[PHP] HTTP authentication logout
I am using HTTP authentication to restrict access to certain pages and I want to add a logout option so that users must reauthenticate before being able to view the pages again. Here is the code I'm using to authenticate:

This page requires a user name and password to view."); endPage(); } ?>

For the logout option I tried just setting $PHP_AUTH_USER="" and $PHP_AUTH_PW="" but that didn't work. Any ideas on how I can do this?

---
David A. Dickson
[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP authentication : logout!!!
On 08-May-01 Mauricio Souza Lima wrote:
>
> Cool, you have found another way!
> So the realm makes a difference? A user logged in a realm isn't the same in
> other realm? Very cool...

Not quite, the realm is a string to present to the login dialog box; it has no effect on the credentials in this example. But you could code such a thing.

> Explain better your solution to us.
>

'Kay

>> logoff.php3:
>>
>> $fname="tmp/$PHP_AUTH_USER";
>> touch($fname);

create a lockfile tmp/loginname

>> Header("Location: http://www.mydomain.com/index.html");

& send them to a non-protected page.

>> secure.php3:
>>
>> function checklogin($user,$pass='',$realm='') {

here $realm is some unused glue for orthogonal function() calls

>>   $fname="tmp/$user";
>>   if (file_exists($fname)) {

check if tmp/loginname exists

>>     unlink($fname); // delete it
>>     return(false);
>>   }

if we got this far, they either
1. didn't hit logoff
2. they did and already got the 401-(Re)Authenticate

>>   $query="select login from users
>>     where login='$user' and password=PASSWORD('$pass')";
>>   // echo $query .'';
>>   $result = mysql_query( $query);
>>   $row = mysql_fetch_object($result);
>>   if ($row) {
>>     return(true);
>>   }
>>   return(false);
>> }
>>

Basically it's a spin-lock file that is checked on login ... could just as easily be done as a shared semaphore, DB entry, whatever.

Regards,
--
Don Read [EMAIL PROTECTED]
-- It's always darkest before the dawn. So if you are going to
   steal the neighbor's newspaper, that's the time to do it.
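The lock-file logoff described above, as an added example that is not part of Don Read's post: it verifies the password before looking at the flag, so a request carrying a wrong password cannot consume the flag; it binds the login name in a prepared statement; and it names the flag file by a hash of the login rather than by the login itself. The users(login, pwhash) table, the flag directory and all function names are assumptions, and the demo at the bottom runs on constructed data.

```php
<?php
// Added example, not code from the thread. Assumed names: the users(login, pwhash)
// table, the flag directory, and every function below.

// Flag file named by a hash, so the login name never becomes part of a path.
function flagPath(string $user): string {
    $dir = sys_get_temp_dir() . '/logoff-flags';  // assumption: not web-served
    if (!is_dir($dir)) {
        mkdir($dir, 0700, true);
    }
    return $dir . '/' . hash('sha256', $user);
}

// Bound parameter instead of interpolating $user into the SQL string.
function verifyPassword(PDO $db, string $user, string $pass): bool {
    $st = $db->prepare('SELECT pwhash FROM users WHERE login = ?');
    $st->execute([$user]);
    $hash = $st->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

// True only for valid credentials with no pending logoff flag.
function checkLogin(PDO $db, string $user, string $pass): bool {
    if (!verifyPassword($db, $user, $pass)) {
        return false;            // a failed login leaves the flag untouched
    }
    $flag = flagPath($user);
    if (is_file($flag)) {
        unlink($flag);           // consume the flag: forces one 401 re-prompt
        return false;
    }
    return true;
}

// Protected pages call this; a logoff page calls it, then touch(flagPath($user)).
function requireAuth(PDO $db, string $realm = 'Access'): string {
    $user = $_SERVER['PHP_AUTH_USER'] ?? null;
    if ($user === null || !checkLogin($db, $user, $_SERVER['PHP_AUTH_PW'] ?? '')) {
        header('WWW-Authenticate: Basic realm="' . $realm . '"', true, 401);
        exit('Authorization Required.');
    }
    return $user;
}

// Constructed CLI demo: in-memory SQLite stands in for the users table.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (login TEXT PRIMARY KEY, pwhash TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', password_hash('s3cret', PASSWORD_DEFAULT)]);
touch(flagPath('alice'));                      // alice hits logoff
var_dump(checkLogin($db, 'alice', 'wrong'));   // request with a wrong password
var_dump(checkLogin($db, 'alice', 's3cret'));  // browser replays cached credentials
var_dump(checkLogin($db, 'alice', 's3cret'));  // alice re-enters her password
```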
Re: [PHP] HTTP authentication : logout!!!
Cool, you have found another way!
So the realm makes a difference? A user logged in a realm isn't the same in other realm? Very cool...

Explain better your solution to us.

Regards,

Don Read wrote:
>
> On 07-May-01 Mauricio Souza Lima wrote:
>
> > And you have to inform the user to clean the password field, click ok,
> > then the pop-up will open again, then user click in cancel.
> >
> > I just know that way to do. If anyone know another way, Postit!
> >
>
> create a tmp directory
>
> logoff.php3:
>
> require('secure.php3');
> authuser("Logoff"); // validate user (possible Dos attack here)
>
> $fname="tmp/$PHP_AUTH_USER";
> touch($fname);
> Header("Location: http://www.mydomain.com/index.html");
>
> -
>
> secure.php3:
>
> function checklogin($user,$pass='',$realm='') {
>   if (! dbInit()) {
>     echo "\n\n";
>     die("Unable to contact database server");
>   }
>
>   $fname="tmp/$user";
>   if (file_exists($fname)) {
>     unlink($fname);
>     return(false);
>   }
>   $query="select login from users
>     where login='$user' and password=PASSWORD('$pass')";
>   // echo $query .'';
>   $result = mysql_query( $query);
>   $row = mysql_fetch_object($result);
>   if ($row) {
>     return(true);
>   }
>   return(false);
> }
>
> function authheader($realm) {
>   Header('WWW-authenticate: basic realm="'.$realm .'"');
>   Header('HTTP/1.0 401 Unauthorized');
>   echo "\n\n";
> }
>
> function authuser($realm='Access') {
>   global $PHP_AUTH_USER, $PHP_AUTH_PW;
>
>   if (! (isset($PHP_AUTH_USER)) ) {
>     authheader($realm);
>     exit;
>   }
>   if (! (checklogin($PHP_AUTH_USER, $PHP_AUTH_PW, $realm)) ) {
>     authheader($realm);
>     echo 'Failed Login';
>     exit;
>   }
> }
>
> Regards,
> --
> Don Read [EMAIL PROTECTED]
> -- It's always darkest before the dawn. So if you are going to
>    steal the neighbor's newspaper, that's the time to do it.

--
Mauricio Souza Lima
Programmer - Catho ONLINE
[EMAIL PROTECTED]
www.catho.com.br
[EMAIL PROTECTED]
Re: [PHP] HTTP authentication : logout!!!
On 07-May-01 Mauricio Souza Lima wrote:

> And you have to inform the user to clean the password field, click ok,
> then the pop-up will open again, then user click in cancel.
>
> I just know that way to do. If anyone know another way, Postit!
>

create a tmp directory

logoff.php3:

    require('secure.php3');
    authuser("Logoff"); // validate user (possible Dos attack here)

    $fname="tmp/$PHP_AUTH_USER";
    touch($fname);
    Header("Location: http://www.mydomain.com/index.html");

-

secure.php3:

    function checklogin($user,$pass='',$realm='') {
      if (! dbInit()) {
        echo "\n\n";
        die("Unable to contact database server");
      }

      $fname="tmp/$user";
      if (file_exists($fname)) {
        unlink($fname);
        return(false);
      }
      $query="select login from users
        where login='$user' and password=PASSWORD('$pass')";
      // echo $query .'';
      $result = mysql_query( $query);
      $row = mysql_fetch_object($result);
      if ($row) {
        return(true);
      }
      return(false);
    }

    function authheader($realm) {
      Header('WWW-authenticate: basic realm="'.$realm .'"');
      Header('HTTP/1.0 401 Unauthorized');
      echo "\n\n";
    }

    function authuser($realm='Access') {
      global $PHP_AUTH_USER, $PHP_AUTH_PW;

      if (! (isset($PHP_AUTH_USER)) ) {
        authheader($realm);
        exit;
      }
      if (! (checklogin($PHP_AUTH_USER, $PHP_AUTH_PW, $realm)) ) {
        authheader($realm);
        echo 'Failed Login';
        exit;
      }
    }

Regards,
--
Don Read [EMAIL PROTECTED]
-- It's always darkest before the dawn. So if you are going to
   steal the neighbor's newspaper, that's the time to do it.
RE: [PHP] HTTP authentication : logout!!!
I too have never been happy with the way PHP handles actual secure sessions. GameDesign was written to entirely use session based access. Both the main user site, and the admin backend use it, and it works quite well.

- John Vanderbeck
- Admin, GameDesign (http://gamedesign.incagold.com/)
- GameDesign, the industry source for game design and development issues

> -----Original Message-----
> From: Robert Covell [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 07, 2001 9:14 AM
> To: Martín Marqués; elias
> Cc: [EMAIL PROTECTED]
> Subject: RE: [PHP] HTTP authentication : logout!!!
>
>
> I must support this fashion of "login" and "logout". I have never been able
> to find a way to clear the browser of the username and password. Once I
> combined sessions with a date and timestamp in the realm, it worked like a
> charm.
>
> Sincerely,
>
> Robert T. Covell
> President / Owner
> Rolet Internet Services, LLC
> Web: www.rolet.com
> Email: [EMAIL PROTECTED]
> Phone: 816.210.7145
> Fax: 816.753.1952
>
> -----Original Message-----
> From: Martín Marqués [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 07, 2001 2:13 AM
> To: elias
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] HTTP authentication : logout!!!
>
>
> On Tue 08 May 2001 02:07, you wrote:
> > Never tried it though...but can you try to empty or unset the
> > $PHP_AUTH_USER/PWD ?
>
> This doesn't work, that's why I use a login html page and sessions. :-)
>
> Regards... :-)
>
> --
> The best operating system is the one that puts food on your table.
> Watch your diet.
> -
> Martin Marques             | [EMAIL PROTECTED]
> Programmer, Administrator  | Centro de Telematica
>                              Universidad Nacional del Litoral
> -
RE: [PHP] HTTP authentication : logout!!!
I must support this fashion of "login" and "logout". I have never been able to find a way to clear the browser of the username and password. Once I combined sessions with a date and timestamp in the realm, it worked like a charm.

Sincerely,

Robert T. Covell
President / Owner
Rolet Internet Services, LLC
Web: www.rolet.com
Email: [EMAIL PROTECTED]
Phone: 816.210.7145
Fax: 816.753.1952

-----Original Message-----
From: Martín Marqués [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 2:13 AM
To: elias
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] HTTP authentication : logout!!!

On Tue 08 May 2001 02:07, you wrote:
> Never tried it though...but can you try to empty or unset the
> $PHP_AUTH_USER/PWD ?

This doesn't work, that's why I use a login html page and sessions. :-)

Regards... :-)

--
The best operating system is the one that puts food on your table.
Watch your diet.
-
Martin Marques             | [EMAIL PROTECTED]
Programmer, Administrator  | Centro de Telematica
                             Universidad Nacional del Litoral
-
Re: [PHP] HTTP authentication : logout!!!
On Tue 08 May 2001 02:07, you wrote:
> Never tried it though...but can you try to empty or unset the
> $PHP_AUTH_USER/PWD ?

This doesn't work, that's why I use a login html page and sessions. :-)

Regards... :-)

--
The best operating system is the one that puts food on your table.
Watch your diet.
-
Martin Marques             | [EMAIL PROTECTED]
Programmer, Administrator  | Centro de Telematica
                             Universidad Nacional del Litoral
-
RE: [PHP] HTTP authentication : logout!!!
$PHP_AUTH_USER = "";
$PHP_AUTH_PW = "";

Ought to do it.

> From: Thomas Edison Jr. [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 07, 2001 8:39 AM
> To: [EMAIL PROTECTED]
> Subject: [PHP] HTTP authentication : logout!!!

> Now I would like to create a logout link after clicking
> on which, whenever you click on a page using auth, the
> auth box should pop-up again and you must feed in your
> user/pass. What should this logout page contain? what
> coding do I have to do?
Re: [PHP] HTTP authentication : logout!!!
It doesn't work, what you have to do is that:

In the logout.php:

-- Logout Sucessful --

And you have to inform the user to clean the password field, click ok, then the pop-up will open again, then user click in cancel.

I just know that way to do. If anyone know another way, Postit!

elias wrote:
>
> Never tried it though...but can you try to empty or unset the
> $PHP_AUTH_USER/PWD ?
>
> -elias
> http://www.eassoft.cjb.net
>
> ""Thomas Edison Jr."" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > I'm using http authentication for my php pages
> > (members area). Once you login correctly, then you can
> > access any page as the authentication box doesn't
> > pop-up.
> >
> > Now I would like to create a logout link after clicking
> > on which, whenever you click on a page using auth, the
> > auth box should pop-up again and you must feed in your
> > user/pass. What should this logout page contain? what
> > coding do I have to do?
> > From what I understand, there is a $auth which is
> > "False" by default. When auth is successful, it
> > contains "True". And once it's true, the auth box
> > doesn't pop-up. I understand that probably clicking on
> > this "logout" link should again make $auth false. But
> > then $auth is on a lot of pages, how does this $auth
> > on logout.php3 make all the other $auth's false?
> >
> > or is there some other way?
> >
> > the code I'm using for auth is :
> >
> > ***
> > <?php
> > $auth = false; // Assume user is not authenticated
> > if (isset( $PHP_AUTH_USER ) && isset($PHP_AUTH_PW)) {
> >
> >     mysql_connect('localhost','root') or die ( 'Unable to connect to server.' );
> >     mysql_select_db( 'skynet' ) or die ( 'Unable to select database.' );
> >
> >     // Formulate the query
> >
> >     $sql = "SELECT * FROM register WHERE
> >             username = '$PHP_AUTH_USER' AND
> >             password = '$PHP_AUTH_PW'";
> >
> >     // Execute the query and put results in $result
> >
> >     $result = mysql_query( $sql ) or die ( 'Unable to execute query.' );
> >
> >     // Get number of rows in $result.
> >     $num = mysql_numrows( $result );
> >     if ( $num != 0 ) {
> >
> >         // A matching row was found - the user is authenticated.
> >
> >         $auth = true;
> >     }
> > }
> >
> > if ( ! $auth ) {
> >
> >     header( 'WWW-Authenticate: Basic realm="Private"' );
> >     header( 'HTTP/1.0 401 Unauthorized' );
> >     echo 'Authorization Required.';
> >     exit;
> >
> > } else {
> >
> >     // %%stuff 2 do%%
> >
> > }
> > ?>
> > ***
> >
> > Regards,
> > T. Edison jr.
> >
> > =
> > Rahul S. Johari (Director)
> > **
> > Abraxas Technologies Inc.
> > Homepage : http://www.abraxastech.com
> > Email : [EMAIL PROTECTED]
> > Tel : 91-4546512/4522124
> > ***

--
Mauricio Souza Lima
Programmer - Catho ONLINE
[EMAIL PROTECTED]
www.catho.com.br
[EMAIL PROTECTED]
Re: [PHP] HTTP authentication : logout!!!
Never tried it though...but can you try to empty or unset the $PHP_AUTH_USER/PWD ?

-elias
http://www.eassoft.cjb.net

""Thomas Edison Jr."" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> I'm using http authentication for my php pages
> (members area). Once you login correctly, then you can
> access any page as the authentication box doesn't
> pop-up.
>
> Now I would like to create a logout link after clicking
> on which, whenever you click on a page using auth, the
> auth box should pop-up again and you must feed in your
> user/pass. What should this logout page contain? what
> coding do I have to do?
> From what I understand, there is a $auth which is
> "False" by default. When auth is successful, it
> contains "True". And once it's true, the auth box
> doesn't pop-up. I understand that probably clicking on
> this "logout" link should again make $auth false. But
> then $auth is on a lot of pages, how does this $auth
> on logout.php3 make all the other $auth's false?
>
> or is there some other way?
>
> the code I'm using for auth is :
>
> ***
> <?php
> $auth = false; // Assume user is not authenticated
> if (isset( $PHP_AUTH_USER ) && isset($PHP_AUTH_PW)) {
>
>     mysql_connect('localhost','root') or die ( 'Unable to connect to server.' );
>     mysql_select_db( 'skynet' ) or die ( 'Unable to select database.' );
>
>     // Formulate the query
>
>     $sql = "SELECT * FROM register WHERE
>             username = '$PHP_AUTH_USER' AND
>             password = '$PHP_AUTH_PW'";
>
>     // Execute the query and put results in $result
>
>     $result = mysql_query( $sql ) or die ( 'Unable to execute query.' );
>
>     // Get number of rows in $result.
>     $num = mysql_numrows( $result );
>     if ( $num != 0 ) {
>
>         // A matching row was found - the user is authenticated.
>
>         $auth = true;
>     }
> }
>
> if ( ! $auth ) {
>
>     header( 'WWW-Authenticate: Basic realm="Private"' );
>     header( 'HTTP/1.0 401 Unauthorized' );
>     echo 'Authorization Required.';
>     exit;
>
> } else {
>
>     // %%stuff 2 do%%
>
> }
> ?>
> ***
>
> Regards,
> T. Edison jr.
>
> =
> Rahul S. Johari (Director)
> **
> Abraxas Technologies Inc.
> Homepage : http://www.abraxastech.com
> Email : [EMAIL PROTECTED]
> Tel : 91-4546512/4522124
> ***
[PHP] HTTP authentication : logout!!!
I'm using http authentication for my php pages (members area). Once you login correctly, then you can access any page as the authentication box doesn't pop-up.

Now I would like to create a logout link after clicking on which, whenever you click on a page using auth, the auth box should pop-up again and you must feed in your user/pass. What should this logout page contain? what coding do I have to do?

From what I understand, there is a $auth which is "False" by default. When auth is successful, it contains "True". And once it's true, the auth box doesn't pop-up. I understand that probably clicking on this "logout" link should again make $auth false. But then $auth is on a lot of pages, how does this $auth on logout.php3 make all the other $auth's false?

or is there some other way?

the code I'm using for auth is :

***
***

Regards,
T. Edison jr.

=
Rahul S. Johari (Director)
**
Abraxas Technologies Inc.
Homepage : http://www.abraxastech.com
Email : [EMAIL PROTECTED]
Tel : 91-4546512/4522124
***