Re: [PHP] authentication issue...

[Jason Pruim]

On May 29, 2010, at 12:02 AM, Nathan Nobbe wrote:




On Fri, May 28, 2010 at 7:43 PM, Jason Pruim > wrote:

Hey Everyone,

So I'm sitting here on a friday night trying to figure out how in  
the world I'm going to fix an issue that should probably be simple  
to me but is escaping me at the moment


Take this authentication function:

   $loginQuery = "SELECT * FROM {$cfgtableAuth} WHERE  
userLogin='".$authUser."' AND userPass='".$md5pass."' LIMIT 0,1;";


   $loginResult = mysql_query($loginQuery) or die("Wrong  
data supplied or database error"  .mysql_error());

   $row1 = mysql_fetch_assoc($loginResult);
   if($row1['access'] == "500"){
   foreach (array_keys($_SESSION) as $key)
   unset($_SESSION[$key]);

   die('account disabled');
   }

   if(is_array($row1)){

   $_SESSION['userInfo'] = array( "userLogin" =>  
$row1['userName'], "loggedin" => TRUE, "userName" =>  
$row1['userName'], "userPermission" => $row1['userPermission']);


   error_log("User has logged in: ".  
$row1['userLogin']);


   }else{
   //$_SESSION['userInfo'] =array("loggedin" =>  
FALSE);

   die('authentication failed');

   }
   return TRUE;

   }

?>

Here is how I am displaying the login form:


   

CSS;
include("nav.php");

if ($_SESSION['userInfo']['loggedin'] == TRUE) {

MAIN PAGE DISPLAY HERE

}else{

   //Display login info
echo <<
   
   
   You must login to proceed!
   User Name: name="txtUser">
   Password: name="txtPass">

   
   
   

FORM;

if(isset($_POST['txtUser'])) {
$authUser = $_POST['txtUser'];
$authPass = $_POST['txtPass'];
$auth = authentication($authUser, $authPass, $cfgtableAuth);

}

}

?>

Now... the authentication actually works, and it logs me in  
properly, but I have to click the login button twice Ideally I  
should just do it once, so I'm wondering if anyone can spot my  
grievous misstep here?


it looks to me like you need to move the authentication() call

if(isset($_POST['txtUser'])) {
$authUser = $_POST['txtUser'];
$authPass = $_POST['txtPass'];
$auth = authentication($authUser, $authPass, $cfgtableAuth);
}

above the check to see if the user has logged in, right after the

include("nav.php");

line.  right now, when the user submits the form, your code is first  
finding that the user isnt logged in, spitting out the 'please log  
in' portion of the html then logging them in, so youre actually  
already logged in when the form shows itself the second time!


Hey nathan,

You were close actually... :) If I moved just the $auth call it came  
up and said that the auth failed... BUT if I moved that entire if  
block to just below the include("nav.php"); line it works as it should!


Thanks for the pointer in the right direction! :)



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] authentication issue...

[Ashley Sheridan]

On Sat, 2010-05-29 at 07:40 -0400, Floyd Resler wrote:

