RE: [PHP] New identification after an error...
David BERCOT wrote:
> I use this program to force a user to authenticate :
> if (!isset($_SERVER["PHP_AUTH_USER"])) {
>     header("WWW-Authenticate: Basic realm=\"Intranet SDSED\"");
>     header("HTTP/1.1 401 Unauthorized");
> }
>
> Everything is ok except a detail : if the user makes a mistake (for
> example, a bad password), the variable $_SERVER["PHP_AUTH_USER"] is
> initialised. So, if he wants to do again the above test, another
> identification won't happen (because $_SERVER["PHP_AUTH_USER"] is
> already set).
>
> I've tried :
> $_SERVER["PHP_AUTH_USER"] = NULL;
> without success...
>
> Do you have a clue ?

<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    // No credentials sent yet: challenge the browser
    header('WWW-Authenticate: Basic realm="'._PRODNAME.'"');
    header('HTTP/1.0 401 Unauthorized');
    echo "You are not authorized to enter this page";
} else {
    $inUser = $_SERVER['PHP_AUTH_USER'];
    $inPWD = $_SERVER['PHP_AUTH_PW'];
    if (strcmp($inUser, 'me') == 0 && strcmp($inPWD, 'me') == 0) {
        echo "logged in";
    } else {
        // Wrong credentials: challenge again so the browser re-prompts
        header('WWW-Authenticate: Basic realm="'._PRODNAME.'"');
        header('HTTP/1.0 401 Unauthorized');
        echo "You are not authorized to enter this page";
    }
}
?>

HTH

Albert

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 267.14.21/235 - Release Date: 2006/01/19

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] New identification after an error...
David

David BERCOT wrote:
> I've tried :
> $_SERVER["PHP_AUTH_USER"] = NULL;
> without success...

http://www.php.net/unset

e.g. unset($_SERVER['PHP_AUTH_USER']);

It might, however, be better practice to use an authorisation state variable, or something similar, i.e.

    if (! $auth) {
        // HTTP Headers
    }

David
--
David Grant
http://www.grant.org.uk/
Re: [PHP] New identification after an error...
David BERCOT wrote:
> Hi,
>
> I use this program to force a user to authenticate :
> if (!isset($_SERVER["PHP_AUTH_USER"])) {
>     header("WWW-Authenticate: Basic realm=\"Intranet SDSED\"");
>     header("HTTP/1.1 401 Unauthorized");
> }
>
> Everything is ok except a detail : if the user makes a mistake (for
> example, a bad password), the variable $_SERVER["PHP_AUTH_USER"] is
> initialised. So, if he wants to do again the above test, another
> identification won't happen (because $_SERVER["PHP_AUTH_USER"] is
> already set).
>
> I've tried :
> $_SERVER["PHP_AUTH_USER"] = NULL;
> without success...
>
> Do you have a clue ?

there is also $_SERVER["PHP_AUTH_PWD"] which you can check. and rather than just checking whether $_SERVER["PHP_AUTH_USER"] is set why not also check that the contained value is something valid?

you can start by checking that $_SERVER["PHP_AUTH_USER"] is not empty:

    if (!isset($_SERVER["PHP_AUTH_USER"]) || empty($_SERVER["PHP_AUTH_USER"])) {
        // send headers
    }

or (pseudocode):

    if (!isset($_SERVER["PHP_AUTH_USER"]) ||
        empty($_SERVER["PHP_AUTH_USER"]) ||
        !isValidUserName($_SERVER["PHP_AUTH_USER"])) {
        // send headers
    }

> Thank you very much.
>
> David.
Re: [PHP] New identification after an error...
On 20 Jan 2006, at 14:24, David BERCOT wrote:
> I use this program to force a user to authenticate :
> if (!isset($_SERVER["PHP_AUTH_USER"])) {
>     header("WWW-Authenticate: Basic realm=\"Intranet SDSED\"");
>     header("HTTP/1.1 401 Unauthorized");
> }
>
> Everything is ok except a detail : if the user makes a mistake (for
> example, a bad password), the variable $_SERVER["PHP_AUTH_USER"] is
> initialised. So, if he wants to do again the above test, another
> identification won't happen (because $_SERVER["PHP_AUTH_USER"] is
> already set).
>
> I've tried :
> $_SERVER["PHP_AUTH_USER"] = NULL;
> without success...

You could either insert a second check (after the PHP AUTH USER isset) along the lines of is_empty(), or just replace the isset with is_empty() entirely.

Cheers,

Rich
--
http://www.corephp.co.uk
Zend Certified Engineer
PHP Development Services
Re: [PHP] New identification after an error...
> David BERCOT wrote:
>> I've tried :
>> $_SERVER["PHP_AUTH_USER"] = NULL;
>> without success...
>
> http://www.php.net/unset
>
> e.g. unset($_SERVER['PHP_AUTH_USER']);
>
> It might, however, be better practice to use an authorisation state
> variable, or something similar, i.e.
>
> if (! $auth) {
>     // HTTP Headers
> }

OK. Thank you very much.

David.
Re: [PHP] New identification after an error...
On Fri, January 20, 2006 8:24 am, David BERCOT wrote:
> I use this program to force a user to authenticate :
> if (!isset($_SERVER["PHP_AUTH_USER"])) {
>     header("WWW-Authenticate: Basic realm=\"Intranet SDSED\"");
>     header("HTTP/1.1 401 Unauthorized");
> }
>
> Everything is ok except a detail : if the user makes a mistake (for
> example, a bad password), the variable $_SERVER["PHP_AUTH_USER"] is
> initialised. So, if he wants to do again the above test, another
> identification won't happen (because $_SERVER["PHP_AUTH_USER"] is
> already set).

Well, yeah.

You kind of need to send the headers if:
PHP_AUTH_USER is not set
PHP_AUTH_USER is not valid user
PHP_AUTH_PW is not set
PHP_AUTH_PW is not valid

So you've only done 25% of the job, so far. :-)

Only if all four conditions are met is the user really valid.

> I've tried :
> $_SERVER["PHP_AUTH_USER"] = NULL;
> without success...

$_SERVER should be treated as a read-only variable.

NEVER stuff something into it.

In this case, not only is it just a Bad Idea to stuff something in there, it's pointless.

The *browser* sends the values for PHP_AUTH_USER and _PW on every single request, and PHP crams whatever the browser sends into $_SERVER.

And whatever you put in there during your last script is long long long gone before any of this happens. But even if it was still there, it would get over-written by the browser-apache-php process.

--
Like Music?
http://l-i-e.com/artists.htm
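An added example, not part of the original thread: one way to build the gate so the 401 challenge is sent whenever any of the checks listed in the message above fails, which is what makes the browser prompt again after a wrong password. The user table, the password literal and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

const REALM = 'Intranet SDSED';

// Constructed demo user store (assumption): real code loads stored hashes
// instead of hashing a literal on every request.
$users = ['david' => password_hash('example-only-password', PASSWORD_DEFAULT)];
// Verified against when the user is unknown, so both paths do the same work.
$dummyHash = password_hash('unused', PASSWORD_DEFAULT);

/** Returns the user name when the request carries valid credentials, else null. */
function authenticatedUser(array $server, array $users, string $dummyHash): ?string
{
    $user = $server['PHP_AUTH_USER'] ?? '';
    $pass = $server['PHP_AUTH_PW'] ?? '';
    // Checks 1 and 3: both values must be present and non-empty strings.
    if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
        return null;
    }
    // Check 2: the user must exist. Check 4: the password must verify.
    $known = array_key_exists($user, $users);
    $ok = password_verify($pass, $known ? $users[$user] : $dummyHash);
    return ($known && $ok) ? $user : null;
}

/** Sends the Basic challenge and stops; nothing after it may run. */
function challenge(): void
{
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="' . REALM . '"');
    echo 'You are not authorized to enter this page';
    exit;
}

// $_SERVER is only read, never written: the browser resends the
// credentials on every request, so each request is judged on its own.
$user = authenticatedUser($_SERVER, $users, $dummyHash);
if ($user === null) {
    challenge();
}
echo 'Logged in as ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```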
Re: [PHP] New identification after an error...
On Fri, January 20, 2006 9:32 am, David BERCOT wrote:
>> David BERCOT wrote:
>>> I've tried :
>>> $_SERVER["PHP_AUTH_USER"] = NULL;
>>> without success...
>>
>> http://www.php.net/unset
>>
>> e.g. unset($_SERVER['PHP_AUTH_USER']);
>>
>> It might, however, be better practice to use an authorisation state
>> variable, or something similar, i.e.
>>
>> if (! $auth) {
>>     // HTTP Headers
>> }

This kind of coding is EXACTLY what makes register_globals ON so dangerous.

Avoid it at all costs.

If you don't understand why, start reading about register_globals at http://php.net and keep reading until you DO understand it.

--
Like Music?
http://l-i-e.com/artists.htm
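An added example, not part of the original thread, of why an `$auth` state variable that is never initialised is unsafe when request parameters become variables, and how explicit initialisation closes the gap. `extract()` stands in for register_globals (removed in PHP 5.4); the function names and the sample request are constructed for illustration.

```php
<?php
declare(strict_types=1);

/** The pattern from the thread: $auth is only ever set on success. */
function uninitialisedGate(array $request, bool $credentialsValid): bool
{
    extract($request);        // stand-in for register_globals=On
    if ($credentialsValid) {
        $auth = true;
    }
    // "if (! $auth) { send headers }": the page is served when $auth is truthy,
    // including when the value came from the request instead of from the check.
    return !empty($auth);
}

/** Same flow, but the state variable is assigned before it is trusted. */
function initialisedGate(array $request, bool $credentialsValid): bool
{
    extract($request);        // same import of request parameters
    $auth = false;            // overwrites anything the request supplied
    if ($credentialsValid) {
        $auth = true;
    }
    return $auth;
}

// Constructed request: no valid credentials, but an "auth" parameter.
$request = ['auth' => '1'];

echo 'uninitialised gate serves page: ';
var_export(uninitialisedGate($request, false));
echo PHP_EOL . 'initialised gate serves page:   ';
var_export(initialisedGate($request, false));
echo PHP_EOL;
```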