Re: [PHP] header('www-Authenticate ...') Problem

2005-03-01 Thread Richard Lynch
> doesn't the browser only send the AUTH_USER & AUTH_PW if it gets
> the WWW-Authenticate header?

I do believe it will re-send them on each and every request from then on...

Could be wrong, but that's the way I've always structured my code, and it
seemed to work...

The Authenticate header is what causes the popup window to appear.

The browser sending the right user/pass combo is what tells me not to send
out the Authenticate header to make that popup appear.

Maybe I've been doing it wrong all these years, or at least thinking of
the process incorrectly.

Test and see.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] header('www-Authenticate ...') Problem

2005-02-28 Thread dpgirago
I can't remember where the example below came from, but the event handler 
for the 're-authenticate' button doesn't allow a re-authentication 
following a successful login. If you run the code, it allows you to log in 
the first time, or even catch the incorrect password and display it via the 
line with the comments in the authenticate function after 3 failures. But 
after a successful login, trying to re-authenticate by hitting the button 
only redisplays the network login box without the password. And after 3 
failures, "Password = " . $_SERVER['PHP_AUTH_PW'] displays just 
"Password = " so obviously $_SERVER['PHP_AUTH_PW'] is never getting a value 
the second time through. 

This IS NOT a mission critical problem, but it is bugging me. It perhaps 
is an Apache issue...?

Testing environment is Win2k, Apache 1.3.31 with SSL ( though behavior is 
the same on Apache without SSL), and PHP 4.3.7.

Comments very welcome.

Thanks much,

David

<?php

error_reporting(E_ALL ^ E_NOTICE);

function authenticate()
{
    header('WWW-Authenticate: Basic realm="Test Authentication System"');
    header('HTTP/1.0 401 Unauthorized');
    /** ? **/ echo "Password = " . $_SERVER['PHP_AUTH_PW'] . "<BR>"; // used for debugging
    echo "You must enter a valid login name and password to access this resource\n";
    exit;
}

$qualifiedUsers = array('user1', 'user2');
$qualifiedPasswords = array('password1', 'password2');

/**
 *  reset event handler does not work as expected
 **/
if (isset($_POST['authenticator']) && $_POST['authenticator'])
{
    // only clears the copies this request holds; the browser keeps its own
    unset($qualifiedUsers);
    unset($qualifiedPasswords);
    unset($_SERVER['PHP_AUTH_USER']);
    unset($_SERVER['PHP_AUTH_PW']);
    unset($_POST['authenticator']);
}
/***/

// no username
if (!isset($_SERVER['PHP_AUTH_USER']))
{
    authenticate();
}
// username but not on list
elseif (isset($_SERVER['PHP_AUTH_USER']) &&
        !in_array($_SERVER['PHP_AUTH_USER'], $qualifiedUsers))
{
    authenticate();
}
// username ok, but no PW or not on list
elseif (isset($_SERVER['PHP_AUTH_USER']) &&
        in_array($user = $_SERVER['PHP_AUTH_USER'], $qualifiedUsers) &&
        (!isset($_SERVER['PHP_AUTH_PW']) ||
         !in_array($_SERVER['PHP_AUTH_PW'], $qualifiedPasswords)))
{
    authenticate();
}
// username / PW ok
elseif (isset($_SERVER['PHP_AUTH_USER']) &&
        in_array($user = $_SERVER['PHP_AUTH_USER'], $qualifiedUsers) &&
        isset($_SERVER['PHP_AUTH_PW']) &&
        in_array($pw = $_SERVER['PHP_AUTH_PW'], $qualifiedPasswords))
{
    echo "Welcome, {$_SERVER['PHP_AUTH_USER']}, using password {$_SERVER['PHP_AUTH_PW']}.";
    echo "<form action='" . htmlspecialchars($_SERVER['PHP_SELF']) . "' METHOD='POST'>\n";
    echo "<input type='hidden' name='SeenBefore' value='1'>\n";
    echo "<input type='submit' name='authenticator' value='Re Authenticate'>\n";
    echo "</form>\n";
}

unset($_SERVER['PHP_AUTH_USER']);
unset($_SERVER['PHP_AUTH_PW']);

?>

Re: [PHP] header('www-Authenticate ...') Problem

2005-02-28 Thread Richard Lynch
[EMAIL PROTECTED] wrote:
> I can't remember where the example below came from, but the event handler
> for the 're-authenticate' button doesn't allow a re-authentication
> /**
>  *  reset event handler does not work as expected*
>  **/
> if(IsSet($_POST['authenticator']) && $_POST['authenticator'])
> {
> unset($qualifiedUsers);
> unset($qualifiedPasswords);
> unset($_SERVER['PHP_AUTH_USER']);
> unset($_SERVER['PHP_AUTH_PW']);
> unset($_POST['authenticator']);

Remember how these values come in to this point:

The *BROWSER* remembers your login credentials, and re-sends them with
each request.

unset($_SERVER['PHP_AUTH_USER']);

is kinda pointless.

It will unset() it for this script, but the browser is gonna re-send them
on the next page hit.

Ain't no way to make it *NOT* send them, cuz the HTTP spec didn't plan for
that.  Sorry.

What you gotta do is change the REALM out from under them.

In other words, if user X is logged in with HTTP Basic authentication, and
you want to log them out, from that moment forward, send:

header('WWW-Authenticate: Basic realm="Some other Realm"');

So you'll need to track used realms, or perhaps keep a $counter going
for each user, and when they log out, Whammo change the Realm out from
under them.

At least, that's how I was told to do it.

Somebody said there was a way to log somebody out with other headers, but
I always forget what it is...

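The browser behaviour debated in this thread and the realm change Richard describes, as an added example that is not code from the thread: a small Python model of both sides of the exchange. The browser caching Basic credentials per realm and re-sending them unprompted is an assumption about browser behaviour, and the user name and password are constructed sample values.

```python
import base64
USERS = {"user1": "password1"}  # constructed sample credentials, demo only

class Server:  # server side reduced to what matters: logout changes the realm
    def __init__(self):
        self.generation = 1

    def challenge(self):
        realm = f"Test Authentication System #{self.generation}"
        return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}

    def handle(self, path, headers):
        if path == "/logout":  # change the realm out from under the browser
            self.generation += 1
            return self.challenge()
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return self.challenge()
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        return (200, {}) if USERS.get(user) == pw else self.challenge()

class Browser:
    """Assumed: credentials cached per realm and re-sent on every later request."""
    def __init__(self, answers):
        self.answers = list(answers)  # scripted user input: (user, pw) or None
        self.cache, self.realm, self.prompts = {}, None, 0

    def request(self, server, path):
        sent = self.cache.get(self.realm)
        status, resp = server.handle(path, {"Authorization": sent} if sent else {})
        if status != 401:
            return status
        self.realm = resp["WWW-Authenticate"].split('"')[1]
        if sent and self.cache.get(self.realm) == sent:
            self.cache.pop(self.realm)  # server rejected what we re-sent
        self.prompts += 1  # the login box appears
        creds = self.answers.pop(0) if self.answers else None
        if creds is None:  # user cancelled the box
            return 401
        token = base64.b64encode(":".join(creds).encode()).decode()
        self.cache[self.realm] = "Basic " + token
        return self.request(server, path)  # browser retries with the new creds

def run_scenario():
    server, browser = Server(), Browser([("user1", "password1"), None, ("user1", "password1")])
    trace = [browser.request(server, "/page"),    # first visit: prompt, then 200
             browser.request(server, "/page"),    # credentials re-sent silently
             browser.request(server, "/logout"),  # new realm, user cancels
             browser.request(server, "/page")]    # old creds useless: prompt again
    return trace, browser.prompts, server.generation
```

run_scenario() returns the status of each request, how many times the login box appeared and the server's realm generation; the browser still holds credentials for the old realm afterwards, which is why Richard says to track used realms rather than reuse one.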



Re: [PHP] header('www-Authenticate ...') Problem

2005-02-28 Thread Jochem Maas
Richard Lynch wrote:
> [EMAIL PROTECTED] wrote:
>> I can't remember where the example below came from, but the event handler
>> for the 're-authenticate' button doesn't allow a re-authentication
>> /**
>> *  reset event handler does not work as expected*
>> **/
>> if(IsSet($_POST['authenticator']) && $_POST['authenticator'])
>> {
>>    unset($qualifiedUsers);
>>    unset($qualifiedPasswords);
>>    unset($_SERVER['PHP_AUTH_USER']);
>>    unset($_SERVER['PHP_AUTH_PW']);
>>    unset($_POST['authenticator']);
>
> Remember how these values come in to this point:
> The *BROWSER* remembers your login credentials, and re-sends them with
> each request.
> unset($_SERVER['PHP_AUTH_USER']);
> is kinda pointless.
> It will unset() it for this script, but the browser is gonna re-send them
> on the next page hit.

doesn't the browser only send the AUTH_USER & AUTH_PW if it gets
the WWW-Authenticate header?

> Ain't no way to make it *NOT* send them, cuz the HTTP spec didn't plan for
> that.  Sorry.
> What you gotta do is change the REALM out from under them.
> In other words, if user X is logged in with HTTP Basic authentication, and
> you want to log them out, from that moment forward, send:
> header('WWW-Authenticate: Basic realm="Some other Realm"');
> So you'll need to track used realms, or perhaps keep a $counter going
> for each user, and when they log out, Whammo change the Realm out from
> under them.
> At least, that's how I was told to do it.
> Somebody said there was a way to log somebody out with other headers, but
> I always forget what it is...