> On May 28, 2010, at 9:43 PM, Jason Pruim wrote:
> 
> > Hey Everyone,
> >
> > So I'm sitting here on a friday night trying to figure out how in  
> > the world I'm going to fix an issue that should probably be simple  
> > to me but is escaping me at the moment
> >
> > Take this authentication function:
> >
> >  >
> > function authentication($authUser, $authPass, $cfgtableAuth){
> >
> > // Keep in mind, PASSWORD has meaning in MySQL
> > // Do your string sanitizing here
> > // (e.g. - $user = mysql_real_escape_string($_POST['user']);)
> > $authUser = mysql_real_escape_string($_POST['txtUser']);
> > $authPass = mysql_real_escape_string($_POST['txtPass']);
> > $md5pass = md5($authPass);
> >
> >$loginQuery = "SELECT * FROM {$cfgtableAuth} WHERE  
> > userLogin='".$authUser."' AND userPass='".$md5pass."' LIMIT 0,1;";
> >
> >$loginResult = mysql_query($loginQuery) or die("Wrong  
> > data supplied or database error"  .mysql_error());
> > $row1 = mysql_fetch_assoc($loginResult);
> > if($row1['access'] == "500"){
> >foreach (array_keys($_SESSION) as $key)
> >unset($_SESSION[$key]);
> >
> > die('account disabled');
> > }
> >
> > if(is_array($row1)){
> >
> >$_SESSION['userInfo'] = array( "userLogin" =>  
> > $row1['userName'], "loggedin" => TRUE, "userName" =>  
> > $row1['userName'], "userPermission" => $row1['userPermission']);
> >
> >error_log("User has logged in: ".  
> > $row1['userLogin']);
> >
> >}else{
> > //$_SESSION['userInfo'] =array("loggedin" => FALSE);
> > die('authentication failed');
> >
> > }
> > return TRUE;
> >
> > }
> >
> > ?>
> >
> > Here is how I am displaying the login form:
> >
> >  > session_start();
> >
> > $link = dbconnect($server, $username, $password, $database);
> >
> > $page = $_GET['page'];
> >
> > echo << >
> >
> >
> > CSS;
> > include("nav.php");
> >
> > if ($_SESSION['userInfo']['loggedin'] == TRUE) {
> >
> > MAIN PAGE DISPLAY HERE
> >
> > }else{
> >
> > //Display login info
> > echo << >
> > 
> > 
> >You must login to proceed!
> > User Name:  > name="txtUser">
> > Password:  > name="txtPass">
> > 
> > 
> > 
> > 
> > FORM;
> >
> > if(isset($_POST['txtUser'])) {
> > $authUser = $_POST['txtUser'];
> > $authPass = $_POST['txtPass'];
> > $auth = authentication($authUser, $authPass, $cfgtableAuth);
> >
> > }
> >
> > }
> >
> > ?>
> >
> > Now... the authentication actually works, and it logs me in  
> > properly, but I have to click the login button twice Ideally I  
> > should just do it once, so I'm wondering if anyone can spot my  
> > grievous misstep here?
> >
> > Thanks in advance for the help and pointers I am bound to receive  
> > from this list! :)
> >
> 
> Your problem kind of made me laugh.  Not because you're having this  
> problem but because the problem you're having that you want to correct  
> is something a co-worker of mine did by design.  She writes in FoxPro  
> and on her login page you actually  have to click the login button  
> twice in order to log in!  She did it that way because she has a  
> profile button on the login page.  Still, clicking on a login button  
> twice is annoying! :)
> 
> Take care,
> Floyd
> 
> 


The problem I often see in this area is where the login check is
performed in an include file, and then included in every page, including
the login page itself. Takes a little while sometimes to figure out why
it is stuck in an eternal loop!

Thanks,
Ash
http://www.ashleysheridan.co.uk

Re: [PHP] authentication issue...

[Floyd Resler]

On May 28, 2010, at 9:43 PM, Jason Pruim wrote:


Hey Everyone,

So I'm sitting here on a friday night trying to figure out how in  
the world I'm going to fix an issue that should probably be simple  
to me but is escaping me at the moment


Take this authentication function:

   $loginQuery = "SELECT * FROM {$cfgtableAuth} WHERE  
userLogin='".$authUser."' AND userPass='".$md5pass."' LIMIT 0,1;";


   $loginResult = mysql_query($loginQuery) or die("Wrong  
data supplied or database error"  .mysql_error());

$row1 = mysql_fetch_assoc($loginResult);
if($row1['access'] == "500"){
   foreach (array_keys($_SESSION) as $key)
   unset($_SESSION[$key]);

die('account disabled');
}

if(is_array($row1)){

   $_SESSION['userInfo'] = array( "userLogin" =>  
$row1['userName'], "loggedin" => TRUE, "userName" =>  
$row1['userName'], "userPermission" => $row1['userPermission']);


   error_log("User has logged in: ".  
$row1['userLogin']);


