[PHP] HTTP Authentication
Guys, I have to access a WS that uses HTTP auth directly with PHP. I've tried using the usual http://user:[EMAIL PROTECTED]/ but I couldn't get it working. I believe it has something to do with the password containing a # (can't change it) and the browser thinks it's an achor or something. All I've seen were scripts to implement HTTP Auth in PHP, nothing about actually logging in with PHP. Is it possible to send the authentication headers the first time I access the link? I could send all necessary headers to the page I'm trying to access and retrieve it's content at once. Thanks, -- Thiago Henrique Pojda
Re: [PHP] HTTP Authentication
Thiago H. Pojda wrote: Guys, I have to access a WS that uses HTTP auth directly with PHP. I've tried using the usual http://user:[EMAIL PROTECTED]/ but I couldn't get it working. I believe it has something to do with the password containing a # (can't change it) and the browser thinks it's an achor or something. All I've seen were scripts to implement HTTP Auth in PHP, nothing about actually logging in with PHP. Is it possible to send the authentication headers the first time I access the link? I could send all necessary headers to the page I'm trying to access and retrieve it's content at once. Thanks, Why don't you let yourself in regardless of the credentials and print them out to make sure they're being evaluated as you expect. - Craige -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HTTP Authentication
On Wed, Nov 19, 2008 at 11:34 AM, Craige Leeder [EMAIL PROTECTED] wrote: Thiago H. Pojda wrote: Guys, I have to access a WS that uses HTTP auth directly with PHP. I've tried using the usual http://user:[EMAIL PROTECTED]/ but I couldn't get it working. I believe it has something to do with the password containing a # (can't change it) and the browser thinks it's an achor or something. All I've seen were scripts to implement HTTP Auth in PHP, nothing about actually logging in with PHP. Is it possible to send the authentication headers the first time I access the link? I could send all necessary headers to the page I'm trying to access and retrieve it's content at once. Thanks, Why don't you let yourself in regardless of the credentials and print them out to make sure they're being evaluated as you expect. - Craige I can' t change the WebService, it's not mine. If it were, I could manage to test some stuff but now all I can do is type it's address in my browser, login and see the content I want my app to see. Thanks, -- Thiago Henrique Pojda
RE: [PHP] HTTP Authentication
-Original Message- From: Craige Leeder [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 19, 2008 8:35 AM To: Thiago H. Pojda Cc: PHP-General List Subject: Re: [PHP] HTTP Authentication Thiago H. Pojda wrote: Guys, I have to access a WS that uses HTTP auth directly with PHP. I've tried using the usual http://user:[EMAIL PROTECTED]/ but I couldn't get it working. I believe it has something to do with the password containing a # (can't change it) and the browser thinks it's an achor or something. All I've seen were scripts to implement HTTP Auth in PHP, nothing about actually logging in with PHP. Is it possible to send the authentication headers the first time I access the link? I could send all necessary headers to the page I'm trying to access and retrieve it's content at once. Thanks, Why don't you let yourself in regardless of the credentials and print them out to make sure they're being evaluated as you expect. Well... he said he needs to access a WS, not that he administrates it or has any control over the authentication, etc. As for the Basic Authentication, I believe you can send the authentication info in the headers (instead of the URL). If you have problems implementing that in straight PHP, perhaps cURL could be of some assistance. http://www.httprevealer.com/article_basic_authentication.htm - this outlines the header formats, etc... just remember--you will need to Base64 encode username:password for the Authorization header. HTH, // Todd -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HTTP Authentication
On Wed, Nov 19, 2008 at 9:26 AM, Thiago H. Pojda [EMAIL PROTECTED] wrote: Guys, I have to access a WS that uses HTTP auth directly with PHP. I've tried using the usual http://user:[EMAIL PROTECTED]/ but I couldn't get it working. I believe it has something to do with the password containing a # (can't change it) and the browser thinks it's an achor or something. All I've seen were scripts to implement HTTP Auth in PHP, nothing about actually logging in with PHP. Is it possible to send the authentication headers the first time I access the link? I could send all necessary headers to the page I'm trying to access and retrieve it's content at once. Thanks, -- Thiago Henrique Pojda You're passing the username and password as part of a URL, so shouldn't the username and password be urlencoded? I'm thinking it will work if you replace the '#' sign with %23. Andrew -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HTTP Authentication [ SOLVED ]
On Wed, Nov 19, 2008 at 12:15 PM, Andrew Ballard [EMAIL PROTECTED] wrote: On Wed, Nov 19, 2008 at 9:26 AM, Thiago H. Pojda [EMAIL PROTECTED] wrote: Guys, I have to access a WS that uses HTTP auth directly with PHP. I've tried using the usual http://user:[EMAIL PROTECTED]/ but I couldn't get it working. I believe it has something to do with the password containing a # (can't change it) and the browser thinks it's an achor or something. All I've seen were scripts to implement HTTP Auth in PHP, nothing about actually logging in with PHP. Is it possible to send the authentication headers the first time I access the link? I could send all necessary headers to the page I'm trying to access and retrieve it's content at once. Thanks, -- Thiago Henrique Pojda You're passing the username and password as part of a URL, so shouldn't the username and password be urlencoded? I'm thinking it will work if you replace the '#' sign with %23. Andrew I only tried thworing urlencode on everything, which obviously didn't work. Both ways worked, using %23 for '#' and the snippet from Nathan. Thanks a lot everyone, I was about to build all the headers and stuff :P Regards, -- Thiago Henrique Pojda
RE: [PHP] HTTP Authentication [ SOLVED ]
-Original Message- From: Thiago H. Pojda [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 19, 2008 11:47 AM To: Andrew Ballard Cc: PHP-General List Subject: Re: [PHP] HTTP Authentication [ SOLVED ] On Wed, Nov 19, 2008 at 12:15 PM, Andrew Ballard [EMAIL PROTECTED] wrote: On Wed, Nov 19, 2008 at 9:26 AM, Thiago H. Pojda [EMAIL PROTECTED] wrote: Guys, I have to access a WS that uses HTTP auth directly with PHP. I've tried using the usual http://user:[EMAIL PROTECTED]/ but I couldn't get it working. I believe it has something to do with the password containing a # (can't change it) and the browser thinks it's an achor or something. All I've seen were scripts to implement HTTP Auth in PHP, nothing about actually logging in with PHP. Is it possible to send the authentication headers the first time I access the link? I could send all necessary headers to the page I'm trying to access and retrieve it's content at once. Thanks, -- Thiago Henrique Pojda You're passing the username and password as part of a URL, so shouldn't the username and password be urlencoded? I'm thinking it will work if you replace the '#' sign with %23. Andrew I only tried thworing urlencode on everything, which obviously didn't work. Both ways worked, using %23 for '#' and the snippet from Nathan. Thanks a lot everyone, I was about to build all the headers and stuff :P All the headers, meaning 2? :) Glad to hear you've solved your problem, anyway.. // Todd -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HTTP Authentication [ SOLVED ]
On Wed, Nov 19, 2008 at 2:49 PM, Boyd, Todd M. [EMAIL PROTECTED] wrote: -Original Message- From: Thiago H. Pojda [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 19, 2008 11:47 AM To: Andrew Ballard Cc: PHP-General List Subject: Re: [PHP] HTTP Authentication [ SOLVED ] On Wed, Nov 19, 2008 at 12:15 PM, Andrew Ballard [EMAIL PROTECTED] wrote: On Wed, Nov 19, 2008 at 9:26 AM, Thiago H. Pojda [EMAIL PROTECTED] wrote: Guys, I have to access a WS that uses HTTP auth directly with PHP. I've tried using the usual http://user:[EMAIL PROTECTED]/ but I couldn't get it working. I believe it has something to do with the password containing a # (can't change it) and the browser thinks it's an achor or something. All I've seen were scripts to implement HTTP Auth in PHP, nothing about actually logging in with PHP. Is it possible to send the authentication headers the first time I access the link? I could send all necessary headers to the page I'm trying to access and retrieve it's content at once. Thanks, -- Thiago Henrique Pojda You're passing the username and password as part of a URL, so shouldn't the username and password be urlencoded? I'm thinking it will work if you replace the '#' sign with %23. Andrew I only tried thworing urlencode on everything, which obviously didn't work. Both ways worked, using %23 for '#' and the snippet from Nathan. Thanks a lot everyone, I was about to build all the headers and stuff :P All the headers, meaning 2? :) Glad to hear you've solved your problem, anyway.. // Todd -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Haha, yes, 'all' those :) I thought there were many more, thankfully it only needed Basic and the other - which I forgot now. Thank you too :) -- Thiago Henrique Pojda
Re: [PHP] HTTP Authentication [ SOLVED ]
On Wed, Nov 19, 2008 at 12:47 PM, Thiago H. Pojda [EMAIL PROTECTED] wrote: On Wed, Nov 19, 2008 at 12:15 PM, Andrew Ballard [EMAIL PROTECTED] wrote: On Wed, Nov 19, 2008 at 9:26 AM, Thiago H. Pojda [EMAIL PROTECTED] wrote: Guys, I have to access a WS that uses HTTP auth directly with PHP. I've tried using the usual http://user:[EMAIL PROTECTED]/ but I couldn't get it working. I believe it has something to do with the password containing a # (can't change it) and the browser thinks it's an achor or something. All I've seen were scripts to implement HTTP Auth in PHP, nothing about actually logging in with PHP. Is it possible to send the authentication headers the first time I access the link? I could send all necessary headers to the page I'm trying to access and retrieve it's content at once. Thanks, -- Thiago Henrique Pojda You're passing the username and password as part of a URL, so shouldn't the username and password be urlencoded? I'm thinking it will work if you replace the '#' sign with %23. Andrew I only tried thworing urlencode on everything, which obviously didn't work. Both ways worked, using %23 for '#' and the snippet from Nathan. Thanks a lot everyone, I was about to build all the headers and stuff :P Regards, -- Thiago Henrique Pojda Yes. If you go that route, you have to separately urlencode each piece of data rather than the whole URL because you don't want the valid delimiters like the colon, @ symbol, slashes, etc. to get encoded. Andrew -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] http authentication with safe mode enabled?!
