Re: [PHP] Re: Authentication with PHP and HTTP
Just never do it, period... that is the best habit to have... That is poor coding on the programmer's part...

On Fri, 2002-11-15 at 00:59, Maxim Maletsky wrote:
> using this method for a production environment is incredibly vulnerable.
> Just think of having a link on that page to some other site (or even having
> a third-party banner displayed) on which there is a hit counter (and on
> 90% there are) those can simply read the link in their logs.
>
> Never ever use it if security is of a minimum importance or you're
> completely sure you know what you do.
>
> --
> Maxim Maletsky
> [EMAIL PROTECTED]
>
> On Tue, 5 Nov 2002 02:04:52 +0100 "silver" <[EMAIL PROTECTED]> wrote:
>
> > hi - I'm not quite sure if this will help you, but let's give it a try:
> >
> > you could use this URL syntax:
> > http://user:password@www.site.com to automatically log your user in to the
> > htaccess protected area. the bad thing about it is that user / password show
> > up in the URL, but you could hide this information with using frames...
> > are PHP/MySQL usernames + passwords the same like in Apache/HTTP?
> >
> > greets,
> > _andi
> >
> > "Phillip Erskine" <[EMAIL PROTECTED]> wrote in message
> > news:F13i7M4BAyxJMXehYSo4e46@hotmail.com...
> > >
> > > I have a site that uses PHP/MySQL authentication for one section and
> > > Apache/HTTP authentication for another. Eventually I would like to use only
> > > PHP and MySQL for authenticating users, but in the meantime, I have to use
> > > both.
> > >
> > > First, users will log in to the main section of the site and I will use PHP
> > > session variables to maintain state for that section. What I would like to
> > > be able to do is allow users to click a link that would redirect them to the
> > > other section of the site and automatically log them in.
> > >
> > > The section of the site that users will be redirected to uses .htaccess and
> > > .htpassword files to enforce HTTP authentication.
> > >
> > > Is this possible? If so, how?
> > >
> > > http://www.pverskine.com/

--
.: B i g D o g :.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Authentication with PHP and HTTP
using this method for a production environment is incredibly vulnerable.
Just think of having a link on that page to some other site (or even having
a third-party banner displayed) on which there is a hit counter (and on
90% there are) those can simply read the link in their logs.

Never ever use it if security is of a minimum importance or you're
completely sure you know what you do.

--
Maxim Maletsky
[EMAIL PROTECTED]

On Tue, 5 Nov 2002 02:04:52 +0100 "silver" <[EMAIL PROTECTED]> wrote:

> hi - I'm not quite sure if this will help you, but let's give it a try:
>
> you could use this URL syntax:
> http://user:password@www.site.com to automatically log your user in to the
> htaccess protected area. the bad thing about it is that user / password show
> up in the URL, but you could hide this information with using frames...
> are PHP/MySQL usernames + passwords the same like in Apache/HTTP?
>
> greets,
> _andi
>
> "Phillip Erskine" <[EMAIL PROTECTED]> wrote in message
> news:F13i7M4BAyxJMXehYSo4e46@hotmail.com...
> >
> > I have a site that uses PHP/MySQL authentication for one section and
> > Apache/HTTP authentication for another. Eventually I would like to use only
> > PHP and MySQL for authenticating users, but in the meantime, I have to use
> > both.
> >
> > First, users will log in to the main section of the site and I will use PHP
> > session variables to maintain state for that section. What I would like to
> > be able to do is allow users to click a link that would redirect them to the
> > other section of the site and automatically log them in.
> >
> > The section of the site that users will be redirected to uses .htaccess and
> > .htpassword files to enforce HTTP authentication.
> >
> > Is this possible? If so, how?
> >
> > http://www.pverskine.com/
Re: [PHP] Re: Authentication with PHP and HTTP
I've tried both methods without success.

    header("Location: http://(user):(pass)@www.mysite.com");

does the transfer but I still get prompted for a username and password by Apache.

    readfile("http://(user):(pass)@www.mysite.com");

brings a warning message.

    Warning: readfile("http://...@www.mysite.com/") - Success in redirect.php on line 2

It's a warning but says Success?

Ed

On Mon, 4 Nov 2002, Chris Shiflett wrote:

> You can "hide" URLs by fetching them with one of your own PHP scripts:
>
> <?php
> readfile("http://user:password@www.site.com/");
> ?>
>
> I think it might be at least better than frames. :-)
>
> Chris
>
> silver wrote:
>
> >you could use this URL syntax:
> >http://user:password@www.site.com to automatically log your user in to the
> >htaccess protected area. the bad thing about it is that user / password show
> >up in the URL, but you could hide this information with using frames...
> >are PHP/MySQL usernames + passwords the same like in Apache/HTTP?
Re: [PHP] Re: Authentication with PHP and HTTP
very true :) thx - I will keep that in mind...

"Chris Shiflett" <[EMAIL PROTECTED]> wrote in message
news:3DC71CBE.2050703@php.net...
> You can "hide" URLs by fetching them with one of your own PHP scripts:
>
> <?php
> readfile("http://user:password@www.site.com/");
> ?>
>
> I think it might be at least better than frames. :-)
>
> Chris
>
> silver wrote:
>
> >you could use this URL syntax:
> >http://user:password@www.site.com to automatically log your user in to the
> >htaccess protected area. the bad thing about it is that user / password show
> >up in the URL, but you could hide this information with using frames...
> >are PHP/MySQL usernames + passwords the same like in Apache/HTTP?
Re: [PHP] Re: Authentication with PHP and HTTP
You can "hide" URLs by fetching them with one of your own PHP scripts:

    <?php
    readfile("http://user:password@www.site.com/");
    ?>

I think it might be at least better than frames. :-)

Chris

silver wrote:

>you could use this URL syntax:
>http://user:password@www.site.com to automatically log your user in to the
>htaccess protected area. the bad thing about it is that user / password show
>up in the URL, but you could hide this information with using frames...
>are PHP/MySQL usernames + passwords the same like in Apache/HTTP?
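An added example, not part of the original thread: a server-side fetch like the one in the message above, but gated on the PHP session and sending the HTTP credentials in an Authorization header rather than in the URL, so nothing reaches the browser's address bar or a third party's Referer logs. The session key, environment variable names, base URL and page-name pattern are assumptions.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical bridge script on the PHP-authenticated side of the site.
session_start();

// Only users already logged in via the PHP/MySQL section may pass ('user_id' is an assumed key).
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not logged in');
}

// Assumed configuration: one service account for the .htaccess area, kept out of code and URLs.
$base = 'https://www.site.com/protected/';
$user = getenv('HTACCESS_USER');
$pass = getenv('HTACCESS_PASS');
if ($user === false || $pass === false) {
    http_response_code(500);
    exit('Bridge not configured');
}

// Accept only a plain file name so the request cannot be steered to another host or path.
$page = $_GET['page'] ?? 'index.html';
if (!is_string($page) || !preg_match('/\A[A-Za-z0-9_-]+\.html\z/', $page)) {
    http_response_code(400);
    exit('Bad page name');
}

// The credentials travel only in the header of this server-to-server request.
$context = stream_context_create(['http' => [
    'method' => 'GET',
    'header' => 'Authorization: Basic ' . base64_encode($user . ':' . $pass) . "\r\n",
    'timeout' => 5,
    'follow_location' => 0, // do not follow redirects to other locations
]]);
$body = @file_get_contents($base . $page, false, $context);
if ($body === false) {
    http_response_code(502);
    exit('Upstream request failed');
}

// Ask the browser not to send a Referer from links or banners on the returned page.
header('Referrer-Policy: no-referrer');
header('Content-Type: text/html; charset=utf-8');
echo $body;
```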
[PHP] Re: Authentication with PHP and HTTP
hi - I'm not quite sure if this will help you, but let's give it a try:

you could use this URL syntax:
http://user:password@www.site.com to automatically log your user in to the
htaccess protected area. the bad thing about it is that user / password show
up in the URL, but you could hide this information with using frames...
are PHP/MySQL usernames + passwords the same like in Apache/HTTP?

greets,
_andi

"Phillip Erskine" <[EMAIL PROTECTED]> wrote in message
news:F13i7M4BAyxJMXehYSo4e46@hotmail.com...
>
> I have a site that uses PHP/MySQL authentication for one section and
> Apache/HTTP authentication for another. Eventually I would like to use only
> PHP and MySQL for authenticating users, but in the meantime, I have to use
> both.
>
> First, users will log in to the main section of the site and I will use PHP
> session variables to maintain state for that section. What I would like to
> be able to do is allow users to click a link that would redirect them to the
> other section of the site and automatically log them in.
>
> The section of the site that users will be redirected to uses .htaccess and
> .htpassword files to enforce HTTP authentication.
>
> Is this possible? If so, how?
>
> http://www.pverskine.com/