   }else{
//$_SESSION['userInfo'] =array("loggedin" => FALSE);
die('authentication failed');

}
return TRUE;

}

?>

Here is how I am displaying the login form:


   

CSS;
include("nav.php");

if ($_SESSION['userInfo']['loggedin'] == TRUE) {

MAIN PAGE DISPLAY HERE

}else{

//Display login info
echo <<


   You must login to proceed!
User Name: 
Password: 




FORM;

if(isset($_POST['txtUser'])) {
$authUser = $_POST['txtUser'];
$authPass = $_POST['txtPass'];
$auth = authentication($authUser, $authPass, $cfgtableAuth);

}

}

?>

Now... the authentication actually works, and it logs me in  
properly, but I have to click the login button twice Ideally I  
should just do it once, so I'm wondering if anyone can spot my  
grievous misstep here?


Thanks in advance for the help and pointers I am bound to receive  
from this list! :)




Your problem kind of made me laugh.  Not because you're having this  
problem but because the problem you're having that you want to correct  
is something a co-worker of mine did by design.  She writes in FoxPro  
and on her login page you actually  have to click the login button  
twice in order to log in!  She did it that way because she has a  
profile button on the login page.  Still, clicking on a login button  
twice is annoying! :)


Take care,
Floyd


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] authentication issue...

[Nathan Nobbe]

On Fri, May 28, 2010 at 7:43 PM, Jason Pruim wrote:

> Hey Everyone,
>
> So I'm sitting here on a friday night trying to figure out how in the world
> I'm going to fix an issue that should probably be simple to me but is
> escaping me at the moment
>
> Take this authentication function:
>
> 
>  function authentication($authUser, $authPass, $cfgtableAuth){
>
>// Keep in mind, PASSWORD has meaning in MySQL
>// Do your string sanitizing here
>// (e.g. - $user = mysql_real_escape_string($_POST['user']);)
>$authUser = mysql_real_escape_string($_POST['txtUser']);
>$authPass = mysql_real_escape_string($_POST['txtPass']);
>$md5pass = md5($authPass);
>
>$loginQuery = "SELECT * FROM {$cfgtableAuth} WHERE
> userLogin='".$authUser."' AND userPass='".$md5pass."' LIMIT 0,1;";
>
>$loginResult = mysql_query($loginQuery) or die("Wrong data
> supplied or database error"  .mysql_error());
>$row1 = mysql_fetch_assoc($loginResult);
>if($row1['access'] == "500"){
>foreach (array_keys($_SESSION) as $key)
>unset($_SESSION[$key]);
>
>die('account disabled');
>}
>
>if(is_array($row1)){
>
>$_SESSION['userInfo'] = array( "userLogin" =>
> $row1['userName'], "loggedin" => TRUE, "userName" => $row1['userName'],
> "userPermission" => $row1['userPermission']);
>
>error_log("User has logged in: ". $row1['userLogin']);
>
>}else{
>//$_SESSION['userInfo'] =array("loggedin" => FALSE);
>die('authentication failed');
>
>}
>return TRUE;
>
>}
>
> ?>
>
> Here is how I am displaying the login form:
>
>  session_start();
>
> $link = dbconnect($server, $username, $password, $database);
>
> $page = $_GET['page'];
>
> echo <<
>
>
> CSS;
> include("nav.php");
>
> if ($_SESSION['userInfo']['loggedin'] == TRUE) {
>
> MAIN PAGE DISPLAY HERE
>
> }else{
>
>//Display login info
> echo <<
>
>
>You must login to proceed!
>User Name:  name="txtUser">
>Password:  name="txtPass">
>
>
>
> 
> FORM;
>
> if(isset($_POST['txtUser'])) {
> $authUser = $_POST['txtUser'];
> $authPass = $_POST['txtPass'];
> $auth = authentication($authUser, $authPass, $cfgtableAuth);
>
> }
>
> }
>
> ?>
>
> Now... the authentication actually works, and it logs me in properly, but I
> have to click the login button twice Ideally I should just do it once,
> so I'm wondering if anyone can spot my grievous misstep here?
>

