Re: [PHP] Logging out of a SSL / https:// site using PHP? (or JS?), Client Side Cache

2009-04-21 Thread scubak1w1

Michael A. Peters mpet...@mac.com wrote in message 
news:49e4d4ca.7060...@mac.com...
 scubak1w1 wrote:
 Michael A. Peters mpet...@mac.com wrote in message 
 news:49e41267.5010...@mac.com...
 scubak1w1 wrote:
 I have a series of web sites which use https:// authentication (using 
 AD integration to 'check the credentials' as it were) - all seems to be 
 working well..
[snip]


 I don't know much about active directory but I thought one of the points 
 of AD was to eliminate the need for a user to log in since they are 
 already authenticated by the centralized AD system.

Thanks Michael for helping me clarify the situation, I appreciate your 
expertise... and sorry for the delay in replying, it has been a busy week so 
far!   smile

I am using AD, as mentioned and as you probably inferred, so I don't have 
to sync credentials on my system with the 500± users in the AD... (i.e., 
when someone leaves the company, new hires, password changes, etc, etc)

 If you want to use active directory as the only user authentication method 
 then as long as the browser sends the credentials it will verify and the 
 user is logged in.

Yep, that is it - not forgetting that users may use the intranet site from 
the company internet site on PCs not logged on to the network...

 You could probably use password _in addition to_ active directory to 
 authenticate a php session, allowing you increased security over just a 
 session token (IE browser has to send valid php session AND active 
 directory credentials) but if you want a user to have to login in addition 
 to active directory credentials, use php sessions on your server, and upon 
 successful login w/ proper AD credentials set a session variable that says 
 they are authenticated.

OK, that is where I am at now... glad to see I am following 'standard 
procedure'   grin

 When they log out, unset the session variable that says they are logged in 
 and expire the session. Then regardless of their AD credentials, they will 
 have to log in again to be verified by the session system.

Now HERE is where I think I am having the issues... I can use PHP to log 
them off my site, server side, and hence demand to see their AD 
credentials again...

BUT from my reading and understanding, the browser is caching this info - 
and so when it sees the request for AD credentials it says oh, I have 
those from a few minutes ago, here you go... (i.e., the same browser 
session on the clients side if they haven't closed their browser in the 
meantime...), thereby relogging them on server side - but I

 SSL doesn't do anything magic as far as user authentication is concerned, 
 it simply provides a public/private key encryption so that (theoretically) 
 only the browser can decrypt what the server sends and only the server can 
 decrypt what the browser sends.

That distinction is useful to know / be reminded about, thank you - since 
IIS integrates SSL and AD transparently to me as a non-IT-admin person, I 
guess I was not making that distinction clearly enough...

So (assuming I have this right) is there a way to have PHP clear the user's 
browser cache of the appropriate AD credentials if the user is in the same 
browser session and then move to, say, www.google.com? Or should I be 
looking at some JS?

Or expending my efforts on other 'projects'?smile 



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Logging out of a SSL / https:// site using PHP? (or JS?), Client Side Cache

2009-04-14 Thread scubak1w1
Michael A. Peters mpet...@mac.com wrote in message 
news:49e41267.5010...@mac.com...
 scubak1w1 wrote:
 I have a series of web sites which use https:// authentication (using AD 
 integration to 'check the credentials' as it were) - all seems to be 
 working well..

 I have been Googling et al. for a way to log the user off the site 
 fully...


 I can do a series of things on the server side per Dreamweaver's Server 
 Behaviour / User Authentication | Log Out User, etc - but the client's 
 browser cache (?) still keeps the credentials, and so if they return to 
 the site (say, with their back button) they can get right back in...

 Sounds like you are not properly expiring the session.
 The only login credentials that ever should be stored with the client is a 
 session id.

 Expire the session id - and the session ID in their cookie becomes 
 completely meaningless.

OK, I will go back and reread...

My understanding was that SSL aka https was taking care of the credential 
checking using, in our case, Active Directory user entries - and that PHP 
was just grabbing the UID from that source - for instance, what I do is:

// grab the logged on user, depending on whether they logged on with the
// domain prepended
$remote_user = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '';
if (substr_count($remote_user, '\\') != 0)
{
    // the logon has a domain prepended before the 'actual' UID: grab the
    // logged on user off the IIS server variable, split off the (presumed)
    // [domain]\ portion and essentially discard it. explode() takes a plain
    // string, so a single escaped backslash ('\\') is enough; the old split()
    // took a regex, which is why it needed four backslashes (double escaped).
    list($logged_on_domain, $logged_on_user) = explode('\\', $remote_user, 2);
}
else
{
    // no domain (assumed) prepended before a backslash, so just the 'actual' UID
    $logged_on_user = $remote_user;
}

I can set $_SERVER['REMOTE_USER'] = 'baddomain\baduser' of course - but when 
I return to the secure page the user's browser cache (?) has reset 
$_SERVER['REMOTE_USER'] to be their previously logged on user name - so they 
are still logged in...

So maybe my logging off question is not really PHP-specific? Hmmm

I will go back and reread various pages (paper and online) with your 
suggestion/s as the context - so thank you...

Regards,
GREG... 






Re: [PHP] Logging out of a SSL / https:// site using PHP? (or JS?), Client Side Cache

2009-04-14 Thread Michael A. Peters

scubak1w1 wrote:
Michael A. Peters mpet...@mac.com wrote in message 
news:49e41267.5010...@mac.com...

scubak1w1 wrote:
I have a series of web sites which use https:// authentication (using AD 
integration to 'check the credentials' as it were) - all seems to be 
working well..


I have been Googling et al. for a way to log the user off the site 
fully...



I can do a series of things on the server side per Dreamweaver's Server 
Behaviour / User Authentication | Log Out User, etc - but the client's 
browser cache (?) still keeps the credentials, and so if they return to 
the site (say, with their back button) they can get right back in...

Sounds like you are not properly expiring the session.
The only login credentials that ever should be stored with the client is a 
session id.


Expire the session id - and the session ID in their cookie becomes 
completely meaningless.


OK, I will go back and reread...

My understanding was that SSL aka https was taking care of the credential 
checking using, in our case, Active Directory user entries - and that PHP 
was just grabbing the UID from that source - for instance, what I do is:


// grab the logged on user, depending on whether they logged on with the
// domain prepended
$remote_user = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '';
if (substr_count($remote_user, '\\') != 0)
{
    // the logon has a domain prepended before the 'actual' UID: grab the
    // logged on user off the IIS server variable, split off the (presumed)
    // [domain]\ portion and essentially discard it. explode() takes a plain
    // string, so a single escaped backslash ('\\') is enough; the old split()
    // took a regex, which is why it needed four backslashes (double escaped).
    list($logged_on_domain, $logged_on_user) = explode('\\', $remote_user, 2);
}
else
{
    // no domain (assumed) prepended before a backslash, so just the 'actual' UID
    $logged_on_user = $remote_user;
}

I can set $_SERVER['REMOTE_USER'] = 'baddomain\baduser' of course - but when 
I return to the secure page the user's browser cache (?) has reset 
$_SERVER['REMOTE_USER'] to be their previously logged on user name - so they 
are still logged in...


So maybe my logging off question is not really PHP-specific? Hmmm

I will go back and reread various pages (paper and online) with your 
suggestion/s as the context - so thank you...


I don't know much about active directory but I thought one of the points 
of AD was to eliminate the need for a user to log in since they are 
already authenticated by the centralized AD system.


If you want to use active directory as the only user authentication 
method then as long as the browser sends the credentials it will verify 
and the user is logged in.


You could probably use password _in addition to_ active directory to 
authenticate a php session, allowing you increased security over just a 
session token (IE browser has to send valid php session AND active 
directory credentials) but if you want a user to have to login in 
addition to active directory credentials, use php sessions on your 
server, and upon successful login w/ proper AD credentials set a session 
variable that says they are authenticated.


When they log out, unset the session variable that says they are logged 
in and expire the session. Then regardless of their AD credentials, they 
will have to log in again to be verified by the session system.


SSL doesn't do anything magic as far as user authentication is 
concerned, it simply provides a public/private key encryption so that 
(theoretically) only the browser can decrypt what the server sends and 
only the server can decrypt what the browser sends.


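An added example of the session layer Michael describes here (and again in the quoted advice in the 2009-04-21 reply at the top of this thread), written for this page and not code from either poster. It assumes IIS has already done the Active Directory check before PHP runs, so $_SERVER['REMOTE_USER'] only says who IIS accepted; the browser keeps re-sending those credentials for the rest of its session and there is no reliable way for PHP or JavaScript to make it forget them, which is why "logged in" has to be tracked in $_SESSION and logout has to destroy the session. The function names and the /login.php URL are assumptions of the example.

```php
<?php
// Added example (not code from this thread): a PHP session layer on top of
// IIS/Active Directory authentication, along the lines Michael describes.
// IIS checks the AD credentials before PHP runs; $_SERVER['REMOTE_USER'] only
// tells PHP who IIS accepted. The browser keeps re-sending those credentials
// for the rest of its session and PHP cannot clear that client-side cache, so
// "logged in" is tracked in $_SESSION and logout destroys the session instead.
// All function names and the /login.php URL are assumptions of this example.

declare(strict_types=1);

session_start();

// The AD user IIS authenticated, with any DOMAIN\ prefix removed, or null when
// IIS did not authenticate the request at all.
function adUser(): ?string
{
    $remote = $_SERVER['REMOTE_USER'] ?? '';
    if ($remote === '') {
        return null;
    }
    // explode() takes a plain string, so one escaped backslash is enough.
    $parts = explode('\\', $remote, 2);
    return count($parts) === 2 ? $parts[1] : $parts[0];
}

// Called from the login form's POST handler: valid AD credentials alone are
// not enough, the user must have explicitly logged in during this PHP session.
function login(): bool
{
    $user = adUser();
    if ($user === null) {
        return false;
    }
    session_regenerate_id(true);     // fresh id: any pre-login id is now useless
    $_SESSION['authenticated'] = true;
    $_SESSION['user'] = $user;       // bind the session to the AD identity
    $_SESSION['login_time'] = time();
    return true;
}

// Logged in means: IIS authenticated the request, the session says the user
// logged in, and it is the same user the session was created for.
function isLoggedIn(): bool
{
    $user = adUser();
    return $user !== null
        && ($_SESSION['authenticated'] ?? false) === true
        && ($_SESSION['user'] ?? null) === $user;
}

// Logout: forget the session server side and expire the cookie. The browser
// still holds its AD credentials, but without a live session the next request
// is treated as logged out whatever REMOTE_USER says.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Guard for the top of every protected page. no-store keeps the back button
// from showing a cached copy of the page after logout: the browser has to ask
// the server again, and the server no longer has a session for it.
function requireLogin(string $loginUrl = '/login.php'): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    if (!isLoggedIn()) {
        header('Location: ' . $loginUrl);
        exit;
    }
}

// Usage in a protected page:
//   require 'auth.php'; requireLogin();
//   echo 'Hello ' . htmlspecialchars($_SESSION['user']);
// and in logout.php:
//   require 'auth.php'; logout(); header('Location: /'); exit;
```

The point of binding $_SESSION['user'] to the current REMOTE_USER is that a session created for one AD account cannot be carried on by a browser that now presents another, and the point of the no-store header on protected pages is that the back button after logout fetches the page from the server, where isLoggedIn() now fails, instead of showing a cached copy.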



Re: [PHP] Logging out of a SSL / https:// site using PHP? (or JS?), Client Side Cache

2009-04-13 Thread Michael A. Peters

scubak1w1 wrote:

Hello,




I have a series of web sites which use https:// authentication (using AD 
integration to 'check the credentials' as it were) - all seems to be working 
well..


I have been Googling et al. for a way to log the user off the site 
fully...



I can do a series of things on the server side per Dreamweaver's Server 
Behaviour / User Authentication | Log Out User, etc - but the client's 
browser cache (?) still keeps the credentials, and so if they return to the 
site (say, with their back button) they can get right back in...


Sounds like you are not properly expiring the session.
The only login credentials that ever should be stored with the client is 
a session id.


Expire the session id - and the session ID in their cookie becomes 
completely meaningless.