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi to you all.
I've been pulling my hair out over this issue and I really hope YOU can
help me. A part of the website that I'm having the problems with should
be password protected (nothing much, just to have a slight notion of it
not being publicly available, so no SSL or other Stuff) so I wrote this
function based on an example from the php manual which does just that.
Problem is that on my ISPs server safe_mode is enabled and so as it says
in the manual:
| As of PHP 4.3.0, in order to prevent someone from writing a script
| which reveals the password for a page that was authenticated through
| a traditional external mechanism, the PHP_AUTH variables will not be
| set if external authentication is enabled for that particular page
| and safe mode is enabled. Regardless, REMOTE_USER can be used to
| identify the externally-authenticated user. So, you can use
| $_SERVER['REMOTE_USER'].
My code looks like this:
function auth($file) {
$username = $_SERVER['PHP_AUTH_USER'];
$password = $_SERVER['PHP_AUTH_PW'];
$http_401 = './auth/unauthorized.html';
$realm = 'Intern';
if (!isset($username) || !isset($password)) {
header(WWW-Authenticate: Basic realm=\$realm\);
header('HTTP/1.0 401 Unauthorized');
include $http_401;
} else {
if (($username != 'XXX') (crypt($password, 'XX')
!=
'X')) {
include $http_401;
} else {
include $file;
}
~ }
}
Now as you can see I'm also checking wether there was no password
entered in contrast to the example from the manual. Of course I could
leave that part out and set
$username = $_SERVER['REMOTE_USER'];
But how the hell am I supposed to check for a correct password if
$_SERVER['PHP_AUTH_PW'] is not set? If safe mode is disabled everything
works just fine (checked on my on box with apache 1.3), so in theory
it's working.
Please help me guys I'd be grateful for any help provided.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCPXCen0kyIx7rF68RAmq5AJsHC5HIm4lvnHp3gbOVVR0NcArTkwCgj7y5
8cU2qnxDeeWaDDIeFElroQk=
=F0Wq
-END PGP SIGNATURE-
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HTTP Authentication in include()
--- Matt Wondra [EMAIL PROTECTED] wrote:
I'm trying to include a file from an HTTP Authenticated server
in PHP. I have a valid username and password. Is there any way
to remotely login and include the file?
Ex:
include(https://www.url.com/incl1.php;);
When allow_url_fopen is enabled, you can include a remote URL, similar to
what you've shown. What PHP does for you is send an HTTP request to the
remote server, receive the response, and include the content just as if
you included a local file.
It is this request that PHP sends that needs to have the Authorization
header. To my knowledge, there is no way to add your own headers to this
request made on your behalf, although you could certainly hack PHP's
source to allow such a thing.
What you can do is write your own code to make a request. I'll give you a
quick example, but keep in mind that I'm just typing this out in an email,
and it is likely to contain bugs. :-)
--
$username = 'myuser';
$password = 'mypass';
$host = 'example.org';
$path = '/path/to/script.php';
$authorization = base64_encode($username:$password);
$http_response = '';
$fp = fsockopen($host, 80);
fputs($fp, GET $path HTTP/1.1\r\n);
fputs($fp, Host: $host\r\n);
fputs($fp, Authorization: $authorization\r\n);
fputs($fp, Connection: close\r\n\r\n);
fputs($fp, $data);
while (!feof($fp))
{
$http_response .= fgets($fp, 128);
}
fclose($fp);
--
Your example cites a URL with the https scheme. To speak SSL, this example
will of course require some enhancements, but hopefully this answers your
question.
Chris
=
Chris Shiflett - http://shiflett.org/
PHP Security - O'Reilly
Coming Fall 2004
HTTP Developer's Handbook - Sams
http://httphandbook.org/
PHP Community Site
http://phpcommunity.org/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] HTTP Authentication in include()
Howdy. I'm trying to include a file from an HTTP Authenticated server in PHP. I have a valid username and password. Is there any way to remotely login and include the file? Ex: include(https://www.url.com/incl1.php;); // Trying to include from password-protected site How do I get past the 401 Authorization Required errors? Thanks. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HTTP Authentication in include()
On Friday 03 September 2004 05:27, Matt Wondra wrote:
I'm trying to include a file from an HTTP Authenticated server in PHP. I
have a valid username and password. Is there any way to remotely login and
include the file?
Ex:
include(https://www.url.com/incl1.php;); // Trying to include from
password-protected site
include('https://user:[EMAIL PROTECTED]/incl1.php')
--
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design Hosting * Internet Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
I am the wandering glitch -- catch me if you can.
*/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] HTTP Authentication take so long, why??
Hi! I am wondering why is the HTTP Authentication is taking so long to pop-up once the link/button is clicked. Like 2 minutes I'm using Apache and there is no PHP being used for HTTP Authentication stuffs as I thought it did. I thought one of you might know of this because of previous experience. The database is not hte issue here, the firewall is not the issue here and the webserver is at offsite. I think it is something with Apache or the SSL part.. This webpage is on the SSL part... --snip-- a href='db2admin/main_menu.php'Admin Login/a --snip-- The httpd.conf in Apache is ... --snip-- Directory /home/website/*/secure/db2admin Options FollowSymLinks ExecCGI DirectoryIndex main_menu.php AllowOverride All Order deny,allow AuthName -= DB2 Database Administration Realm =- AuthType Basic AuthUserFile /usr/local/apache/conf/db2_access require valid-user AuthGroupFile /dev/null /Directory --snip-- Thanks, FletchSOD -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] HTTP Authentication take so long, why??OT
[snip] I am wondering why is the HTTP Authentication is taking so long to pop-up once the link/button is clicked. Like 2 minutes I'm using Apache and there is no PHP being used for HTTP Authentication stuffs as I thought it did. I thought one of you might know of this because of previous experience. The database is not hte issue here, the firewall is not the issue here and the webserver is at offsite. I think it is something with Apache or the SSL part.. This webpage is on the SSL part... [/snip] Maybe an Apache list would help you much more quickly. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] http authentication through PHP
Scott Taylor wrote: What is the easiest way to access a page that is protected by HTTP basic authentication through PHP? In other words, I have a PHP page that will get the username and password off a database and will then login through HTTP authentication to access a second page (say an HTML page). I believe Snoopy can do this http://snoopy.sourceforge.net -- Burhan -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] http authentication through PHP
What is the easiest way to access a page that is protected by HTTP basic authentication through PHP? In other words, I have a PHP page that will get the username and password off a database and will then login through HTTP authentication to access a second page (say an HTML page). Best regards, Scott Taylor -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] http authentication through PHP
--- Scott Taylor [EMAIL PROTECTED] wrote: What is the easiest way to access a page that is protected by HTTP basic authentication through PHP? You should be able to indicate the username and password in the URL: http://username:[EMAIL PROTECTED]/path/to/script.php Hope that helps. Chris = Chris Shiflett - http://shiflett.org/ PHP Security Handbook Coming mid-2004 HTTP Developer's Handbook http://httphandbook.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] HTTP Authentication thru PHP
hello all ,
I'm able to get successfully http authenticated from my php scripts
Ex :
$header = POST /myscript.php HTTP/1.0\r\nAuthorization: Basic ;
$header .= base64_encode($username:$password).\r\n;
$header .= Content-type: application/x-www-form-urlencoded\r\n;
$fp = fsockopen($IP, $PORT, $errno, $errstr);
if ($fp) { fputs($fp, $header . $request); while (!feof($fp)) {
$response .= fgets($fp, 128); } }
But the above is not working when the $username contains a trailing
semicolon
or when the $password is starting with a semicolon,
Ex: what if the $username =chandu:
Is there any solution for this ?
/Chandu
RE: [PHP] HTTP Authentication thru PHP
Hi, But the above is not working when the $username contains a trailing semicolon or when the $password is starting with a semicolon, Ex: what if the $username =chandu: Is there any solution for this ? You could use str_replace to strip those before they get used. -Dan Joseph -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HTTP Authentication thru PHP
I think I can remember semi-colon is not allowed in apache logins or
passwords...
Chandu Nannapaneni wrote:
hello all ,
I'm able to get successfully http authenticated from my php scripts
Ex :
$header = POST /myscript.php HTTP/1.0\r\nAuthorization: Basic ;
$header .= base64_encode($username:$password).\r\n;
$header .= Content-type: application/x-www-form-urlencoded\r\n;
$fp = fsockopen($IP, $PORT, $errno, $errstr);
if ($fp) { fputs($fp, $header . $request); while (!feof($fp)) {
$response .= fgets($fp, 128); } }
But the above is not working when the $username contains a trailing
semicolon
or when the $password is starting with a semicolon,
Ex: what if the $username =chandu:
Is there any solution for this ?
/Chandu
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] HTTP Authentication thru PHP
[snip] I think I can remember semi-colon is not allowed in apache logins or passwords... But the above is not working when the $username contains a trailing semicolon or when the $password is starting with a semicolon, Ex: what if the $username =chandu: [/snip] Or colons. It is a Bad Practice[tm] to use any special characters in user names and/or passwords. It is not universally allowed from OS to OS -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HTTP Authentication thru PHP
Jay Blanchard wrote: Or colons. It is a Bad Practice[tm] to use any special characters in user names and/or passwords. It is not universally allowed from OS to OS I disagree with this : special characters are useful to have better passwords (more difficult to crack), but as apache stores the souples login:password_crypt, of course : is the only really forbidden character. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] HTTP Authentication does not work
I have tried using HTTP Authentication as described in the documentation. But it does not matter how many times i type in login/password, the popup keeps coming back. The server, mandrake 9.1, uses safe mode, so PHP_AUTH_USER and PHP_AUTH_PW does not work. $_SERVER['REMOTE_USER'] does not work either. Does anyone have any ideas? Peter Holmberg -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] HTTP-authentication
Hiya people,
I am building a admin page for a guestbook and i want more people to be
able to log in. I have made a table in the database called
user(gebruikers) wich keeps both a loginname(loginnaam) and password. I
have 2 users in this table right now. Now i ve a problem.. I can login
with the first person (myself), but i am unable to login with the second
user. Here is my code, i hope someone can help me..:)
?php
function authenticate()
{
Header( WWW-authenticate: basic realm=\Gastenboek admin
pagina\);
Header( HTTP/1.0 401 Unauthorized);
echo U moet een geldinge loginnaam en wachtwoord invoeren om
deze functie te kunnen gebruiken!\n;
exit;
}
function CheckPwd($user,$pass)
{
//Open database connectie
include(scripts/db_connect.php);
//Maak query
$sql_query = SELECT DISTINCT loginnaam, wachtwoord FROM
gebruikers WHERE loginnaam='$user';
//Verstuur query
$sql_id = mysql_query($sql_query, $link) or die(error in
query);
//Resultaat
$sql = mysql_fetch_assoc($sql_id);
$username = $sql['loginnaam'];
$password = $sql['wachtwoord'];
return ($user != $username || $pass != $password) ? false :
true;
//Sluit database connectie
mysql_free_result($sql_id);
mysql_close($link);
}
if(!isset($PHP_AUTH_USER))
{
authenticate();
}
elseif(!CheckPwd($PHP_AUTH_USER,$PHP_AUTH_PW))
{
authenticate();
}
?
