RE: [PHP] New identification after an error...

2006-01-20 Thread Albert
David BERCOT wrote:
 I use this program to force a user to authenticate :
 if (!isset($_SERVER['PHP_AUTH_USER'])) {
 header("WWW-Authenticate: Basic realm=\"Intranet SDSED\"");
 header("HTTP/1.1 401 Unauthorized");
 }
 Everything is ok except a detail : if the user makes a mistake (for
 example, a bad password), the variable $_SERVER['PHP_AUTH_USER'] is
 initialised.
 So, if he wants to do again the above test, another identification won't
 happen (because $_SERVER['PHP_AUTH_USER'] is already set).
 I've tried :
 $_SERVER['PHP_AUTH_USER'] = NULL;
 without success...
 
 Do you have a clue ?

<?php
  // _PRODNAME is assumed to be a constant holding the realm name.
  if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="' . _PRODNAME . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo "You are not authorized to enter this page";
  } else {
    $inUser = $_SERVER['PHP_AUTH_USER'];
    $inPWD  = $_SERVER['PHP_AUTH_PW'];

    if (strcmp($inUser, 'me') == 0 && strcmp($inPWD, 'me') == 0) {
      echo "logged in";
    } else {
      // Wrong credentials: send the challenge again so the browser re-prompts
      header('WWW-Authenticate: Basic realm="' . _PRODNAME . '"');
      header('HTTP/1.0 401 Unauthorized');
      echo "You are not authorized to enter this page";
    }
  }
?>

HTH

Albert


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] New identification after an error...

2006-01-20 Thread David Grant
David

David BERCOT wrote:
 I've tried :
 $_SERVER['PHP_AUTH_USER'] = NULL;
 without success...

http://www.php.net/unset

e.g. unset($_SERVER['PHP_AUTH_USER']);

It might, however, be better practice to use an authorisation state
variable, or something similar, i.e.

if (! $auth) {
// HTTP Headers
}

David
-- 
David Grant
http://www.grant.org.uk/




Re: [PHP] New identification after an error...

2006-01-20 Thread Jochem Maas

David BERCOT wrote:

Hi,

I use this program to force a user to authenticate :
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header("WWW-Authenticate: Basic realm=\"Intranet SDSED\"");
header("HTTP/1.1 401 Unauthorized");
}
Everything is ok except a detail : if the user makes a mistake (for
example, a bad password), the variable $_SERVER['PHP_AUTH_USER'] is
initialised.
So, if he wants to do again the above test, another identification won't
happen (because $_SERVER['PHP_AUTH_USER'] is already set).
I've tried :
$_SERVER['PHP_AUTH_USER'] = NULL;
without success...

Do you have a clue ?


there is also $_SERVER[PHP_AUTH_PWD] which you can check.
and rather than just checking whether $_SERVER[PHP_AUTH_USER] is set
why not also check that the contained value is something valid?

you can start by checking that $_SERVER['PHP_AUTH_USER'] is not empty:

if (!isset($_SERVER['PHP_AUTH_USER']) || empty($_SERVER['PHP_AUTH_USER'])) {
// send headers
}

or (pseudocode):

if (!isset($_SERVER['PHP_AUTH_USER'])
|| empty($_SERVER['PHP_AUTH_USER'])
|| !isValidUserName($_SERVER['PHP_AUTH_USER']))
{
// send headers
}



Thank you very much.

David.






Re: [PHP] New identification after an error...

2006-01-20 Thread Richard Davey

On 20 Jan 2006, at 14:24, David BERCOT wrote:


I use this program to force a user to authenticate :
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header("WWW-Authenticate: Basic realm=\"Intranet SDSED\"");
header("HTTP/1.1 401 Unauthorized");
}
Everything is ok except a detail : if the user makes a mistake (for
example, a bad password), the variable $_SERVER['PHP_AUTH_USER'] is
initialised.
So, if he wants to do again the above test, another identification
won't happen (because $_SERVER['PHP_AUTH_USER'] is already set).
I've tried :
$_SERVER['PHP_AUTH_USER'] = NULL;
without success...


You could either insert a second check (after the PHP AUTH USER  
isset) along the lines of is_empty(), or just replace the isset with  
is_empty() entirely.


Cheers,

Rich
--
http://www.corephp.co.uk
Zend Certified Engineer
PHP Development Services




Re: [PHP] New identification after an error...

2006-01-20 Thread David BERCOT
 David BERCOT wrote:
  I've tried :
  $_SERVER['PHP_AUTH_USER'] = NULL;
  without success...
 
 http://www.php.net/unset
 
 e.g. unset($_SERVER['PHP_AUTH_USER']);
 
 It might, however, be better practice to use an authorisation state
 variable, or something similar, i.e.
 
 if (! $auth) {
   // HTTP Headers
 }

OK. Thank you very much.

David.




Re: [PHP] New identification after an error...

2006-01-20 Thread Richard Lynch
On Fri, January 20, 2006 8:24 am, David BERCOT wrote:
 I use this program to force a user to authenticate :
 if (!isset($_SERVER['PHP_AUTH_USER'])) {
 header("WWW-Authenticate: Basic realm=\"Intranet SDSED\"");
 header("HTTP/1.1 401 Unauthorized");
 }
 Everything is ok except a detail : if the user makes a mistake (for
 example, a bad password), the variable $_SERVER['PHP_AUTH_USER'] is
 initialised.
 So, if he wants to do again the above test, another identification
 won't happen (because $_SERVER['PHP_AUTH_USER'] is already set).

Well, yeah.

You kind of need to send the headers if:
PHP_AUTH_USER is not set
PHP_AUTH_USER is not valid user
PHP_AUTH_PW is not set
PHP_AUTH_PW is not valid

So you've only done 25% of the job, so far. :-)

Only if all four conditions are met is the user really valid.

 I've tried :
 $_SERVER['PHP_AUTH_USER'] = NULL;
 without success...

$_SERVER should be treated as a read-only variable.

NEVER stuff something into it.

In this case, not only is it just a Bad Idea to stuff something in
there, it's pointless.

The *browser* sends the values for PHP_AUTH_USER and _PW on every
single request, and PHP crams whatever the browser sends into
$_SERVER.

And whatever you put in there during your last script is long long
long gone before any of this happens.

But even if it was still there, it would get over-written by the
browser-apache-php process.

-- 
Like Music?
http://l-i-e.com/artists.htm
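The gate that Albert's snippet and the four conditions listed above are driving at, written out as an added example (this is not code posted by anyone in the thread). It assumes PHP 5.6 or later for password_hash(), password_verify() and hash_equals(); the realm, the user list, the fallback to the HTTP_AUTHORIZATION header and the constructed requests in the usage note are illustrative. It re-sends the challenge on every failure, not only when PHP_AUTH_USER is unset, which is the behaviour the original poster was missing:

```php
<?php
// Added example for this thread, not code posted by anyone in it. Assumes
// PHP >= 5.6 (password_hash/password_verify, hash_equals). The realm, the
// user list and the fallback header name are illustrative.

// Credential store: username => password hash. Hashed at first use only so
// the example is self-contained; real code stores the hashes, it does not
// compute them on every request.
function basic_auth_store() {
    static $store = null;
    if ($store === null) {
        $store = array(
            'users' => array('me' => password_hash('me', PASSWORD_DEFAULT)),
            // Verified against for unknown users so that "no such user" and
            // "wrong password" take the same time (no username enumeration).
            'dummy' => password_hash('unused', PASSWORD_DEFAULT),
        );
    }
    return $store;
}

// Pull (user, password) out of the request. mod_php fills PHP_AUTH_USER and
// PHP_AUTH_PW itself; under CGI/FastCGI only the raw Authorization header is
// usually available, so fall back to decoding that. Returns null when the
// request carries no usable Basic credentials.
function basic_auth_credentials(array $server) {
    if (isset($server['PHP_AUTH_USER'])) {
        $pw = isset($server['PHP_AUTH_PW']) ? $server['PHP_AUTH_PW'] : '';
        return array($server['PHP_AUTH_USER'], $pw);
    }
    $hdr = isset($server['HTTP_AUTHORIZATION']) ? $server['HTTP_AUTHORIZATION'] : '';
    if (!preg_match('#^Basic\s+([A-Za-z0-9+/=]+)$#i', $hdr, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);        // strict mode rejects junk
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2);             // password may contain ':'
}

// All four conditions from the reply above in one place: user present, user
// known, password present, password correct. Returns the username on success
// and null on any failure, so the caller cannot tell them apart by accident.
function basic_auth_user(array $server) {
    $cred = basic_auth_credentials($server);
    if ($cred === null) {
        return null;
    }
    list($user, $pass) = $cred;
    if ($user === '' || $pass === '') {
        return null;
    }
    $store = basic_auth_store();
    $known = isset($store['users'][$user]);
    $hash  = $known ? $store['users'][$user] : $store['dummy'];
    $ok    = password_verify($pass, $hash);       // constant-time compare
    return ($known && $ok) ? $user : null;
}

// The gate. Re-send the challenge on *any* failure, not only when the user
// variable is unset, and stop the script so nothing below it runs.
function require_basic_auth($realm) {
    $user = basic_auth_user($_SERVER);
    if ($user === null) {
        $realm = str_replace(array('"', "\r", "\n"), '', $realm);
        header('WWW-Authenticate: Basic realm="' . $realm . '"');
        http_response_code(401);
        echo "You are not authorized to enter this page";
        exit;
    }
    return $user;
}

$who = require_basic_auth('Intranet SDSED');
echo 'logged in as ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8');
```

Dropped into a page under a web server, this prompts until the browser sends a pair that verifies. From the CLI, basic_auth_user(array('PHP_AUTH_USER' => 'me', 'PHP_AUTH_PW' => 'me')) returns 'me', and the same call with a wrong password, an unknown user, an empty field or an array with no auth keys returns null. Two caveats a deployment needs: the HTTP_AUTHORIZATION fallback only works when the server actually passes the header through (Apache in CGI/FastCGI mode needs a SetEnvIf Authorization rule or CGIPassAuth for that), and Basic sends the user:password pair base64-encoded on every request, so the page has to sit behind TLS.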




Re: [PHP] New identification after an error...

2006-01-20 Thread Richard Lynch
On Fri, January 20, 2006 9:32 am, David BERCOT wrote:
 David BERCOT wrote:
  I've tried :
  $_SERVER['PHP_AUTH_USER'] = NULL;
  without success...

 http://www.php.net/unset

 e.g. unset($_SERVER['PHP_AUTH_USER']);

 It might, however, be better practice to used an authorisation state
 variable, or something similar, i.e.

 if (! $auth) {
  // HTTP Headers
 }

This kind of coding is EXACTLY what makes register_globals ON so
dangerous.

Avoid it at all costs.

If you don't understand why, start reading about register_globals at
http://php.net and keep reading until you DO understand it.

-- 
Like Music?
http://l-i-e.com/artists.htm
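What the warning above is about, as an added example (not code from the thread). register_globals is gone from current PHP, so extract() on the request array stands in for it: it does explicitly what register_globals=on did to every request. The request arrays are constructed inline so the file runs from the CLI, and the hard-coded 'me'/'me' credentials are the thread's own test values, not a recommendation:

```php
<?php
// Added example, not from the thread. Modern PHP no longer has register_globals,
// so extract() on the request array stands in for it here: it does explicitly
// what register_globals=on did to every request. The request arrays below are
// constructed inline so the file runs from the CLI; "page" means whatever the
// 401 check protects.

// The pattern criticised above. $auth is never initialised, so the only place
// it can get a value is the request itself. Returns true when the page would
// be served instead of challenged.
function page_vulnerable(array $get) {
    extract($get);                 // register_globals=on did this implicitly
    if (empty($auth)) {            // the "if (! $auth)" check
        return false;              // would send the WWW-Authenticate headers
    }
    return true;                   // would serve the protected page
}

// Hardened form: the flag lives in a local that is initialised before use,
// request data is never turned into variables (the query string is ignored),
// and the flag is derived only from the Basic-auth fields the web server put
// into $_SERVER.
function page_hardened(array $get, array $server) {
    $auth = false;
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        $auth = hash_equals('me', $server['PHP_AUTH_USER'])
             && hash_equals('me', $server['PHP_AUTH_PW']);
    }
    if (!$auth) {
        return false;              // challenge
    }
    return true;                   // serve
}

// Constructed requests: an attacker fetching page.php?auth=1 with no
// Authorization header, and a real login with no query string.
$forged = array('auth' => '1');
$login  = array('PHP_AUTH_USER' => 'me', 'PHP_AUTH_PW' => 'me');

var_dump(page_vulnerable($forged));
var_dump(page_hardened($forged, array()));
var_dump(page_hardened(array(), $login));
```

Run it and the first var_dump is bool(true): a bare ?auth=1 in the URL is enough to get past the uninitialised check. The hardened function returns false for the same forged request and true only for the request that carries the credentials, because nothing the client sends can set $auth other than through the validated fields.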
