTECTED]> - Systems Developer
NetGroup A/S, St. Kongensgade 40H, DK-1264 København K, Denmark
Phone: +45 3370 1526 - Fax: +45 3313 0066 - Web: www.netgroup.dk

- Don't be fooled by cheap Finnish imitations; BSD is the One True Code



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
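
The credential check and one-time .htpasswd entry from the script above, as an added example that is not part of the original post: the lookup uses a bound parameter instead of sprintf-built SQL, the throwaway password comes from the CSPRNG, and the username is validated before it is written to the flat file. Assumptions: PHP 7.1+ with PDO, login_table.password holding password_hash() output, and Apache 2.4 (bcrypt entries in .htpasswd); check_login() and htpasswd_entry() are hypothetical helper names.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7.1+, PDO for MySQL,
// password_hash() output in login_table.password, Apache 2.4 for bcrypt.

function authenticate(): void {
    header('WWW-Authenticate: Basic realm="Member Area"');
    header('HTTP/1.0 401 Unauthorized');
    exit("You must enter a valid login username and password.\n");
}

// Bound parameter: the submitted username never becomes part of the SQL text.
function check_login(PDO $db, string $user, string $pass): bool {
    $st = $db->prepare('SELECT password FROM login_table WHERE username = ?');
    $st->execute([$user]);
    $hash = $st->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

// Build one "USERNAME:HASH" line for a throwaway password from the CSPRNG.
// Returns [token, line], or null if the name could break the file format.
function htpasswd_entry(string $user): ?array {
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,32}\z/', $user)) {
        return null; // rejects ':' and line breaks, which would corrupt .htpasswd
    }
    $token = bin2hex(random_bytes(16));
    return [$token, $user . ':' . password_hash($token, PASSWORD_BCRYPT) . "\n"];
}

$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';
if ($user === null) {
    authenticate();
}
$db = new PDO('mysql:host=localhost;dbname=httpauth', 'XXXXX', 'XXXXX',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$entry = check_login($db, $user, $pass) ? htpasswd_entry($user) : null;
if ($entry === null) {
    authenticate();
}
// LOCK_EX keeps concurrent logins from interleaving partial lines.
file_put_contents('/path/to/file/.htpasswd', $entry[1], FILE_APPEND | LOCK_EX);
```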