Thanks already..
Best regards,
Davy Obdam,
mailto:[EMAIL PROTECTED]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] HTTP authentication - de authentication
How does one logout from such an authentication? I know that through a
HTTP status code, but how exactly? Everything I tried allows the browser
to view the page info after logout if the user hits the back button.
The only way I found it works if the user closes the browser window, but
I can't make sure they do, so *how do I make sure they do?*
Is there a script to better de-autheticate from such an authentication
method, or to make the browser close the window?
// ___ AUTHENTICATION SCRIPT _
$auth = false;
if (isset($PHP_AUTH_USER) isset($PHP_AUTH_PW)) {
// Connect to MySQL
mysql_connect( 'xxx', 'xxx', 'xxx' )
or die ( 'Unable to connect to server.' );
// Select database on MySQL server
mysql_select_db( 'xxx' )
or die ( 'Unable to select database.' );
// Formulate the query
$sql = SELECT * FROM xxx
WHERE user_id = '$PHP_AUTH_USER'
AND password = PASSWORD('$PHP_AUTH_PW');
// Execute the query and put results in $result
$result = mysql_query( $sql )
or die ( 'Unable to execute query.' );
// Get number of rows in $result.
$num = mysql_numrows( $result );
// A matching row was found - the user is authenticated.
if ( $num != 0 ) {
$auth = true;
// End do the check
}
//STOP AUTHETICATION SCRIPT EXAMPLE __
//_ LOGOUT SCRIP EXAMPLE
// the logout link would look like:
//a href=?php echo($PHP_SELF);??logout=1Logout/a
if (isset($logout)) {
header('status: 401 Unauthorized');
header('WWW-Authenticate: Basic realm=Private');
header('HTTP/1.0 403 Forbidden');
echo ('You have successfully logged out.');
?
script language=JavaScript type=text/JavaScript
!--
function MM_goToURL() { //v3.0
var i, args=MM_goToURL.arguments; document.MM_returnValue = false;
for (i=0; i(args.length-1); i+=2)
eval(args[i]+.location='+args[i+1]+');
}
//--
/script
?php
exit();
}
- Vic
__
Post your ad for free now! http://personals.yahoo.ca
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HTTP authentication - de authentication
From: vic [EMAIL PROTECTED] Sent: Saturday, August 10, 2002 11:24 AM Subject: [PHP] HTTP authentication - de authentication How does one logout from such an authentication? There's no way to logout. Use a session based authentication. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] HTTP authentication
Hi,
I am reading HTTP authentication in php manual. It
does not explain it from the basics of it. Can anyone
tell me what exactly will the output of the following
code? I thought it will ask some user name and
password thing but it just displays me the string
text to send if user hits cancel.
This is the code
?php
header(WWW-Authenticate: Basic realm=\My
Realm\);
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header(WWW-Authenticate: Basic realm=\My
Realm\);
header(HTTP/1.0 401 Unauthorized);
echo Text to send if user hits Cancel button\n;
exit;
} else {
echo pHello {$_SERVER['PHP_AUTH_USER']}./p;
echo pYou entered {$_SERVER['PHP_AUTH_PW']} as
your password./p;
}
?
__
Do You Yahoo!?
Sign up for SBC Yahoo! Dial - First Month Free
http://sbc.yahoo.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] HTTP authentication
From: Varsha Agarwal [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 10, 2002 4:30 PM
I thought it will ask some user name and
password thing but it just displays me the string
text to send if user hits cancel.
This is the code:
?php
header(WWW-Authenticate: Basic realm=\My Realm\);
^^
Get rid of the above statement
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header(WWW-Authenticate: Basic realm=\My
Realm\);
header(HTTP/1.0 401 Unauthorized);
echo Text to send if user hits Cancel button\n;
exit;
} else {
echo pHello {$_SERVER['PHP_AUTH_USER']}./p;
echo pYou entered {$_SERVER['PHP_AUTH_PW']} as
your password./p;
}
?
?php
header(WWW-Authenticate: Basic realm=\My Realm\);
header(HTTP/1.0 401 Unauthorized);
?
The above two statements will cause the browser to pop up the login window and pass
any input (including none) back to the page. Any user input will be in the two
$_SERVER vars. Typically you'd validate this with a db or something, and allow access
if the user id and password validate. HTTP Auth in HTTP/1.0 isn't secure as the
credentials are sent clear text to the server on every GET request, so on a page with
images and such it's sent several times. Also, there's no way to sign out other then
closing all of the browser windows. It's better to design a session based solution,
with a login page, and set a session variable(s) indicating the authorized so the user
id/password are only sent once, and you can control session timeout to require
re-logging in after some interval of inactivity. You'd also have to consider session
hijacking, which is covered in the archives.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] HTTP authentication
Hi,
Thanks for the explaination. But that code does not
pop up any login window. Do I need to do any settings
for that??
--- Matt Schroebel [EMAIL PROTECTED] wrote:
From: Varsha Agarwal
[mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 10, 2002 4:30 PM
I thought it will ask some user name and
password thing but it just displays me the string
text to send if user hits cancel.
This is the code:
?php
header(WWW-Authenticate: Basic realm=\My
Realm\);
^^
Get rid of the above statement
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header(WWW-Authenticate: Basic realm=\My
Realm\);
header(HTTP/1.0 401 Unauthorized);
echo Text to send if user hits Cancel
button\n;
exit;
} else {
echo pHello
{$_SERVER['PHP_AUTH_USER']}./p;
echo pYou entered {$_SERVER['PHP_AUTH_PW']}
as
your password./p;
}
?
?php
header(WWW-Authenticate: Basic realm=\My
Realm\);
header(HTTP/1.0 401 Unauthorized);
?
The above two statements will cause the browser to
pop up the login window and pass any input
(including none) back to the page. Any user input
will be in the two $_SERVER vars. Typically you'd
validate this with a db or something, and allow
access if the user id and password validate. HTTP
Auth in HTTP/1.0 isn't secure as the credentials are
sent clear text to the server on every GET request,
so on a page with images and such it's sent several
times. Also, there's no way to sign out other then
closing all of the browser windows. It's better to
design a session based solution, with a login page,
and set a session variable(s) indicating the
authorized so the user id/password are only sent
once, and you can control session timeout to require
re-logging in after some interval of inactivity.
You'd also have to consider session hijacking, which
is covered in the archives.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
__
Do You Yahoo!?
Sign up for SBC Yahoo! Dial - First Month Free
http://sbc.yahoo.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] HTTP AUTHENTICATION Solution
Here is a solution I developed for the HTTP AUTHENTICATION on that buggy
Internet Explorer.
I want some feedbacks, improvements, Comments...
Bharath
(B. h. Loh.)
bharath_b_lohray (at) yahoo.com
Please correspond via email for my convinience and
also on the News Group for the benifit of the Php Developers...
=== START OF SOURCE CODE [lohauthsol.php]===
?php
//Username and password verification function
//takes (username,password) returns TRUE/FALSE
function verify($un,$pw)
{
//Verify against a database etc
if
((($un==bharath)($pw==password1))||(($un==tom_dick_harrypotter)($p
w==password2)))
{
$ok=TRUE;
}
else
{
$ok=FALSE;
}
return $ok;
}
//Procedure to display a standard error if login
//fails
function er($err)
{
echo htmlheadtitle$err/title/headbody bgcolor=\#FF\
text=\#00\pfont face=\Courier New, Courier, Terminal\
size=\3\font size=\5\$err/fontbrbrCould not log you in. a
href=\lohauthsol.php\TRY AGAIN/a/font/p/body/html;
}
//Procedure to ask username and password by
//HTTP AUTHENTICATION
function ask()
{
header(WWW-Authenticate: Basic realm=\1024x1024.net
Administration\);
header(HTTP/1.0 401);
er(Unauthorized);
exit;
}
//BEGIN MAIN PROGRAMME
if ((!isset($PHP_AUTH_USER))||(!verify($PHP_AUTH_USER,$PHP_AUTH_PW)))
{
ask();
}
else
{
echo OK;
exit;
}
?
