Fwd: [PHP] Basic Auth

2013-08-27 Thread Stuart Dallas
Oops, sent this message from the wrong email address, so the list rejected it.

Begin forwarded message:

 From: Stuart Dallas stu...@3ft9.com
 Subject: Re: [PHP] Basic Auth
 Date: 27 August 2013 16:36:27 BST
 To: jim.gi...@albanyhandball.com
 Cc: php-general@lists.php.net
 
 On 27 Aug 2013, at 15:59, Jim Giner jim.gi...@albanyhandball.com wrote:
 
 On 8/27/2013 10:55 AM, Stuart Dallas wrote:
 On 27 Aug 2013, at 15:51, Jim Giner jim.gi...@albanyhandball.com wrote:
 
 On 8/27/2013 10:39 AM, Stuart Dallas wrote:
 On 27 Aug 2013, at 15:18, Jim Giner jim.gi...@albanyhandball.com wrote:
 
 On 8/27/2013 10:14 AM, Stuart Dallas wrote:
 It's not really confusing so long as you understand how PHP works. Each 
 request is brand new - nothing is retained from previous requests. The 
 two variables you're changing are set by PHP when the request comes in 
 from the browser. The fact you changed them in a previous request is 
 irrelevant because 1) that change was not communicated to the browser 
 in any way, and 2) PHP doesn't retain any data between requests [1].
 
 If you've been coding assuming that changes you make to global 
 variables are retained between requests you must have been having some 
 pretty frustrating times!
 
 -Stuart
 
 Not really - this is the first time I've had something not work as 
 expected.
 That was said with my tongue very much firmly in my cheek, and so is this:
 
  I've been playing with dynamite since I was 4 - hey, it must be a safe, 
 proper thing to do!
 
 Just because nothing has blown up in your face yet doesn't mean it won't, 
 and I'm concerned that you might not actually see how important it is to 
 make sure you're using the tool correctly.
 
 -Stuart
 
 This may very well be the first time with this problem because I haven't 
 tried anything like this before.
 
 That said - can you give me some pointers on how to do the JS solution?  
 I'm calling a script that is similar to the one I used to signon.  It 
 sends out something like:
 
   header("WWW-Authenticate: Basic realm=$realm");
   header('HTTP/1.0 401 Unauthorized');
   echo "<h3>You have entered invalid credentials<br>";
   echo "Click <a href='$return_url'> here </a> to return to the menu.";
   exit();
 
 when it doesn't detect the PHP_AUTH_USER or it is an invalid value.
 
 So - to effect a signoff, what does one do?   You said to use an invalid 
 value, but what do I do with that?  How do I ignore the 401?   Now I'm 
 getting the signin dialog and I'm stuck.
 You don't need to do anything on the server-side. You simply need a JS 
 function that sends a request to a URL that requires basic auth, with an 
 Authenticate header that contains an invalid username and password. Then, 
 when your server responds with a 401 Authentication required (which it 
 should already do for an invalid request) you can set location.href to 
 whatever URL you want the logged out user to see.
 
 If you don't know how to make a request from Javascript -- commonly known 
 as an AJAX request -- then google for it. I'd recommend the jquery library 
 if you want a very easy way to do it.
 
 -Stuart
 
 I am familiar with an ajax request (xmlhttprequest) and I have a function 
 ready to call a script to effect this signoff.  I just don't know what to 
 put in that php script I'm calling.  From what you just wrote I'm guessing 
 that my headers as shown previously may be close - I'm confused about your 
 mention of "contains an invalid username".  As you can see from my sample 
 I don't include such a thing.
 
 For the last time: YOU DO NOT NEED TO MAKE ANY CHANGES SERVER-SIDE.
 
 From the Javascript, request any URL that requires authentication - it 
 doesn't matter. When you make the AJAX request, pass an Authentication header 
 that contains an invalid username and password. If you don't know what I mean 
 by that, please google how HTTP Basic Auth works.
 
 -Stuart
 
 -- 
 Stuart Dallas
 3ft9 Ltd
 http://3ft9.com/


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
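
The client-side sign-off described in the message above, as an added example that is not code from the thread. The request header that carries Basic credentials is named Authorization; the function names, the "logout"/"invalid" credentials, the env parameter and any URLs passed in are assumptions made for illustration.

```javascript
// Added example (not from the thread); all names here are hypothetical.

// Value of the Authorization request header for HTTP Basic auth:
// "Basic " + base64("user:password").
function basicAuthHeader(user, password) {
  if (user.includes(":")) throw new Error("user-id must not contain ':'");
  const bytes = new TextEncoder().encode(`${user}:${password}`);
  return "Basic " + btoa(String.fromCharCode(...bytes));
}

// What the server recovers from that header (PHP exposes the two parts as
// PHP_AUTH_USER and PHP_AUTH_PW). Returns null if it is not a Basic header.
function parseBasicAuth(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/]+={0,2})$/i.exec(headerValue || "");
  if (!m) return null;
  let raw;
  try { raw = atob(m[1]); } catch { return null; }
  const text = new TextDecoder().decode(
    Uint8Array.from(raw, (c) => c.charCodeAt(0)));
  const i = text.indexOf(":"); // the password may itself contain ':'
  return i < 0 ? null : { user: text.slice(0, i), password: text.slice(i + 1) };
}

// Client-side sign-off: request a protected URL with credentials known to be
// invalid, treat the 401 as the expected outcome, then redirect.
// `env` supplies fetch and location so the function also runs outside a browser.
async function basicAuthLogout(protectedUrl, loggedOutUrl, env = globalThis) {
  const res = await env.fetch(protectedUrl, {
    cache: "no-store",
    headers: { Authorization: basicAuthHeader("logout", "invalid") },
  });
  if (res.status !== 401) {
    // The server accepted bogus credentials or the URL is not protected:
    // do not report a successful sign-off.
    throw new Error(`expected 401 from ${protectedUrl}, got ${res.status}`);
  }
  env.location.href = loggedOutUrl;
  return res.status;
}
```

Whether a browser then discards the credentials it cached for the realm varies by browser, so check the behaviour in each browser you support.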



Re: Fwd: [PHP] Basic Auth

2013-08-27 Thread Jim Giner

On 8/27/2013 11:56 AM, Stuart Dallas wrote:

Oops, sent this message from the wrong email address, so the list rejected it.

Begin forwarded message:


From: Stuart Dallas stu...@3ft9.com
Subject: Re: [PHP] Basic Auth
Date: 27 August 2013 16:36:27 BST
To: jim.gi...@albanyhandball.com
Cc: php-general@lists.php.net

On 27 Aug 2013, at 15:59, Jim Giner jim.gi...@albanyhandball.com wrote:


On 8/27/2013 10:55 AM, Stuart Dallas wrote:

On 27 Aug 2013, at 15:51, Jim Giner jim.gi...@albanyhandball.com wrote:


On 8/27/2013 10:39 AM, Stuart Dallas wrote:

On 27 Aug 2013, at 15:18, Jim Giner jim.gi...@albanyhandball.com wrote:


On 8/27/2013 10:14 AM, Stuart Dallas wrote:

It's not really confusing so long as you understand how PHP works. Each request 
is brand new - nothing is retained from previous requests. The two variables 
you're changing are set by PHP when the request comes in from the browser. The 
fact you changed them in a previous request is irrelevant because 1) that 
change was not communicated to the browser in any way, and 2) PHP doesn't 
retain any data between requests [1].

If you've been coding assuming that changes you make to global variables are 
retained between requests you must have been having some pretty frustrating 
times!

-Stuart


Not really - this is the first time I've had something not work as expected.

That was said with my tongue very much firmly in my cheek, and so is this:

  I've been playing with dynamite since I was 4 - hey, it must be a safe, 
proper thing to do!

Just because nothing has blown up in your face yet doesn't mean it won't, and 
I'm concerned that you might not actually see how important it is to make sure 
you're using the tool correctly.

-Stuart


This may very well be the first time with this problem because I haven't tried 
anything like this before.

That said - can you give me some pointers on how to do the JS solution?  I'm 
calling a script that is similar to the one I used to signon.  It sends out 
something like:

   header("WWW-Authenticate: Basic realm=$realm");
   header('HTTP/1.0 401 Unauthorized');
   echo "<h3>You have entered invalid credentials<br>";
   echo "Click <a href='$return_url'> here </a> to return to the menu.";
   exit();

when it doesn't detect the PHP_AUTH_USER or it is an invalid value.

So - to effect a signoff, what does one do?   You said to use an invalid value, 
but what do I do with that?  How do I ignore the 401?   Now I'm getting the 
signin dialog and I'm stuck.

You don't need to do anything on the server-side. You simply need a JS function 
that sends a request to a URL that requires basic auth, with an Authenticate 
header that contains an invalid username and password. Then, when your server 
responds with a 401 Authentication required (which it should already do for an 
invalid request) you can set location.href to whatever URL you want the logged 
out user to see.

If you don't know how to make a request from Javascript -- commonly known as an 
AJAX request -- then google for it. I'd recommend the jquery library if you 
want a very easy way to do it.

-Stuart


I am familiar with an ajax request (xmlhttprequest) and I have a function ready to call a 
script to effect this signoff.  I just don't know what to put in that php script I'm calling.  
From what you just wrote I'm guessing that my headers as shown previously may be close - 
I'm confused about your mention of "contains an invalid username".  As you 
can see from my sample I don't include such a thing.


For the last time: YOU DO NOT NEED TO MAKE ANY CHANGES SERVER-SIDE.

From the Javascript, request any URL that requires authentication - it doesn't 
matter. When you make the AJAX request, pass an Authentication header that 
contains an invalid username and password. If you don't know what I mean by 
that, please google how HTTP Basic Auth works.

-Stuart

--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/


It's not the basic auth that I'm having the issue with - it's the 
'header' thing and understanding what a 401 is doing and how I'm to 
ignore it.  Never had to play with these things before and this part is 
all new.  Let's face it - I'm an applications guy, not a systems guy. 
All this talk of headers and such is greek to me.


I have spent the last hour googling away on this topic - still no 
understanding.

