Re: [PHP] header('www-Authenticate ...') Problem
> doesn't the browser only send the AUTH_USER AUTH_PW if it gets the WWW-Authenticate header?

I do believe it will re-send them on each and every request from then on...

Could be wrong, but that's the way I've always structured my code, and it seemed to work...

The Authenticate header is what causes the popup window to appear.

The browser sending the right user/pass combo is what tells me not to send out the Authenticate header to make that popup appear.

Maybe I've been doing it wrong all these years, or at least thinking of the process incorrectly.

Test and see.

--
Like Music?
http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] header('www-Authenticate ...') Problem
I can't remember where the example below came from, but the event handler for the 're-authenticate' button doesn't allow a re-authentication following a successful login.

If you run the code, it allows you to log in the first time, or even catch the incorrect password and display via the line with the comments in the authenticate function after 3 failures. But after a successful login, trying to re-authenticate by hitting the button only redisplays the network login box without the password. And after 3 failures, "Password = " . $_SERVER['PHP_AUTH_PW'] displays just "Password = ", so obviously $_SERVER['PHP_AUTH_PW'] is never getting a value the second time through.

This IS NOT a mission critical problem, but it is bugging me. It perhaps is an Apache issue...?

Testing environment is Win2k, Apache 1.3.31 with SSL (though behavior is the same on Apache without SSL), and PHP 4.3.7.

Comments very welcome.

Thanks much,
David

<?php
ERROR_REPORTING(E_ALL ^ E_NOTICE);

function authenticate()
{
    // The realm value is a quoted string in the header
    header('WWW-Authenticate: Basic realm="Test Authentication System"');
    header('HTTP/1.0 401 Unauthorized');
    /** ? **/
    echo "Password = " . $_SERVER['PHP_AUTH_PW'] . "<BR>"; // used for debugging
    echo "You must enter a valid login name and password to access this resource\n";
    exit;
}

// One array element per name and per password
$qualifiedUsers = array('user1', 'user2');
$qualifiedPasswords = array('password1', 'password2');

/** * reset event handler does not work as expected* **/
if(IsSet($_POST['authenticator']) && $_POST['authenticator'])
{
    unset($qualifiedUsers);
    unset($qualifiedPasswords);
    unset($_SERVER['PHP_AUTH_USER']);
    unset($_SERVER['PHP_AUTH_PW']);
    unset($_POST['authenticator']);
}
/***/

// no username
if(!isset($_SERVER['PHP_AUTH_USER']))
{
    authenticate();
}
//username but not on list
elseif(isset($_SERVER['PHP_AUTH_USER']) && !in_array($_SERVER['PHP_AUTH_USER'], $qualifiedUsers))
{
    authenticate();
}
//username ok, but no PW or not on list
elseif(isset($_SERVER['PHP_AUTH_USER']) && in_array($user = $_SERVER['PHP_AUTH_USER'], $qualifiedUsers)
    && (!isset($_SERVER['PHP_AUTH_PW']) || !in_array($_SERVER['PHP_AUTH_PW'], $qualifiedPasswords)))
{
    authenticate();
}
//username / PW ok (the password is looked up in the password list)
elseif(isset($_SERVER['PHP_AUTH_USER']) && in_array($user = $_SERVER['PHP_AUTH_USER'], $qualifiedUsers)
    && isset($_SERVER['PHP_AUTH_PW']) && in_array($pw = $_SERVER['PHP_AUTH_PW'], $qualifiedPasswords))
{
    echo "Welcome, {$_SERVER['PHP_AUTH_USER']}, using password {$_SERVER['PHP_AUTH_PW']}.";
    // $_PHP_SELF is not a PHP variable; the script path is in $_SERVER['PHP_SELF']
    echo "<form action='" . htmlspecialchars($_SERVER['PHP_SELF']) . "' METHOD='POST'>\n";
    echo "<input type='hidden' name='SeenBefore' value='1'>\n";
    echo "<input type='submit' name=authenticator value='Re Authenticate'>\n";
    echo "</form></p>\n";
}

unset($_SERVER['PHP_AUTH_USER']);
unset($_SERVER['PHP_AUTH_PW']);
?>
Re: [PHP] header('www-Authenticate ...') Problem
[EMAIL PROTECTED] wrote:
> I can't remember where the example below came from, but the event handler
> for the 're-authenticate' button doesn't allow a re-authentication
>
> /** * reset event handler does not work as expected* **/
> if(IsSet($_POST['authenticator']) && $_POST['authenticator'])
> {
>     unset($qualifiedUsers);
>     unset($qualifiedPasswords);
>     unset($_SERVER['PHP_AUTH_USER']);
>     unset($_SERVER['PHP_AUTH_PW']);
>     unset($_POST['authenticator']);

Remember how these values come in to this point:

The *BROWSER* remembers your login credentials, and re-sends them with each request.

unset($_SERVER['PHP_AUTH_USER']); is kinda pointless. It will unset() it for this script, but the browser is gonna re-send them on the next page hit.

Ain't no way to make it *NOT* send them, cuz the HTTP spec didn't plan for that. Sorry.

What you gotta do is change the REALM out from under them.

In other words, if user X is logged in with HTTP Basic authentication, and you want to log them out, from that moment forward, send:

header('WWW-Authenticate: Basic realm="Some other Realm"');

So you'll need to track used realms, or perhaps keep a $counter going for each user, and when they log out, Whammo change the Realm out from under them.

At least, that's how I was told to do it.

Somebody said there was a way to log somebody out with other headers, but I always forget what it is...

--
Like Music?
http://l-i-e.com/artists.htm
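
Richard Lynch's realm-change suggestion, sketched as an added example (not code from the thread or from any poster). It assumes a PHP session to hold a per-visitor realm counter, and the names `realm_gen`, `challenge_pending` and `challenge()` are made up here; the button POST is answered with a redirect so that the browser's retry after the prompt is a plain GET that does not trigger the logout again.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 5.5 and working sessions.
session_start();

// Constructed demo accounts; each user is checked against its own hash only.
$users = array(
    'user1' => password_hash('password1', PASSWORD_DEFAULT),
    'user2' => password_hash('password2', PASSWORD_DEFAULT),
);

if (!isset($_SESSION['realm_gen'])) {
    $_SESSION['realm_gen'] = 1; // hypothetical per-session realm counter
}

function challenge($gen) {
    // A new counter value yields a realm the browser holds no cached credentials for.
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="Test Authentication System ' . (int)$gen . '"');
    echo "You must enter a valid login name and password to access this resource\n";
    exit;
}

// Step 1: the button POST only records the logout, then redirects to a GET.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_POST['authenticator'])) {
    $_SESSION['realm_gen']++;
    $_SESSION['challenge_pending'] = true;
    header('Location: ' . $_SERVER['SCRIPT_NAME'], true, 303);
    exit;
}

// Step 2: the next request is refused exactly once, whatever credentials it carries.
if (!empty($_SESSION['challenge_pending'])) {
    unset($_SESSION['challenge_pending']);
    challenge($_SESSION['realm_gen']);
}

$user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
$pw   = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
if (!isset($users[$user]) || !password_verify($pw, $users[$user])) {
    challenge($_SESSION['realm_gen']);
}

echo 'Welcome, ' . htmlspecialchars($user) . ".\n";
echo "<form action='" . htmlspecialchars($_SERVER['SCRIPT_NAME']) . "' method='POST'>\n";
echo "<input type='submit' name='authenticator' value='Re Authenticate'>\n</form>\n";
```

This forces one fresh prompt under a new realm; it does not revoke anything, so the old user name and password are still accepted if the browser or the user sends them again.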
Re: [PHP] header('www-Authenticate ...') Problem
Richard Lynch wrote:
> [EMAIL PROTECTED] wrote:
>> I can't remember where the example below came from, but the event handler
>> for the 're-authenticate' button doesn't allow a re-authentication
>>
>> /** * reset event handler does not work as expected* **/
>> if(IsSet($_POST['authenticator']) && $_POST['authenticator'])
>> {
>>     unset($qualifiedUsers);
>>     unset($qualifiedPasswords);
>>     unset($_SERVER['PHP_AUTH_USER']);
>>     unset($_SERVER['PHP_AUTH_PW']);
>>     unset($_POST['authenticator']);
>
> Remember how these values come in to this point:
>
> The *BROWSER* remembers your login credentials, and re-sends them with each request.
>
> unset($_SERVER['PHP_AUTH_USER']); is kinda pointless. It will unset() it for this script, but the browser is gonna re-send them on the next page hit.

doesn't the browser only send the AUTH_USER AUTH_PW if it gets the WWW-Authenticate header?

> Ain't no way to make it *NOT* send them, cuz the HTTP spec didn't plan for that. Sorry.
>
> What you gotta do is change the REALM out from under them.
>
> In other words, if user X is logged in with HTTP Basic authentication, and you want to log them out, from that moment forward, send:
>
> header('WWW-Authenticate: Basic realm="Some other Realm"');
>
> So you'll need to track used realms, or perhaps keep a $counter going for each user, and when they log out, Whammo change the Realm out from under them.
>
> At least, that's how I was told to do it.
>
> Somebody said there was a way to log somebody out with other headers, but I always forget what it is...