=== END OF SOURCE CODE ===
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP Authentication problems
Hello, I'm working on a website for what will eventually be free PHP/MySQL/Apache/DNS/etc hosting (see: http://hosting.venura.net , no requests for accounts will be entertained right now), and am having problems trying to get HTTP Authentication working. I had it working a month or so ago, but then I put the project on hold for awhile and came back to a mess that wasn't -- don't know how unless I somehow broke it just before I quit working on it. Anyways, I'm running PHP 4.1.0 (had same problems with 4.0.6 earlier so I know it's not some weird bug with the new version), Apache 1.3.22+mod_ssl and Linux 2.4. I'm working (for now) with a small test script containing this (and running on SSL, which I had no problems with earlier.) --- ?php header(HTTP/1.0 401 Unauthorized); header(WWW-Authenticate: Basic realm=\hosting.venura.net Member Services U: . $PHP_AUTH_USER . , P: . $PHP_AUTH_PW . \ ); ? html xmlns=http://www.w3.org/1999/xhtml; xml:lang=en lang=en head title[secure]venura.net :: Unauthorized/title /head body ?php phpinfo(); ? /body /html --- The idea being that I can see the username/password entered in the authentication box itself. Anyways, though the 401 part works and actually brings up the typical Enter Username/Password box, $PHP_AUTH_USER and $PHP_AUTH_PW are not being set. Neither is $REMOTE_USER. There are no .htaccess files in the directory (or any parent dirs for that matter), and no AuthType directives all in my httpd.conf file. I have been unsuccessful in determining what is wrong, and am flat out of ideas. My php.ini and httpd.conf files are available at http://hosting.venura.net/fixme/ Any ideas? -- Daniel Grace -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP Authentication
the HTTP authentication of using a form uses Sessions! Check out the following URL: http://www.devshed.com/Server_Side/PHP/Commerce2/ I followed the above URL to create a user authentication page using Sessions. Peter On Mon, 22 Oct 2001, [ISO-8859-1] Stig-Ørjan Smelror wrote: Wilbert Enserink wrote: Hi all, is it possible to do a HTTP Authentication with my own loginform instead of using the ugly pop up window? regards, Wilbert With a lot of thought, yes. You need to consider a few factors before you start. Security: Checking the IP address of the user. Performance: to DB or not to DB, that is the question! Security again: what kind of password algoritm are you going to use. And so on and so forth. I wish you the best of luck. I made such a script just a month ago :) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP Authentication
Wilbert Enserink wrote: Hi all, is it possible to do a HTTP Authentication with my own loginform instead of using the ugly pop up window? regards, Wilbert With a lot of thought, yes. You need to consider a few factors before you start. Security: Checking the IP address of the user. Performance: to DB or not to DB, that is the question! Security again: what kind of password algoritm are you going to use. And so on and so forth. I wish you the best of luck. I made such a script just a month ago :) -- Stig-Ørjan Smelror Systemutvikler Linux Communications AS Sandakerveien 48b Box 1801 - Vika N-0123 Oslo, Norway tel. +47 22 09 28 80 fax. +47 22 09 28 81 http://www.lincom.no/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP Authentication / Logging Out
how secure is either method? the form method would be more secure if it was done over https correct? tonyz Martín marqués wrote: On Lun 01 Oct 2001 19:36, you wrote: I used a pretty basic system to check HTTP authentication values against database values, but I can't seem to find a way to allow the user to log out. I tried: unset($PHP_AUTH_USER) but Internet Explorer hangs on to that value until all browser windows are closed. Is there any way around that? I (as lot of GPL projects) have droped HTTP authentification, and use there own authentification. Put a form with login and password, and save whatever you like in a session, and thats it. Saludos... ;-) P.D.: Netscape also hangs with the variable PHP_AUTH_USER. -- Porqué usar una base de datos relacional cualquiera, si podés usar PostgreSQL? - Martín Marqués |[EMAIL PROTECTED] Programador, Administrador, DBA | Centro de Telematica Universidad Nacional del Litoral - -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP Authentication / Logging Out
I used a pretty basic system to check HTTP authentication values against database values, but I can't seem to find a way to allow the user to log out. I tried: unset($PHP_AUTH_USER) but Internet Explorer hangs on to that value until all browser windows are closed. Is there any way around that? Thanks, Eric J Schwinder eric.AT.bergencomputing.DOT.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP Authentication / Logging Out
$PHP_AUTH_USER is filled in based on the value coming from the browser. unsetting it in PHP makes no sense as the browser is simply going to set it again on the next request. There is no way to clear this from the client-side short of changing the realm or denying the authentication with a 403. -Rasmus On Mon, 1 Oct 2001, Eric J Schwinder wrote: I used a pretty basic system to check HTTP authentication values against database values, but I can't seem to find a way to allow the user to log out. I tried: unset($PHP_AUTH_USER) but Internet Explorer hangs on to that value until all browser windows are closed. Is there any way around that? Thanks, Eric J Schwinder eric.AT.bergencomputing.DOT.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] http authentication and php
if you just want to output the file to the user, readfile(http://server.com/greendocks/locked/useradd.htm?user=blahpass=blah;); should work. If you want to play with the file first, file() will put it in an array, fopen() will create a file pointer to it, you could create your very own HTTP session (if you know the protocol) with fsockopen()... i'm sure there are more, but that's all you need (probably). I would probably use this: $file=implode(\n,file(http://server.com/greendocks/locked/useradd.htm?user=blahpass=blah;)); if i wanted to place the whole thing in one variable, not an array. On Saturday 22 September 2001 20:39, you wrote: I am trying to write a php script that will work around a http authentication that I do have access to. I am trying to do this so that a form process in my control panel can automatically have information sent to it from a form that a user will fill out. However, my problem is in trying to get PHP to automatically authenticate. for example: I want to be able to call a url like this: http://server.com/greendocks/locked/useradd.htm?user=blahpass=blahbut this url is behind a http authentication. Is it possible to have this url called by a php script? And the second part of the question is can I do this process so it is completely invisible to the user that this page has been called? Because of course I don't want to allow users to have access to everything in my control panel. Hopefully someone knows what I'm getting at. Thanks for any help you may be able to provide. Jeff -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] http authentication and php
Well the actual problem is that this file is behind a http authenticated directory. I actually don't want the users to know the login and password for it since it is the login for my control panel for my website. However, I do want to be able to execute a url, this is to allow users to create their own email addresses with pop access without requesting them from me all the time. I am just not sure if I can push the login and password for the authentication window that would normally pop up, so the file is executed behind the scenes, and the user would merely see a output of their username and password and information on how to login to their account which would be output as long as the file was able to be executed. Any ideas? Evan Nemerson [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... if you just want to output the file to the user, readfile(http://server.com/greendocks/locked/useradd.htm?user=blahpass=bla h); should work. If you want to play with the file first, file() will put it in an array, fopen() will create a file pointer to it, you could create your very own HTTP session (if you know the protocol) with fsockopen()... i'm sure there are more, but that's all you need (probably). I would probably use this: $file=implode(\n,file(http://server.com/greendocks/locked/useradd.htm?use r=blahpass=blah)); if i wanted to place the whole thing in one variable, not an array. On Saturday 22 September 2001 20:39, you wrote: I am trying to write a php script that will work around a http authentication that I do have access to. I am trying to do this so that a form process in my control panel can automatically have information sent to it from a form that a user will fill out. However, my problem is in trying to get PHP to automatically authenticate. for example: I want to be able to call a url like this: http://server.com/greendocks/locked/useradd.htm?user=blahpass=blah but this url is behind a http authentication. Is it possible to have this url called by a php script? And the second part of the question is can I do this process so it is completely invisible to the user that this page has been called? Because of course I don't want to allow users to have access to everything in my control panel. Hopefully someone knows what I'm getting at. Thanks for any help you may be able to provide. Jeff -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] http authentication and php
On 23-Sep-2001 Jeff Bristow wrote:
I am trying to write a php script that will work around a http
authentication that I do have access to. I am trying to do this so that a
form process in my control panel can automatically have information sent to
it from a form that a user will fill out. However, my problem is in trying
to get PHP to automatically authenticate.
for example: I want to be able to call a url like this:
http://server.com/greendocks/locked/useradd.htm?user=blahpass=blahbut
this url is behind a http authentication. Is it possible to have this url
called by a php script?
And the second part of the question is can I do this process so it is
completely invisible to the user that this page has been called? Because of
course I don't want to allow users to have access to everything in my
control panel.
$host='server.com';
$url='/greendocks/locked/useradd.htm?user=blahpass=blah';
$authuser='foo'; // blah ?
$authpass='baz'; // blah ?
$authenc=base64_encode($authuser:$authpass);
$hdr =sprintf(GET %s HTTP/1.0\r\n, $url);
$hdr .=Accept: text/html\r\nAccept: text/plain\r\n;
$hdr .=User-Agent: Mozilla/1.0 (PHP spoof)\r\n;
$hdr .=Authorization: Basic $authenc\r\n\r\n;
$fp = fsockopen($host , 80, $errno, $errstr, 30);
if (!$fp) {
die $host open error: $errstr $errno .\n;
}
fputs($fp,$hdr);
while(!feof($fp)) {
$buff=fgets($fp,1024);
... do yer thang
}
fclose($fp);
Regards,
--
Don Read [EMAIL PROTECTED]
-- It's always darkest before the dawn. So if you are going to
steal the neighbor's newspaper, that's the time to do it.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] http authentication and php
I am trying to write a php script that will work around a http authentication that I do have access to. I am trying to do this so that a form process in my control panel can automatically have information sent to it from a form that a user will fill out. However, my problem is in trying to get PHP to automatically authenticate. for example: I want to be able to call a url like this: http://server.com/greendocks/locked/useradd.htm?user=blahpass=blahbut this url is behind a http authentication. Is it possible to have this url called by a php script? And the second part of the question is can I do this process so it is completely invisible to the user that this page has been called? Because of course I don't want to allow users to have access to everything in my control panel. Hopefully someone knows what I'm getting at. Thanks for any help you may be able to provide. Jeff
[PHP] HTTP authentication
Is there a way to force re-authentication without closing and re-opening the browser. Thanks Boris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] HTTP authentication
Won't sending a 401 header do the trick? ?php header(WWW-Authenticate: Basic realm='my realm'); header(HTTP/1.0 401 Unauthorized); ? Not sure, but worth a try. Cheers Jon -Original Message- From: Boris [mailto:[EMAIL PROTECTED]] Sent: 31 August 2001 13:08 To: [EMAIL PROTECTED] Subject: [PHP] HTTP authentication Is there a way to force re-authentication without closing and re-opening the browser. Thanks Boris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] ** 'The information included in this Email is of a confidential nature and is intended only for the addressee. If you are not the intended addressee, any disclosure, copying or distribution by you is prohibited and may be unlawful. Disclosure to any party other than the addressee, whether inadvertent or otherwise is not intended to waive privilege or confidentiality' ** -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP Authentication
Hi, I am using PHP to send a header to the browser requestiing authentication. On a successful login i am tracking inactivity by the client and want to expire the login once a timeout period is reached. Problem is if the session expires and the user just refreshes then the orignal login details are passed to the script. How do I get the client to forget the previous login details? Regards Jon -- Jon Farmer Systems Programmer, Entanet www.enta.net Tel 01952 428969 Mob 07968 524175 PGP Key available, send blank email to [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP Authentication and PHP
Hi all,
I've been playing around with PHP authentication via HTTP.
