Re: [PHP] Re: Authentication with PHP and HTTP
using this method for a production environment is incredibly vulnerable. Just think of having a link on that page to some other site (or even having a third-party banner displayed) on which there is a hit counter (and on 90% there are) those can simply read the link in their logs. Never ever use it if security is of a minimum importance or you're completely sure you know what you do. -- Maxim Maletsky [EMAIL PROTECTED] On Tue, 5 Nov 2002 02:04:52 +0100 silver [EMAIL PROTECTED] wrote: hi - I'm not quite sure if this will help you, but lets give it a try: you could use this URL syntax: http://user:password;www.site.com to automatically log your user in to the htaccess protected area. the bad thing about it is that user / password show up in the URL, but you could hide this information with using frames... are PHP/MySQL usernames + passwords the same like in Apache/HTTP? greets, _andi Phillip Erskine [EMAIL PROTECTED] schrieb im Newsbeitrag news:F13i7M4BAyxJMXehYSo4e46;hotmail.com... I have a site that uses PHP/MySQL authentication for one section and Apache/HTTP authentication for another. Eventually I would like to use only PHP and MySQL for authenticating users, but in the meantime, I have to use both. First, users will log in to the main section of the site and I will use PHP session variables to maintain state for that section. What I would like to be able to do is allow users to click a link that would redirect them to the other section of the site and automatically log them in. The section of the site that users will be redirected to uses .htaccess and .htpassword files to enforce HTTP authentication. Is this possible? If so, how? = http://www.pverskine.com/ _ Protect your PC - get McAfee.com VirusScan Online http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Authentication with PHP and HTTP
Just never do it period...that is the best habit to have... That is poor coding on the programmers part... On Fri, 2002-11-15 at 00:59, Maxim Maletsky wrote: using this method for a production environment is incredibly vulnerable. Just think of having a link on that page to some other site (or even having a third-party banner displayed) on which there is a hit counter (and on 90% there are) those can simply read the link in their logs. Never ever use it if security is of a minimum importance or you're completely sure you know what you do. -- Maxim Maletsky [EMAIL PROTECTED] On Tue, 5 Nov 2002 02:04:52 +0100 silver [EMAIL PROTECTED] wrote: hi - I'm not quite sure if this will help you, but lets give it a try: you could use this URL syntax: http://user:password;www.site.com to automatically log your user in to the htaccess protected area. the bad thing about it is that user / password show up in the URL, but you could hide this information with using frames... are PHP/MySQL usernames + passwords the same like in Apache/HTTP? greets, _andi Phillip Erskine [EMAIL PROTECTED] schrieb im Newsbeitrag news:F13i7M4BAyxJMXehYSo4e46;hotmail.com... I have a site that uses PHP/MySQL authentication for one section and Apache/HTTP authentication for another. Eventually I would like to use only PHP and MySQL for authenticating users, but in the meantime, I have to use both. First, users will log in to the main section of the site and I will use PHP session variables to maintain state for that section. What I would like to be able to do is allow users to click a link that would redirect them to the other section of the site and automatically log them in. The section of the site that users will be redirected to uses .htaccess and .htpassword files to enforce HTTP authentication. Is this possible? If so, how? = http://www.pverskine.com/ _ Protect your PC - get McAfee.com VirusScan Online http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- .: B i g D o g :. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Authentication with PHP and HTTP
very true :) thx - I will keep that in mind... Chris Shiflett [EMAIL PROTECTED] schrieb im Newsbeitrag news:3DC71CBE.2050703;php.net... You can hide URLs by fetching them with one of your own PHP scripts: base href=www.site.com ? readfile(http://user:password;www.site.com/); ? I think it might be at least better than frames. :-) Chris silver wrote: you could use this URL syntax: http://user:password;www.site.com to automatically log your user in to the htaccess protected area. the bad thing about it is that user / password show up in the URL, but you could hide this information with using frames... are PHP/MySQL usernames + passwords the same like in Apache/HTTP? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Authentication with PHP and HTTP
I've tried both methods without success. header(Location: http://(user):(pass)www.mysite.com); does the transfer but I still get prompted for a username and password by Apache readfile(http://(user):(pass)www.mysite.com); brings a warning message. Warning: readfile(http://...;www.mysite.com/) - Success in redirect.php on line 2 It's a warning but says Success? Ed On Mon, 4 Nov 2002, Chris Shiflett wrote: You can hide URLs by fetching them with one of your own PHP scripts: base href=www.site.com ? readfile(http://user:password;www.site.com/); ? I think it might be at least better than frames. :-) Chris silver wrote: you could use this URL syntax: http://user:password;www.site.com to automatically log your user in to the htaccess protected area. the bad thing about it is that user / password show up in the URL, but you could hide this information with using frames... are PHP/MySQL usernames + passwords the same like in Apache/HTTP? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Authentication with PHP and HTTP
hi - I'm not quite sure if this will help you, but lets give it a try: you could use this URL syntax: http://user:password;www.site.com to automatically log your user in to the htaccess protected area. the bad thing about it is that user / password show up in the URL, but you could hide this information with using frames... are PHP/MySQL usernames + passwords the same like in Apache/HTTP? greets, _andi Phillip Erskine [EMAIL PROTECTED] schrieb im Newsbeitrag news:F13i7M4BAyxJMXehYSo4e46;hotmail.com... I have a site that uses PHP/MySQL authentication for one section and Apache/HTTP authentication for another. Eventually I would like to use only PHP and MySQL for authenticating users, but in the meantime, I have to use both. First, users will log in to the main section of the site and I will use PHP session variables to maintain state for that section. What I would like to be able to do is allow users to click a link that would redirect them to the other section of the site and automatically log them in. The section of the site that users will be redirected to uses .htaccess and .htpassword files to enforce HTTP authentication. Is this possible? If so, how? = http://www.pverskine.com/ _ Protect your PC - get McAfee.com VirusScan Online http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Authentication with PHP and HTTP
You can hide URLs by fetching them with one of your own PHP scripts: base href=www.site.com ? readfile(http://user:password;www.site.com/); ? I think it might be at least better than frames. :-) Chris silver wrote: you could use this URL syntax: http://user:password;www.site.com to automatically log your user in to the htaccess protected area. the bad thing about it is that user / password show up in the URL, but you could hide this information with using frames... are PHP/MySQL usernames + passwords the same like in Apache/HTTP? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php