[PHP] Re: IE 5.5,authentication,PHP sessions: IE never stops

2001-03-05 Thread Ken

At 10:56 AM 3/5/01 -0600, John Henckel wrote:
> 1. open mytest.php and when the password prompt appears, I enter a userid/password.
> 2. I see the "Hello" page with my userid and password.
> 3. close IE and reopen mytest.php, again the prompt appears -- this is good.
> 4. close IE and Restart Windows.
> 5. open mytest.php and when the password prompt appears, I hit CANCEL.
> 6. the message "Sorry you are not authorized" appears
> 7. in the address box I type www.google.com and wait for it to appear
> 8. I press the BACK button and guess what I see?  I see the "Hello" page with my
> userid and password from step 2 !!  apparently the page is retrieved from
> the browser cache.

This is exactly one of the things I was complaining about: It is NOT a browser cache 
issue - it still remembers your username and password, and will continue to send it 
with page requests.  This happens when you hit "cancel" on the new password prompt.  
You'd think it would forget the username and password at this point, but it doesn't.  
You have to clear the password field and hit OK.  Crazy, huh?

- Ken


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




[PHP] Re: IE 5.5,authentication,PHP sessions: IE never stops

2001-03-05 Thread Ken

At 02:39 PM 3/5/01 -0500, Chris Poirier wrote:
> There is a suggestion in the PHP online documentation that has worked for
> me (except in Opera 5, which seems to ignore the Realm).  Add a timestamp
> to the Realm that changes with each new session.  IE 5.0 will prompt for a
> different password, because it sees it as a different login.

This is, in fact, what my system attempts to do.  The catch is that I CAN'T change the 
realm with a new session...because I don't GET a new session, because IE 5.5 is not 
starting a new session when it should!

Indeed, when I change the realm, I get the prompt.  But I can't tell when the user 
closed his browser and started a new one, because IE 5.5 (on the machines I'm testing 
on) is still keeping the old session, acting like the browser never closed.

Again, my system works perfectly on the other browsers I've tried.  It changes the 
realm when appropriate.  It sets a flag in the database when the user hits logout.  
And it works the way it should.  Just in IE 5.5 (on the machines I'm testing on) do I 
get this horrible behavior.

- Ken

> Later, Chris.






RE: [PHP] Re: IE 5.5,authentication,PHP sessions: IE never stops

2001-03-04 Thread Don Read


On 04-Mar-01 Ken wrote:
> Thanks for the idea, John.
>
> I know about the auth logout.  Unfortunately, that means that when a user
> clicks "logout", he gets a "log in" prompt!  And, in IE, he has to
> deliberately blank out the password field, THEN hit enter, THEN the prompt
> will come again, and he has to hit escape.

<snip>

> Any suggestions?
>

I'm still playing with this but ...

My script handles the authentication against a MySQL table;
and this might (probably) have to get tweaked to play well with .htaccess

The logout script creates a "mark" (tmpfile, db entry, whatever)
then redirects to a non-protected page. 

On entry to a protected script:

function authuser($realm) {
  global $PHP_AUTH_USER, $PHP_AUTH_PW;

  // The logout script left a mark for this user: clear it and answer 401
  // once, so the browser has to ask for the credentials again.
  if (isset($PHP_AUTH_USER) && markset($PHP_AUTH_USER)) {
    markunset($PHP_AUTH_USER);
    // send a 401 to force re-authenticate
    Header('WWW-authenticate: basic realm="'.$realm.'"');
    Header('HTTP/1.0 401 Unauthorized');
    echo "\n\n";
    echo '<META HTTP-EQUIV="Refresh" CONTENT="1; URL='.SITEHOME.'/">';
    exit;
  }

  // No credentials sent, or credentials that fail validation: challenge.
  // (As posted, a request without credentials fell through to return(true).)
  if (!isset($PHP_AUTH_USER) || !validlogin($PHP_AUTH_USER, $PHP_AUTH_PW, $realm)) {
    Header('WWW-authenticate: basic realm="'.$realm.'"');
    Header('HTTP/1.0 401 Unauthorized');
    echo '<META HTTP-EQUIV="Refresh" CONTENT="1; URL='.SITEHOME.'/">';
    echo '<CENTER>Failed Login<P>Invalid name or password</CENTER>';
    exit;
  }
  return(true);
}


Regards,
-- 
Don Read [EMAIL PROTECTED]
-- If you are going to sin, sin against God, not the bureaucracy. 
  God will forgive you but the bureaucrats won't. 





[PHP] Re: IE 5.5,authentication,PHP sessions: IE never stops

2001-03-04 Thread Ken

At 03:11 PM 3/4/01 -0600, Don Read wrote:
> On 04-Mar-01 Ken wrote:
>> I know about the auth logout.  Unfortunately, that means that when a user
>> clicks "logout", he gets a "log in" prompt!  And, in IE, he has to
>> deliberately blank out the password field, THEN hit enter, THEN the prompt
>> will come again, and he has to hit escape.
>
> I'm still playing with this but ...
>
> My script handles the authentication against a MySQL table;
> and this might (probably) have to get tweaked to play well with .htaccess
>
> The logout script creates a "mark" (tmpfile, db entry, whatever)
> then redirects to a non-protected page.

My script does something very similar, but it's more advanced than that, because it 
handles these various scenarios:

- Someone clicks "logout", then closes browser, then starts new browser and logs in as 
same or different user
- Someone clicks "logout", then tries to log in again as same or different user
- Someone just closes browser, without clicking "logout"

This would all work perfectly if it weren't for IE5.5 completely refusing to behave 
like it has closed when it has closed.  So I have to require IE5.5 users to click 
logout, which is really no good.

Your script suffers the same problem: An IE5.5 user in the 3rd scenario would just get 
logged right back on without being prompted.

- Ken






[PHP] Re: IE 5.5,authentication,PHP sessions: IE never stops

2001-03-04 Thread Ken

At 03:18 PM 3/4/01 -0800, Michael A. Peters wrote:
...
> Generally, I don't think a login prompt when a user clicks logout is such a bad thing.
>
> It lets the user know they are logged out, and the software is waiting for another
> login.
>
> If they choose to go elsewhere, that's fine.

Why it's bad is that, if the user clicks "cancel", they are not logged out.  They have 
to manually clear the field, THEN OK, then they get prompted AGAIN, THEN they hit 
cancel.  That's nuts, and my users aren't going to understand that.

> I personally in your situation would use php to determine the browser.
> If it's IE 5.5 state "Due to a bug in IE 5.5 that browser is not supported for use
> with this page."
>
> You could give them the choice to continue anyway, or possibly do session
> authentication only with IE 5.5 if you really wanted to go out of your way to cover
> up for Microsoft's bug.
>
> Don't lessen security because of a browser bug, though- instead, refuse to support
> the browser.
...

Well, I guess nothing is going to solve my problem of making people hit "logout" 
instead of just closing the browsers, if they're using IE5.5, since both the 
user/password are still remembered by the browser, and the session is kept active.  I 
would love to not support IE5.5, but my client uses this version primarily.  I will 
ask them to downgrade...but I wouldn't be surprised if IE doesn't let you install an 
older version!

Anyway, can someone please test to see if this doesn't happen in IE5.0?

I really hate this situation, yessir.

- Ken





Re: [PHP] Re: IE 5.5,authentication,PHP sessions: IE never stops

2001-03-04 Thread Simon Garner

From: "Ken" [EMAIL PROTECTED]


> Why it's bad is that, if the user clicks "cancel", they are not logged
> out.  They have to manually clear the field, THEN OK, then they get prompted
> AGAIN, THEN they hit cancel.  That's nuts, and my users aren't going to
> understand that.



Why do they need to be able to log out?

If the user doesn't want their password saved (e.g. they're on a public PC)
then they just uncheck the "Save password" box when logging in, and then
they can close the browser and be "logged out".

If they want their password saved then they can check the "Save password"
box and not worry.

It sounds to me like you're trying to implement something that no users are
actually going to need or want...

However, if you want more control over the authentication process I suggest
making your own login form and using cookies, instead of HTTP
authentication. Then you can log users out just by unsetting the cookie(s).


Cheers

Simon Garner






[PHP] Re: IE 5.5,authentication,PHP sessions: IE never stops

2001-03-04 Thread Ken

At 04:11 PM 3/5/01 +1300, Simon Garner wrote:
> From: "Ken" [EMAIL PROTECTED]
>> Why it's bad is that, if the user clicks "cancel", they are not logged
>> out.  They have to manually clear the field, THEN OK, then they get prompted
>> AGAIN, THEN they hit cancel.  That's nuts, and my users aren't going to
>> understand that.
>
> Why do they need to be able to log out?

Because they are on a shared computer.

> If the user doesn't want their password saved (e.g. they're on a public PC)
> then they just uncheck the "Save password" box when logging in, and then
> they can close the browser and be "logged out".
>
> If they want their password saved then they can check the "Save password"
> box and not worry.

Nope - with IE5.5, even with that box NOT checked, the user remains logged in until 
either a) the computer is restarted, or b) a new user-authentication header is sent, 
AND the user clears out the password field and hits OK.  Otherwise the user stays 
logged in, in spite of the HTTP spec.

> It sounds to me like you're trying to implement something that no users are
> actually going to need or want...

Nope, I'm working with a real client, who has multiple users on the same machine, and 
IE5.5 is installed on it, and, lo and behold, though the rest of the browsers work 
fine, IE5.5 has this awful bug.

> However, if you want more control over the authentication process I suggest
> making your own login form and using cookies, instead of HTTP
> authentication. Then you can log users out just by unsetting the cookie(s).

This is how I will wind up going, EXCEPT the users will be required to click "logout", 
since merely closing the browser, in IE5.5, does not seem to clear the user/password 
from the browser's memory, NOR does it clear any session cookie.  Again, works fine in 
other browsers, per spec.

Thanks,

Ken

> Cheers
>
> Simon Garner






[PHP] Re: IE 5.5,authentication,PHP sessions: IE never stops

2001-03-04 Thread Simon Garner

From: "Ken" [EMAIL PROTECTED]


> Nope - with IE5.5, even with that box NOT checked, the user remains logged
> in until either a) the computer is restarted, or b) a new
> user-authentication header is sent, AND the user clears out the password
> field and hits OK.  Otherwise the user stays logged in, in spite of the HTTP
> spec.


Admittedly I'm running IE5.01, but if I close and reopen the browser it will
pop up the authentication dialogue again (with values filled out, if I did
Save Password).

Does this really not happen in 5.5?



> This is how I will wind up going, EXCEPT the users will be required to
> click "logout", since merely closing the browser, in IE5.5, does not seem to
> clear the user/password from the browser's memory, NOR does it clear any
> session cookie.  Again, works fine in other browsers, per spec.


You mean it doesn't clear per-session cookies (expiry=0) either? Cripes...

What Windows version is this under?







RE: [PHP] Re: IE 5.5,authentication,PHP sessions: IE never stops

2001-03-04 Thread Mitchell Kirschner


> Nope, I'm working with a real client, who has multiple users on
> the same machine, and IE5.5 is installed on it, and, lo and
> behold, though the rest of the browsers work fine, IE5.5 has this
> awful bug.


I don't have this session-terminating problem with IE 5.5 when using Apache
and PHP locally on my Win95 computer. I'm also pretty sure it works fine
when connected to a Linux/Apache/PHP server where I have some webspace.

Question: Do you have the latest bunch of fixes and security updates for IE
5.5? I remember after I first installed 5.5 a couple of months ago, there
were many megabytes of fixes, patches, security updates, etc. (There are
probably many more since then.) Perhaps there's already a fix for the bug.

Assuming you have an internet connection from each PC, go into IE 5.5, then
select Tools->Windows Update. The MS website should auto-detect the fixes etc
that you need and prompt you to install them.

Mitch






Re: [PHP] Re: IE 5.5,authentication,PHP sessions: IE never stops

2001-03-04 Thread Ed Lazor


>> However, if you want more control over the authentication process I suggest
>> making your own login form and using cookies, instead of HTTP
>> authentication. Then you can log users out just by unsetting the cookie(s).
>
> This is how I will wind up going, EXCEPT the users will be required to
> click "logout", since merely closing the browser, in IE5.5, does not seem
> to clear the user/password from the browser's memory, NOR does it clear
> any session cookie.  Again, works fine in other browsers, per spec.

I tried to read up on this thread before responding, so please excuse me if 
I don't know all the facts.  Have you tried using PHP's sessions to track 
user logins?  If cookies are available, it takes advantage of them.  If 
not, a session tracking variable is automatically appended to the url.

For my own web site, I register a session variable.  For my situation, it 
happens to be an array, but you may not need this.

  if (! IsSet($user) ) {
    $user = array();
    session_register("user");
    $user["Username"] = "Guest";
  }

 From there, present the visitor with a login form.  Process the login form 
and set the $user["Username"] variable after you've confirmed their 
login.  If you want them to log out, they click a link taking them to a 
page that sets the variable back to $user["Username"] = "Guest".  Best of 
all, if they close their browser, the browser session is lost.

That setup allows people to work at a computer, logout of the web site, and 
allow someone else to login.  Or, they can just close the browser window 
and let someone else sit down to open a new browser window and login.

There's one thing you'll want to keep in mind, in case you don't already 
know it.  Each browser window you spawn from the original uses the same 
session.  If you login and then press CTRL-N to open additional windows, 
they will all use the same session.  Of course, the way around this is to 
just run separate copies of the program to gain additional windows.

Another thing of note, in case it will help, I'm using IE5.5 and don't 
experience the problems you've described.

-Ed
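
The form-and-session login that Simon and Ed suggest, with expiry enforced on the server so that a browser which keeps its session cookie after being closed (the behaviour Ken reports for IE 5.5) still stops being logged in. This is an added example, not code from any poster; it is written for current PHP rather than the PHP 4 of the thread, and the demo account, its password and the two time limits are constructed assumptions.

```php
<?php
// Added example, not code from the thread. Run with: php -S localhost:8000 login.php
declare(strict_types=1);

const IDLE_LIMIT     = 900;    // assumed policy: 15 minutes without a request
const ABSOLUTE_LIMIT = 28800;  // assumed policy: 8 hours since the password was typed

// Constructed demo account; a real application loads the hash from its user table.
$users = ['demo' => password_hash('constructed-demo-password', PASSWORD_DEFAULT)];

/** True when $s holds a login that is inside both time limits at time $now. */
function login_is_current(array $s, int $now): bool
{
    return isset($s['user'], $s['login_at'], $s['seen_at'])
        && $now - $s['seen_at']  <= IDLE_LIMIT
        && $now - $s['login_at'] <= ABSOLUTE_LIMIT;
}

/** Forget the login on the server: empty the data and retire the old session id. */
function end_login(): void
{
    $_SESSION = [];
    session_regenerate_id(true);  // true = delete the old session's stored data
}

// lifetime 0 asks the browser to drop the cookie on exit; the checks below do
// not depend on the browser honouring that. Add 'secure' => true under HTTPS.
session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
session_start();
header('Cache-Control: no-store');  // keep the BACK button from replaying a logged-in page

$now    = time();
$action = $_POST['action'] ?? '';

// A login past its limits is ended here even when the browser kept the cookie
// after its window was closed, the behaviour the thread reports for IE 5.5.
if (isset($_SESSION['user']) && !login_is_current($_SESSION, $now)) {
    end_login();
}

if ($action === 'logout') {
    end_login();
} elseif ($action === 'login') {
    $name = (string) ($_POST['user'] ?? '');
    $pw   = (string) ($_POST['pw'] ?? '');
    if (isset($users[$name]) && password_verify($pw, $users[$name])) {
        session_regenerate_id(true);  // fresh id when the privilege level changes
        $_SESSION = ['user' => $name, 'login_at' => $now, 'seen_at' => $now];
    }
}

if (login_is_current($_SESSION, $now)) {
    $_SESSION['seen_at'] = $now;  // sliding idle window
    $name = htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
    echo "<p>Hello, $name</p>"
       . '<form method="post"><button name="action" value="logout">Log out</button></form>';
} else {
    echo '<form method="post">'
       . 'User <input name="user"> Password <input name="pw" type="password"> '
       . '<button name="action" value="login">Log in</button></form>';
}
```

On a shared machine the idle limit bounds how long a walked-away login stays usable when nobody clicks "Log out"; the logout button ends it immediately.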






[PHP] Re: IE 5.5,authentication,PHP sessions: IE never stops

2001-03-04 Thread Simon Garner

From: "Ken" [EMAIL PROTECTED]


>> What Windows version is this under?
>
> Windows 98 and Mac OS 8 or 9.
>
> - Ken



Is IE set to "Launch browser windows in a separate process" (if that option
still exists in 5.5)? Have a look in Tools > Options > Advanced.

Perhaps if that is not checked, closing the window does not count as exiting
the browser?








RE: [PHP] Re: IE 5.5,authentication,PHP sessions: IE never stops

2001-03-04 Thread Don Read


On 05-Mar-01 Ken wrote:
> At 04:11 PM 3/5/01 +1300, Simon Garner wrote:
>> From: "Ken" [EMAIL PROTECTED]
>>> Why it's bad is that, if the user clicks "cancel", they are not logged
>>> out.  They have to manually clear the field, THEN OK, then they get prompted
>>> AGAIN, THEN they hit cancel.  That's nuts, and my users aren't going to
>>> understand that.
>>
>> Why do they need to be able to log out?
>
> Because they are on a shared computer.
>
>> If the user doesn't want their password saved (e.g. they're on a public PC)
>> then they just uncheck the "Save password" box when logging in, and then
>> they can close the browser and be "logged out".
>>
>> If they want their password saved then they can check the "Save password"
>> box and not worry.
>
> Nope - with IE5.5, even with that box NOT checked, the user remains logged
> in until either a) the computer is restarted, or b) a new
> user-authentication header is sent, AND the user clears out the password
> field and hits OK.  Otherwise the user stays logged in, in spite of the HTTP
> spec.
>
>> It sounds to me like you're trying to implement something that no users are
>> actually going to need or want...
>
> Nope, I'm working with a real client, who has multiple users on the same
> machine, and IE5.5 is installed on it, and, lo and behold, though the rest
> of the browsers work fine, IE5.5 has this awful bug.
>
>> However, if you want more control over the authentication process I suggest
>> making your own login form and using cookies, instead of HTTP
>> authentication. Then you can log users out just by unsetting the cookie(s).
>
> This is how I will wind up going, EXCEPT the users will be required to click
> "logout", since merely closing the browser, in IE5.5, does not seem to clear
> the user/password from the browser's memory, NOR does it clear any session
> cookie.  Again, works fine in other browsers, per spec.
>

Is this an NT-Domain network? It's been a few years since I was sysadmining,
but the user might have to log off the network domain/workgroup to
re-select the credential file (luser.pwl file or whatever Bill & the boys
from Redmond call it now).
But I'll agree that if IE keeps the authentication after you close the browser,
it _is_ borken.

Regards,
-- 
Don Read [EMAIL PROTECTED]
-- If you are going to sin, sin against God, not the bureaucracy. 
  God will forgive you but the bureaucrats won't. 





[PHP] Re: IE 5.5,authentication,PHP sessions: IE never stops running?

2001-03-03 Thread Ken

Thanks for the idea, John.

I know about the auth logout.  Unfortunately, that means that when a user clicks 
"logout", he gets a "log in" prompt!  And, in IE, he has to deliberately blank out the 
password field, THEN hit enter, THEN the prompt will come again, and he has to hit 
escape.

There's another possible path than the above, but it, too, involves a prompt coming up 
when they hit logout, and they have to clear the password field.

If, when they click "logout", and they get the first confusing "log in" prompt, they 
click "cancel", then they won't be logged out.  The browser will continue to remember 
and report their username and password.

Try explaining how to follow these instructions to an inexperienced user!

The point of my system was to use, among other things, the session cookie to determine 
whether the user is in a new session or the same one as before.  The logout button 
sets a flag in the database.  In short, then I know, when the user's browser tries to 
log in again, if he's in the SAME session, and he had previously hit logout, then I 
will have to send an auth header, with a new realm.  But if he's in a NEW session, 
then I can assume his browser no longer remembers his user/pass, so the actual user 
must've typed it, so here I will let the user proceed without sending an auth header.

If IE 5.5 refuses to clear the user/password field, and refuses to clear the session 
cookie, then I can't think of any way of him getting to log out without making him go 
through an annoying second "enter your username and password" prompt...which is most 
disappointing.

It's sounding like, thanks to this terrible behavior of IE 5.5, I may have to switch 
to not using browser authentication at all, and instead deal with the nuisance or 
security risk of passing along authentication information in the session, and 
requiring the user to click "logout" when it's time to logout (forcing a destruction 
of the information stored in the session).

Any suggestions?

- Ken

At 09:45 PM 3/3/01 -0600, John Henckel wrote:
> I, too, am using PHP with authentication and IE 5.  However I am using .htaccess to
> generate the headers instead of PHP.  I found this text...
>
> a quote from PHP manual.
> Both Netscape and Internet Explorer will clear the local browser window's
> authentication cache for the realm upon receiving a server response of 401. This can
> effectively "log out" a user, forcing them to re-enter their username and password.
> Some people use this to "time out" logins, or provide a "log-out" button.
>
> This doesn't answer Ken's question, but at least perhaps you can use it to provide a
> "log-out" button.  Let me know if it works or not.
>
> At 09:57 PM 3/3/01 -0500, kenzo wrote:
>> I'm experiencing strange behavior with my user authentication scheme in my PHP app,
>> with users using IE 5.5.
>>
>> I am using browser authentication (WWW-Authenticate and 401 headers), "no cache"
>> headers, and PHP 4 sessions.
>>
>> I am finding that even when the user totally quits IE, if he then restarts IE, one
>> or both (haven't isolated for sure yet) of the following happen:
>>
>> - The browser still knows the user and password, and so will send it to the server
>> upon an authentication request under the same realm, without prompting the user.
>> (The user does NOT have "save this password" checked on the user/password prompt when
>> it first comes up.)
>> - The session is still active.  A call to session_start() returns the pre-existing
>> session, instead of getting a new one.
>>
>> If the user restarts his machine, IE no longer remembers his user and password, and
>> so a prompt is displayed upon authentication headers being sent.  And I presume (not
>> 100% certain) that a new session gets created.
>>
>> Both of these are behaving like IE is still running.  Is this a known issue with IE
>> 5.5?  Does it just stay running?  These symptoms make it sound like this, and less
>> like a logic problem in my PHP app.  (I have verified that the username and password
>> are sent when the user gets an authentication prompt, without the user typing
>> anything.  I'm assuming there's no possible way that a PHP session can retain this
>> information; I am reading $PHP_AUTH_USER and $PHP_AUTH_PW...there's no way these can
>> be set unless the browser were already running and the user had previously entered
>> them into their prompts, right?)
>>
>> Has anyone else run into this?  My application works perfectly under Netscape 4, IE
>> 4, and Opera 5.
>>
>> Thanks,
>> Ken