I'm using apache, and when i use the header('WWW_Auth...)
headers i get a username/password dialog pop up (as i wanted).
How do i get those values unset in the browser, so that i can get a user
to re authenticate ?
I need to get a user to re-auth part way through the use of the app i'm
writing becasue they are deleting files from a file system.
Also how would i allow them to logout and let someone else log in.
The docs seemed to imply that the headers command should have repopped the
auth box.
Jason
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP-Authentication
Hei! I have a script, where people can log-in to administrate a site, but once they are logged in, what do i have to do to log them out again? I thought to write a logout-script which deletes the $HTTP_AUTH_USER variable, but it doesn't work. It seems that the user-data remains in memory until the browser is restarted. Please Help! Peter -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP authentication logout
I am using HTTP authentication to restrict access to certain pages and I want to add a
logout option so that users must reauthenticate before being able to veiw the pages
again.
Here is the code I'm using to authenticate:
?
/* Test for username/password */
if(($PHP_AUTH_USER == $username) ($PHP_AUTH_PW == $password)){
startAdminPage();
endPage();
}
else{
/* Send headers to cause a browser to request username and password */
header(WWW-Authenticate: Basic realm=\Administrative Area\);
header(HTTP/1.0 401 Unauthorized);
/* Show failure text */
startPage();
print(PThis page requires a user name and password to view.P);
endPage();
}
?
For the logout option I tried just setting $PHP_AUTH_USER= and $PHP_AUTH_PW= but
that didn't work. Any ideas on how I can do this?
---
: David A. Dickson
: [EMAIL PROTECTED]
Get 250 color business cards for FREE!
http://businesscards.lycos.com/vp/fastpath/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP Authentication with PHP
I have configured mod_auth_pam for Apache and secured a directory with an .htaccess file: AuthType Basic AuthName Secure Area require group staff require user chris Now, I would like to control the local browser window's authentication cache via PHP. For example, how do I clear the cache of a browser window thereby forcing the user to log back in? I have tried: Header( WWW-authenticate: basic realm=Secure Area); Header( HTTP/1.0 401 Unauthorized); but this isn't clearing the cache. Regards, Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP Authentication with PHP
this seems to make my browsers not cache. header(Expires: Mon, 26 Jul 1997 05:00:00 GMT); header(Last-Modified: . gmdate(D, d M Y H:i:s) . GMT); header(Cache-Control: no-cache, must-revalidate); header(Pragma: no-cache); then add header(WWW-Authenticate: Basic realm='$SERVER_NAME' ); header(HTTP/1.0 401 Unauthorized); to pop up a login box. -- Chris Lee [EMAIL PROTECTED] Chris [EMAIL PROTECTED] wrote in message 9e06jc$jel$[EMAIL PROTECTED]">news:9e06jc$jel$[EMAIL PROTECTED]... I have configured mod_auth_pam for Apache and secured a directory with an .htaccess file: AuthType Basic AuthName Secure Area require group staff require user chris Now, I would like to control the local browser window's authentication cache via PHP. For example, how do I clear the cache of a browser window thereby forcing the user to log back in? I have tried: Header( WWW-authenticate: basic realm=Secure Area); Header( HTTP/1.0 401 Unauthorized); but this isn't clearing the cache. Regards, Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP authentication : logout!!!
On 07-May-01 Mauricio Souza Lima wrote:
snip
And you have to inform the user to clean the password field, click ok,
then the pop-up will open again, then user click in cancel.
I just know that way to do. If anyone know another way, Postit!
create a tmp directory
logoff.php3:
require('secure.php3');
authuser(Logoff); // validate user (possible Dos attack here)
$fname=tmp/$PHP_AUTH_USER;
touch($fname);
Header(Location: http://www.mydomain.com/index.html;);
-
secure.php3:
function checklogin($user,$pass='',$realm='') {
if (! dbInit()) {
echo \n\nBODYCENTER;
die(PH2Unable to contact database server/H2);
}
$fname=tmp/$user;
if (file_exists($fname)) {
unlink($fname);
return(false);
}
$query=select login from users
where login='$user' and password=PASSWORD('$pass');
// echo $query .'BR';
$result = mysql_query( $query);
$row = mysql_fetch_object($result);
if ($row) {
return(true);
}
return(false);
}
function authheader($realm) {
Header('WWW-authenticate: basic realm='.$realm .'');
Header('HTTP/1.0 401 Unauthorized');
echo \n\n;
}
function authuser($realm='Access') {
global $PHP_AUTH_USER, $PHP_AUTH_PW;
if (! (isset($PHP_AUTH_USER)) ) {
authheader($realm);
exit;
}
if (! (checklogin($PHP_AUTH_USER, $PHP_AUTH_PW, $realm)) ) {
authheader($realm);
echo 'CENTERFailed Login';
exit;
}
}
Regards,
--
Don Read [EMAIL PROTECTED]
-- It's always darkest before the dawn. So if you are going to
steal the neighbor's newspaper, that's the time to do it.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP authentication : logout!!!
Cool, you have found another way!
So the realm make diference? A user loged in a realm isn't the same in
other realm? Very cool...
Explain better your solution to us.
Regards,
Don Read wrote:
On 07-May-01 Mauricio Souza Lima wrote:
snip
And you have to inform the user to clean the password field, click ok,
then the pop-up will open again, then user click in cancel.
I just know that way to do. If anyone know another way, Postit!
create a tmp directory
logoff.php3:
require('secure.php3');
authuser(Logoff); // validate user (possible Dos attack here)
$fname=tmp/$PHP_AUTH_USER;
touch($fname);
Header(Location: http://www.mydomain.com/index.html;);
-
secure.php3:
function checklogin($user,$pass='',$realm='') {
if (! dbInit()) {
echo \n\nBODYCENTER;
die(PH2Unable to contact database server/H2);
}
$fname=tmp/$user;
if (file_exists($fname)) {
unlink($fname);
return(false);
}
$query=select login from users
where login='$user' and password=PASSWORD('$pass');
// echo $query .'BR';
$result = mysql_query( $query);
$row = mysql_fetch_object($result);
if ($row) {
return(true);
}
return(false);
}
function authheader($realm) {
Header('WWW-authenticate: basic realm='.$realm .'');
Header('HTTP/1.0 401 Unauthorized');
echo \n\n;
}
function authuser($realm='Access') {
global $PHP_AUTH_USER, $PHP_AUTH_PW;
if (! (isset($PHP_AUTH_USER)) ) {
authheader($realm);
exit;
}
if (! (checklogin($PHP_AUTH_USER, $PHP_AUTH_PW, $realm)) ) {
authheader($realm);
echo 'CENTERFailed Login';
exit;
}
}
Regards,
--
Don Read [EMAIL PROTECTED]
-- It's always darkest before the dawn. So if you are going to
steal the neighbor's newspaper, that's the time to do it.
--
Mauricio Souza Lima
Programador - Catho ONLINE
[EMAIL PROTECTED] www.catho.com.br
[EMAIL PROTECTED]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP authentication : logout!!!
On 08-May-01 Mauricio Souza Lima wrote:
Cool, you have found another way!
So the realm make diference? A user loged in a realm isn't the same in
other realm? Very cool...
Not quite, the realm is a string to present to the login dialog box
it has no effect on the credentials in this example.
But you could code such a thing.
Explain better your solution to us.
'Kay
logoff.php3:
$fname=tmp/$PHP_AUTH_USER;
touch($fname);
create a lockfile tmp/loginname
Header(Location: http://www.mydomain.com/index.html;);
send them to a non-protected page.
secure.php3:
function checklogin($user,$pass='',$realm='') {
here $realm is some unused glue for orthagonal function() calls
$fname=tmp/$user;
if (file_exists($fname)) {
check if tmp/loginname exists
unlink($fname); // delete it
return(false);
}
if we got this far, they either
1. didn't hit logoff
2. they did and already got the 401-(Re)Authenticate
$query=select login from users
where login='$user' and password=PASSWORD('$pass');
// echo $query .'BR';
$result = mysql_query( $query);
$row = mysql_fetch_object($result);
if ($row) {
return(true);
}
return(false);
}
Basically it's a spin-lock file that is checked on login ... could just as
easily be done as a shared semaphore, DB entry, whatever.
Regards,
--
Don Read [EMAIL PROTECTED]
-- It's always darkest before the dawn. So if you are going to
steal the neighbor's newspaper, that's the time to do it.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP authentication : logout!!!
On Mar 08 May 2001 02:07, you wrote: Never tried it though...but can you try to empty or unset the $PHP_AUTH_USER/PWD ? This doesn't work, thats why I use a login html page and sessions. :-) Saludos... :-) -- El mejor sistema operativo es aquel que te da de comer. Cuida tu dieta. - Martin Marques |[EMAIL PROTECTED] Programador, Administrador | Centro de Telematica Universidad Nacional del Litoral - -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] HTTP authentication : logout!!!
I must support this fashion of login and logout. I have never been able to find a way to clear the browser of the username and password. Once I combined sessions with a date and timestamp in the realm, it worked like a charm. Sincerely, Robert T. Covell President / Owner Rolet Internet Services, LLC Web: www.rolet.com Email: [EMAIL PROTECTED] Phone: 816.210.7145 Fax: 816.753.1952 -Original Message- From: Martín Marqués [mailto:[EMAIL PROTECTED]] Sent: Monday, May 07, 2001 2:13 AM To: elias Cc: [EMAIL PROTECTED] Subject: Re: [PHP] HTTP authentication : logout!!! On Mar 08 May 2001 02:07, you wrote: Never tried it though...but can you try to empty or unset the $PHP_AUTH_USER/PWD ? This doesn't work, thats why I use a login html page and sessions. :-) Saludos... :-) -- El mejor sistema operativo es aquel que te da de comer. Cuida tu dieta. - Martin Marques |[EMAIL PROTECTED] Programador, Administrador | Centro de Telematica Universidad Nacional del Litoral - -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP authentication : logout!!!
i'm using http authentication for my php pages
(members area). Once you login correctly, than you can
access anypage as the authentication box doesn't
pop-up.
Now i woul like to create a logout link after clicking
on which, whenever you click on a page using auth, the
auth box should pop-up again and you must feed in your
user/pass. What should this logout page contain? what
coding do i have to do?
From what i understand, there is a $auth which is
False by default. When auth is succesfull, it
contains True. And once it's true, the auth box
doesn't pop-up. I understand that probably clicking on
this logout link should again make $auth false. But
then $auth is on a lot of pages, how does this $auth
on logout.php3 make all the other $auth's false?
or is there some other way?
the code i'm using for auth is :
***
?php
$auth = false; // Assume user is not authenticated
if (isset( $PHP_AUTH_USER ) isset($PHP_AUTH_PW)) {
mysql_connect('localhost','root') or die (
'Unable to connect to server.' );
mysql_select_db( 'skynet' ) or die ( 'Unable
to select database.' );
// Formulate the query
$sql = SELECT * FROM register WHERE
username = '$PHP_AUTH_USER' AND
password = '$PHP_AUTH_PW';
// Execute the query and put results in $result
$result = mysql_query( $sql ) or die ( 'Unable to
execute query.' );
// Get number of rows in $result.
$num = mysql_numrows( $result );
if ( $num != 0 ) {
// A matching row was found - the user is
authenticated.
$auth = true;
}
}
if ( ! $auth ) {
header( 'WWW-Authenticate: Basic realm=Private'
);
header( 'HTTP/1.0 401 Unauthorized' );
echo 'Authorization Required.';
exit;
} else {
%%stuff 2 do%%
}
?
***
Regards,
T. Edison jr.
=
Rahul S. Johari (Director)
**
Abraxas Technologies Inc.
Homepage : http://www.abraxastech.com
Email : [EMAIL PROTECTED]
Tel : 91-4546512/4522124
***
__
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP authentication : logout!!!
Never tried it though...but can you try to empty or unset the
$PHP_AUTH_USER/PWD ?
-elias
http://www.eassoft.cjb.net
Thomas Edison Jr. [EMAIL PROTECTED] wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
i'm using http authentication for my php pages
(members area). Once you login correctly, than you can
access anypage as the authentication box doesn't
pop-up.
Now i woul like to create a logout link after clicking
on which, whenever you click on a page using auth, the
auth box should pop-up again and you must feed in your
user/pass. What should this logout page contain? what
coding do i have to do?
From what i understand, there is a $auth which is
False by default. When auth is succesfull, it
contains True. And once it's true, the auth box
doesn't pop-up. I understand that probably clicking on
this logout link should again make $auth false. But
then $auth is on a lot of pages, how does this $auth
on logout.php3 make all the other $auth's false?
or is there some other way?
the code i'm using for auth is :
***
?php
$auth = false; // Assume user is not authenticated
if (isset( $PHP_AUTH_USER ) isset($PHP_AUTH_PW)) {
mysql_connect('localhost','root') or die (
'Unable to connect to server.' );
mysql_select_db( 'skynet' ) or die ( 'Unable
to select database.' );
// Formulate the query
$sql = SELECT * FROM register WHERE
username = '$PHP_AUTH_USER' AND
password = '$PHP_AUTH_PW';
// Execute the query and put results in $result
$result = mysql_query( $sql ) or die ( 'Unable to
execute query.' );
// Get number of rows in $result.
$num = mysql_numrows( $result );
if ( $num != 0 ) {
// A matching row was found - the user is
authenticated.
$auth = true;
}
}
if ( ! $auth ) {
header( 'WWW-Authenticate: Basic realm=Private'
);
header( 'HTTP/1.0 401 Unauthorized' );
echo 'Authorization Required.';
exit;
} else {
%%stuff 2 do%%
}
?
***
Regards,
T. Edison jr.
=
Rahul S. Johari (Director)
**
Abraxas Technologies Inc.
Homepage : http://www.abraxastech.com
Email : [EMAIL PROTECTED]
Tel : 91-4546512/4522124
***
__
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP authentication : logout!!!
It dont work, what you have to do is that:
In the logout.php:
--
?
header( 'WWW-Authenticate: Basic realm=Private');
header( 'HTTP/1.0 401 Unauthorized' );
?
htmlbody
Logout Sucessful
/body/html
--
And you have to inform the user to clean the password field, click ok,
then the pop-up will open again, then user click in cancel.
I just know that way to do. If anyone know another way, Postit!
elias wrote:
Never tried it though...but can you try to empty or unset the
$PHP_AUTH_USER/PWD ?
-elias
http://www.eassoft.cjb.net
Thomas Edison Jr. [EMAIL PROTECTED] wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
i'm using http authentication for my php pages
(members area). Once you login correctly, than you can
access anypage as the authentication box doesn't
pop-up.
Now i woul like to create a logout link after clicking
on which, whenever you click on a page using auth, the
auth box should pop-up again and you must feed in your
user/pass. What should this logout page contain? what
coding do i have to do?
From what i understand, there is a $auth which is
False by default. When auth is succesfull, it
contains True. And once it's true, the auth box
doesn't pop-up. I understand that probably clicking on
this logout link should again make $auth false. But
then $auth is on a lot of pages, how does this $auth
on logout.php3 make all the other $auth's false?
or is there some other way?
the code i'm using for auth is :
***
?php
$auth = false; // Assume user is not authenticated
if (isset( $PHP_AUTH_USER ) isset($PHP_AUTH_PW)) {
mysql_connect('localhost','root') or die (
'Unable to connect to server.' );
mysql_select_db( 'skynet' ) or die ( 'Unable
to select database.' );
// Formulate the query
$sql = SELECT * FROM register WHERE
username = '$PHP_AUTH_USER' AND
password = '$PHP_AUTH_PW';
// Execute the query and put results in $result
$result = mysql_query( $sql ) or die ( 'Unable to
execute query.' );
// Get number of rows in $result.
$num = mysql_numrows( $result );
if ( $num != 0 ) {
// A matching row was found - the user is
authenticated.
$auth = true;
}
}
if ( ! $auth ) {
header( 'WWW-Authenticate: Basic realm=Private'
);
header( 'HTTP/1.0 401 Unauthorized' );
echo 'Authorization Required.';
exit;
} else {
%%stuff 2 do%%
}
?
***
Regards,
T. Edison jr.
=
Rahul S. Johari (Director)
**
Abraxas Technologies Inc.
Homepage : http://www.abraxastech.com
Email : [EMAIL PROTECTED]
Tel : 91-4546512/4522124
***
__
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/
--
Mauricio Souza Lima
Programador - Catho ONLINE
[EMAIL PROTECTED] www.catho.com.br
[EMAIL PROTECTED]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] HTTP authentication : logout!!!
$PHP_AUTH_USER = ; $PHP_AUTH_PW = ; Ought to do it. From: Thomas Edison Jr. [mailto:[EMAIL PROTECTED]] Sent: Monday, May 07, 2001 8:39 AM To: [EMAIL PROTECTED] Subject: [PHP] HTTP authentication : logout!!! Now i woul like to create a logout link after clicking on which, whenever you click on a page using auth, the auth box should pop-up again and you must feed in your user/pass. What should this logout page contain? what coding do i have to do? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] HTTP authentication : logout!!!
I to have never been happy with the way PHP handles actual secure sessions. GameDesign was written to entirely use session based access. Both the main user site, and the admin backend use it, and it works quite well. - John Vanderbeck - Admin, GameDesign (http://gamedesign.incagold.com/) - GameDesign, the industry source for game design and development issues -Original Message- From: Robert Covell [mailto:[EMAIL PROTECTED]] Sent: Monday, May 07, 2001 9:14 AM To: Martín Marqués; elias Cc: [EMAIL PROTECTED] Subject: RE: [PHP] HTTP authentication : logout!!! I must support this fashion of login and logout. I have never been able to find a way to clear the browser of the username and password. Once I combined sessions with a date and timestamp in the realm, it worked like a charm. Sincerely, Robert T. Covell President / Owner Rolet Internet Services, LLC Web: www.rolet.com Email: [EMAIL PROTECTED] Phone: 816.210.7145 Fax: 816.753.1952 -Original Message- From: Martín Marqués [mailto:[EMAIL PROTECTED]] Sent: Monday, May 07, 2001 2:13 AM To: elias Cc: [EMAIL PROTECTED] Subject: Re: [PHP] HTTP authentication : logout!!! On Mar 08 May 2001 02:07, you wrote: Never tried it though...but can you try to empty or unset the $PHP_AUTH_USER/PWD ? This doesn't work, thats why I use a login html page and sessions. :-) Saludos... :-) -- El mejor sistema operativo es aquel que te da de comer. Cuida tu dieta. - Martin Marques |[EMAIL PROTECTED] Programador, Administrador | Centro de Telematica Universidad Nacional del Litoral - -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP authentication for username password
How can I use the HTTP authentication which pops up that little box in the screen asking for username password for giving access to a page in PHP? regards, T.Edison jr. = Rahul S. Johari (Director) ** Abraxas Technologies Inc. Homepage : http://www.abraxastech.com Email : [EMAIL PROTECTED] Tel : 91-4546512/4522124 *** __ Do You Yahoo!? Yahoo! Auctions - buy the things you want at great prices http://auctions.yahoo.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] HTTP authentication for username password
Superb tutorial on Zend: http://www.zend.com/zend/tut/authentication.php HTH Jon -Original Message- From: Thomas Edison Jr. [mailto:[EMAIL PROTECTED]] Sent: 26 April 2001 13:03 To: [EMAIL PROTECTED] Subject: [PHP] HTTP authentication for username password How can I use the HTTP authentication which pops up that little box in the screen asking for username password for giving access to a page in PHP? ** 'The information included in this Email is of a confidential nature and is intended only for the addressee. If you are not the intended addressee, any disclosure, copying or distribution by you is prohibited and may be unlawful. Disclosure to any party other than the addressee, whether inadvertent or otherwise is not intended to waive privilege or confidentiality' ** -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP authentication
On Wed, Feb 14, 2001 at 11:07:46PM -0800, Thomas Edison Jr. wrote:
The code I'm entering is:
?php
if(!isset($PHP_AUTH_USER)) {
Header("WWW-Authenticate: Basic realm=\"My Realm\"");
Header("HTTP/1.0 401 Unauthorized");
echo "Text to send if user hits Cancel button\n";
exit;
} else {
echo "Hello $PHP_AUTH_USER.P";
echo "You entered $PHP_AUTH_PW as your password.P";
}
?
I'm not sure what is wrong. I copied and pasted this onto my system and
it works just fine.
--
Jason Stechschulte
[EMAIL PROTECTED]
--
Soitainly. I was assuming that came with the OO-ness of it.
-- Larry Wall in [EMAIL PROTECTED]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP authentication
I'm sure this wont' help, but just in case you may have missed the obvious
(it happens sometimesg)..Make sure you PHP script has the extension .PHP
.. The server won't recognize it as a PHP file otherwise, and it won't know
what to do with it. Also this extension has to be registred properly on the
server, but that is beyond me.
- John Vanderbeck
- Admin, GameDesign
- Original Message -
From: "Thomas Edison Jr." [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, February 15, 2001 2:07 AM
Subject: [PHP] HTTP authentication
I was browsing thru the http authentication method
given thru the header() function in the manual. I
tried it out but it's not giving me the pop-up window
asking me the username and password and is only
writing the text given in the code on the page.
I'm using win98 and otherwise use sun solaris. Does
this function work on these two OS?
I have to write a code that checks each time a user
enters a page, his previously entered user/pwd so as
to prevent anyone from entering the page if he knows
and writes the page's URL in the address bar. I've
used the same authentication method in ASP before for
the same. Can I use it in my OS using PHP?
The code I'm entering is:
?php
if(!isset($PHP_AUTH_USER)) {
Header("WWW-Authenticate: Basic realm=\"My Realm\"");
Header("HTTP/1.0 401 Unauthorized");
echo "Text to send if user hits Cancel button\n";
exit;
} else {
echo "Hello $PHP_AUTH_USER.P";
echo "You entered $PHP_AUTH_PW as your password.P";
}
?
Regards,
T.Edison jr.
=
Rahul S. Johari (Director)
**
Abraxas Technologies Inc.
Homepage : http://www.abraxastech.com
Email : [EMAIL PROTECTED]
Tel : 91-4546512/4522124
***
__
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail - only $35
a year! http://personal.mail.yahoo.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP Authentication not getting unset
Hey all, New problem. I really hope there's something simple to do to fix it. Check out this scenario and tell me if there's a step that I'm missing. Inside my common footer on my site the very first call is to an include called UserAuth.inc.php. UserAuth.inc.php checks $REQUEST_URI to see if the present directory or URL is protected or not. If it is protected then it checks to see if $PHP_AUTH_USER is set. If it is then it runs through the usual HTTP Authentication. If it fails it goes to a failure page, if it succeeds then it logs the user in. Now I can surf around on the site and that same authentication will continue to be used for the rest of the site where ever another protected directory or file is found (as to be expected). Now to logout I have a page called logout.php. If you go to this page (which also includes the same footer) there is another action that takes place. If the $REQUEST_URI contains logout.php then I print the same "401" header that I print for authentication and unset $PHP_AUTH_USER, $PHP_AUTH_PW and $AUTH_USER. $AUTH_USER is the user authentication object in my class file UserAuth.class.php. I'm just unsetting this so that no code will still have record of the old authentication object to do anything with. Now if I try to read the $PHP_AUTH_USER or $PHP_AUTH_PW variables anyplace on the site they don't exist, until I go back to one of the protected pages. Then they miraculously re-appear and are readily available once again without requiring the user to log back in. If you've got any ideas, suggestions, guesses or references, please reply. I've run out of ideas. I can also provide the code that I'm using if you think it might just be a problem with my logic. I don't think this is the case as I shouldn't be able to read any variable that has been unset, but like I said, I'm running out of ideas. System: RedHat 6.1-6 i686 Kernel 2.2.13 Server: Apache 1.3.12 PHP: 4.0.3pl1 Thanks, Toby
Re: [PHP] HTTP Authentication not getting unset
Sorry, I meant common header, not footer. Inside my common "header" on my site .. (which also includes the same "header") ... - Original Message - From: "Toby Miller" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, February 14, 2001 10:37 AM Subject: [PHP] HTTP Authentication not getting unset Hey all, New problem. I really hope there's something simple to do to fix it. Check out this scenario and tell me if there's a step that I'm missing. Inside my common footer on my site the very first call is to an include called UserAuth.inc.php. UserAuth.inc.php checks $REQUEST_URI to see if the present directory or URL is protected or not. If it is protected then it checks to see if $PHP_AUTH_USER is set. If it is then it runs through the usual HTTP Authentication. If it fails it goes to a failure page, if it succeeds then it logs the user in. Now I can surf around on the site and that same authentication will continue to be used for the rest of the site where ever another protected directory or file is found (as to be expected). Now to logout I have a page called logout.php. If you go to this page (which also includes the same footer) there is another action that takes place. If the $REQUEST_URI contains logout.php then I print the same "401" header that I print for authentication and unset $PHP_AUTH_USER, $PHP_AUTH_PW and $AUTH_USER. $AUTH_USER is the user authentication object in my class file UserAuth.class.php. I'm just unsetting this so that no code will still have record of the old authentication object to do anything with. Now if I try to read the $PHP_AUTH_USER or $PHP_AUTH_PW variables anyplace on the site they don't exist, until I go back to one of the protected pages. Then they miraculously re-appear and are readily available once again without requiring the user to log back in. If you've got any ideas, suggestions, guesses or references, please reply. I've run out of ideas. I can also provide the code that I'm using if you think it might just be a problem with my logic. I don't think this is the case as I shouldn't be able to read any variable that has been unset, but like I said, I'm running out of ideas. System: RedHat 6.1-6 i686 Kernel 2.2.13 Server: Apache 1.3.12 PHP: 4.0.3pl1 Thanks, Toby -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP Authentication not getting unset
Ive found the same thing and currently do not have a workaround, it seems that browsers cache this. one method Ive thought of and never tested is to set a session variable, cross reference that SessionID, PHP_AUTH_PW, PHP_AUTH_USER are all valid, if not then your not loged in correctly. to log out just unset SessionID. any future pages will not load. even if the PW/USER are valid the Session wouldnt. If the browser has cookies disabled, you have compiled php with --trans-sid, and the user uses the back button the user would still be able to view cached pages. you might want to put some fancy no-cache headers in there somewhere and hope the browser supports them. you might even want to impliment a time based system, set the SessionID = time() on every header; but first check if the current SessionID 30min old then invalid login vs updateing SessionID to equal current time() This would prevent anyone from viewing cached pages more then 30min old and force them to re-login -- Chris Lee Mediawaveonline.com em. [EMAIL PROTECTED] ph. 250.377.1095 ph. 250.376.2690 fx. 250.554.1120 ""Toby Miller"" [EMAIL PROTECTED] wrote in message 006901c0969f$cfcf2700$[EMAIL PROTECTED]">news:006901c0969f$cfcf2700$[EMAIL PROTECTED]... Sorry, I meant common header, not footer. Inside my common "header" on my site .. (which also includes the same "header") ... - Original Message - From: "Toby Miller" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, February 14, 2001 10:37 AM Subject: [PHP] HTTP Authentication not getting unset Hey all, New problem. I really hope there's something simple to do to fix it. Check out this scenario and tell me if there's a step that I'm missing. Inside my common footer on my site the very first call is to an include called UserAuth.inc.php. UserAuth.inc.php checks $REQUEST_URI to see if the present directory or URL is protected or not. If it is protected then it checks to see if $PHP_AUTH_USER is set. If it is then it runs through the usual HTTP Authentication. If it fails it goes to a failure page, if it succeeds then it logs the user in. Now I can surf around on the site and that same authentication will continue to be used for the rest of the site where ever another protected directory or file is found (as to be expected). Now to logout I have a page called logout.php. If you go to this page (which also includes the same footer) there is another action that takes place. If the $REQUEST_URI contains logout.php then I print the same "401" header that I print for authentication and unset $PHP_AUTH_USER, $PHP_AUTH_PW and $AUTH_USER. $AUTH_USER is the user authentication object in my class file UserAuth.class.php. I'm just unsetting this so that no code will still have record of the old authentication object to do anything with. Now if I try to read the $PHP_AUTH_USER or $PHP_AUTH_PW variables anyplace on the site they don't exist, until I go back to one of the protected pages. Then they miraculously re-appear and are readily available once again without requiring the user to log back in. If you've got any ideas, suggestions, guesses or references, please reply. I've run out of ideas. I can also provide the code that I'm using if you think it might just be a problem with my logic. I don't think this is the case as I shouldn't be able to read any variable that has been unset, but like I said, I'm running out of ideas. System: RedHat 6.1-6 i686 Kernel 2.2.13 Server: Apache 1.3.12 PHP: 4.0.3pl1 Thanks, Toby -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP Authentication not getting unset
Chris, I was afraid of that. I do have a contingency plan that is very similar to what you suggested. Since this is all already interacting with the database I'm just going to set a timestamp in the database in that users record and use that to determine if someone is logged in or not. This would also give me the added benefit of expiring sessions after a set period of inactivity. Then the login will require that PHP_AUTH_USER, PHP_AUTH_PW, and the session timestamp are all valid. This should take care of the problem. Unfortunately, the back button will still allow users to see cached pages from logged in sessions, but I guess you can't have everything. :-) Thanks, Toby - Original Message - From: "Chris Lee" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, February 14, 2001 11:44 AM Subject: Re: [PHP] HTTP Authentication not getting unset Ive found the same thing and currently do not have a workaround, it seems that browsers cache this. one method Ive thought of and never tested is to set a session variable, cross reference that SessionID, PHP_AUTH_PW, PHP_AUTH_USER are all valid, if not then your not loged in correctly. to log out just unset SessionID. any future pages will not load. even if the PW/USER are valid the Session wouldnt. If the browser has cookies disabled, you have compiled php with --trans-sid, and the user uses the back button the user would still be able to view cached pages. you might want to put some fancy no-cache headers in there somewhere and hope the browser supports them. you might even want to impliment a time based system, set the SessionID = time() on every header; but first check if the current SessionID 30min old then invalid login vs updateing SessionID to equal current time() This would prevent anyone from viewing cached pages more then 30min old and force them to re-login -- Chris Lee Mediawaveonline.com em. [EMAIL PROTECTED] ph. 250.377.1095 ph. 250.376.2690 fx. 250.554.1120 ""Toby Miller"" [EMAIL PROTECTED] wrote in message 006901c0969f$cfcf2700$[EMAIL PROTECTED]">news:006901c0969f$cfcf2700$[EMAIL PROTECTED]... Sorry, I meant common header, not footer. Inside my common "header" on my site .. (which also includes the same "header") ... - Original Message - From: "Toby Miller" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, February 14, 2001 10:37 AM Subject: [PHP] HTTP Authentication not getting unset Hey all, New problem. I really hope there's something simple to do to fix it. Check out this scenario and tell me if there's a step that I'm missing. Inside my common footer on my site the very first call is to an include called UserAuth.inc.php. UserAuth.inc.php checks $REQUEST_URI to see if the present directory or URL is protected or not. If it is protected then it checks to see if $PHP_AUTH_USER is set. If it is then it runs through the usual HTTP Authentication. If it fails it goes to a failure page, if it succeeds then it logs the user in. Now I can surf around on the site and that same authentication will continue to be used for the rest of the site where ever another protected directory or file is found (as to be expected). Now to logout I have a page called logout.php. If you go to this page (which also includes the same footer) there is another action that takes place. If the $REQUEST_URI contains logout.php then I print the same "401" header that I print for authentication and unset $PHP_AUTH_USER, $PHP_AUTH_PW and $AUTH_USER. $AUTH_USER is the user authentication object in my class file UserAuth.class.php. I'm just unsetting this so that no code will still have record of the old authentication object to do anything with. Now if I try to read the $PHP_AUTH_USER or $PHP_AUTH_PW variables anyplace on the site they don't exist, until I go back to one of the protected pages. Then they miraculously re-appear and are readily available once again without requiring the user to log back in. If you've got any ideas, suggestions, guesses or references, please reply. I've run out of ideas. I can also provide the code that I'm using if you think it might just be a problem with my logic. I don't think this is the case as I shouldn't be able to read any variable that has been unset, but like I said, I'm running out of ideas. System: RedHat 6.1-6 i686 Kernel 2.2.13 Server: Apache 1.3.12 PHP: 4.0.3pl1 Thanks, Toby -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP Authentication not getting unset
El Mi 14 Feb 2001 12:37, Toby Miller escribi: Hey all, Hi, This is far to long, so I'll strip a part of it. Now if I try to read the $PHP_AUTH_USER or $PHP_AUTH_PW variables anyplace on the site they don't exist, until I go back to one of the protected pages. Then they miraculously re-appear and are readily available once again without requiring the user to log back in. Yes, thats because the browser saves those variables (very bad idea, but what can I say... I didn't write the code of netscape or IE). At this moment I just finished coding a session login, logout hack. So I will suggest you to read about sessions, read some articles in phpbuilder, phpwizard and the documentation. Saludos... :-) -- System Administration: It's a dirty job, but someone told I had to do it. - Martn Marqus email: [EMAIL PROTECTED] Santa Fe - Argentinahttp://math.unl.edu.ar/~martin/ Administrador de sistemas en math.unl.edu.ar - -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP Authentication not getting unset
El Mi 14 Feb 2001 13:44, Chris Lee escribi: Ive found the same thing and currently do not have a workaround, it seems that browsers cache this. one method Ive thought of and never tested is to set a session variable, cross reference that SessionID, PHP_AUTH_PW, PHP_AUTH_USER are all valid, if not then your not loged in correctly. to log out just unset SessionID. any future pages will not load. even if the PW/USER are valid the Session wouldnt. Don't unset the session ID, just destroy the session with session_destroy(). If the browser has cookies disabled, you have compiled php with --trans-sid, and the user uses the back button the user would still be able to view cached pages. you might want to put some fancy no-cache headers in there somewhere and hope the browser supports them. This feature is pretty cool. If it can't but a cookie in the browser, it expands the URL with the SID, which is all you need, because the variables you register are on the server side (file, database). Saludos... :-) -- System Administration: It's a dirty job, but someone told I had to do it. - Martn Marqus email: [EMAIL PROTECTED] Santa Fe - Argentinahttp://math.unl.edu.ar/~martin/ Administrador de sistemas en math.unl.edu.ar - -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP Authentication not getting unset
El Mi 14 Feb 2001 13:04, Toby Miller escribi: Sorry, I meant common header, not footer. Inside my common "header" on my site .. (which also includes the same "header") ... Don't worry, I understood it. ;-) -- System Administration: It's a dirty job, but someone told I had to do it. - Martn Marqus email: [EMAIL PROTECTED] Santa Fe - Argentinahttp://math.unl.edu.ar/~martin/ Administrador de sistemas en math.unl.edu.ar - -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP Authentication w/IIS
OK, I loaded PHP with the ISAPI filter, but still no luck with authentication.. Did you reboot? It is Windows... I think ?php phpinfo();? will tell you if you are actually using ISAPI or CGI or not... Maybe. -- Visit the Zend Store at http://www.zend.com/store/ Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm Volunteer a little time: http://chatmusic.com/volunteer.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP Authentication
Hi, all.
HTTP Authentication in PHP 4 - Apache don't work!!!
Help me.
Best.
__
?php
if(!isset($PHP_AUTH_USER)) {
Header("WWW-Authenticate: Basic realm=\"My Realm\"");
Header("HTTP/1.0 401 Unauthorized");
echo "Text to send if user hits Cancel button\n";
exit;
} else {
echo "Hello $PHP_AUTH_USER.P";
echo "You entered $PHP_AUTH_PW as your password.P";
}
?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP Authentication
Nick,
I'm not sure were you are getting the value of $PHP_AUTH_USER from, so you
might want to try this snippet. This causes a dialog box to open and ask for
a username/password.
Also, in your code: you do not need to escape the quotes in the header.
?
// Check to see if $PHP_AUTH_USER already contains info
if (!isset($PHP_AUTH_USER)) {
// If empty, send header causing dialog box to appear
header('WWW-Authenticate: Basic realm="Whatever You want to say"');
header('HTTP/1.0 401 Unauthorized');
echo 'Authorization Required!';
exit;
} else if (isset($PHP_AUTH_USER)) {
if (($PHP_AUTH_USER !="abc") || ($PHP_AUTH_PW !="123")) {
header('WWW-Authenticate: Basic realm="Whatever You want to say"');
header('HTTP/1.0 401 Unauthorized');
echo 'Authorization Required!';
exit;
} else {
// Start echo statement
echo "hello";
}
}
?
- Original Message -
From: "Nick Kostirya" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, February 07, 2001 10:27 AM
Subject: [PHP] HTTP Authentication
Hi, all.
HTTP Authentication in PHP 4 - Apache don't work!!!
Help me.
Best.
__
?php
if(!isset($PHP_AUTH_USER)) {
Header("WWW-Authenticate: Basic realm=\"My Realm\"");
Header("HTTP/1.0 401 Unauthorized");
echo "Text to send if user hits Cancel button\n";
exit;
} else {
echo "Hello $PHP_AUTH_USER.P";
echo "You entered $PHP_AUTH_PW as your password.P";
}
?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP Authentication - Message 2
Dear Shane,
Thanks for response.
But when I use PHP3 and Apache than all is good.
And when I use PHP4 (!!!) and Apache than Apache don't understanding header
('HTTP/1.0 401 Unauthorized'), and Apache's "error.log" consist of "Bad
header=HTTP/1.0 401 Unauthorized: d:/program files/php/php.exe".
Do you know what is the matter?
Thanks in advance.
Nick.
- Original Message -
From: Shane McBride [EMAIL PROTECTED]
To: Nick Kostirya [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, February 07, 2001 7:06 PM
Subject: Re: [PHP] HTTP Authentication
Nick,
I'm not sure were you are getting the value of $PHP_AUTH_USER from, so you
might want to try this snippet. This causes a dialog box to open and ask
for
a username/password.
Also, in your code: you do not need to escape the quotes in the header.
?
// Check to see if $PHP_AUTH_USER already contains info
if (!isset($PHP_AUTH_USER)) {
// If empty, send header causing dialog box to appear
header('WWW-Authenticate: Basic realm="Whatever You want to say"');
header('HTTP/1.0 401 Unauthorized');
echo 'Authorization Required!';
exit;
} else if (isset($PHP_AUTH_USER)) {
if (($PHP_AUTH_USER !="abc") || ($PHP_AUTH_PW !="123")) {
header('WWW-Authenticate: Basic realm="Whatever You want to say"');
header('HTTP/1.0 401 Unauthorized');
echo 'Authorization Required!';
exit;
} else {
// Start echo statement
echo "hello";
}
}
?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP Authentication w/IIS
OK, I loaded PHP with the ISAPI filter, but still no luck with authentication..
Here's the basic script that works on Apache/Linux:
?
// File name: admin_menu.php
// Check to see if $PHP_AUTH_USER already contains info
if (!isset($PHP_AUTH_USER)) {
// If empty, send header causing dialog box to appear
header('WWW-Authenticate: Basic realm="The Back Care Center Admin Area"');
header('HTTP/1.0 401 Unauthorized');
echo 'Authorization Required!';
exit;
} else if (isset($PHP_AUTH_USER)) {
if (($PHP_AUTH_USER !="test") || ($PHP_AUTH_PW !="123")) {
header('WWW-Authenticate: Basic realm="The Back Care Center Admin Area"');
header('HTTP/1.0 401 Unauthorized');
echo 'Authorization Required!';
exit;
} else {
// Start echo statement
echo "hello";
}
}
?