it looks to me like you need to move the authentication() call

if(isset($_POST['txtUser'])) {
$authUser = $_POST['txtUser'];
$authPass = $_POST['txtPass'];
$auth = authentication($authUser, $authPass, $cfgtableAuth);
}

above the check to see if the user has logged in, right after the

include("nav.php");

line.  right now, when the user submits the form, your code is first finding
that the user isnt logged in, spitting out the 'please log in' portion of
the html then logging them in, so youre actually already logged in when the
form shows itself the second time!

-nathan

[PHP] authentication issue...

[Jason Pruim]

Hey Everyone,

So I'm sitting here on a friday night trying to figure out how in the  
world I'm going to fix an issue that should probably be simple to me  
but is escaping me at the moment


Take this authentication function:

$loginQuery = "SELECT * FROM {$cfgtableAuth} WHERE  
userLogin='".$authUser."' AND userPass='".$md5pass."' LIMIT 0,1;";


$loginResult = mysql_query($loginQuery) or die("Wrong  
data supplied or database error"  .mysql_error());

$row1 = mysql_fetch_assoc($loginResult);
if($row1['access'] == "500"){
foreach (array_keys($_SESSION) as $key)
unset($_SESSION[$key]);

die('account disabled');
}

if(is_array($row1)){

$_SESSION['userInfo'] = array( "userLogin" =>  
$row1['userName'], "loggedin" => TRUE, "userName" =>  
$row1['userName'], "userPermission" => $row1['userPermission']);


error_log("User has logged in: ".  
$row1['userLogin']);


}else{
//$_SESSION['userInfo'] =array("loggedin" => FALSE);
die('authentication failed');

}
return TRUE;

}

?>

Here is how I am displaying the login form:




CSS;
include("nav.php");

if ($_SESSION['userInfo']['loggedin'] == TRUE) {

MAIN PAGE DISPLAY HERE

}else{

//Display login info
echo <<


You must login to proceed!
User Name: 
Password: 




FORM;

if(isset($_POST['txtUser'])) {
$authUser = $_POST['txtUser'];
$authPass = $_POST['txtPass'];
$auth = authentication($authUser, $authPass, $cfgtableAuth);

}

}

?>

Now... the authentication actually works, and it logs me in properly,  
but I have to click the login button twice Ideally I should just  
do it once, so I'm wondering if anyone can spot my grievous misstep  
here?


Thanks in advance for the help and pointers I am bound to receive from  
this list! :)






--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication by client certificate

[Edmund Hertle]

2009/1/23 Jesus Campos 

> Hi there,
>
> I would like to create a application that can be able to authenticate by
> client certificate.
> Can I make this by apache/php? Anyone can recomend me documantation?
>
> Thanks,
> JCampos
>  


Hey,

I do not really understand what do you want to do? Are you talking about
ssl-certificates?

-eddy

[PHP] Authentication by client certificate

[Jesus Campos]

Hi there,

I would like to create a application that can be able to authenticate by 
client certificate.
Can I make this by apache/php? Anyone can recomend me documantation?

Thanks,
JCampos 



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] authentication verification

[Greg Maruszeczka]

On Thu, 29 May 2008 14:20:02 -0600 (MDT)
"DeadTOm" <[EMAIL PROTECTED]> wrote:

> So the user comes to the site and they're presented with a log in
> page. They enter their username and password and php checks a mysql
> database for a matching username and password.
> In the case of a match, php then sets a cookie on their browser with a
> value of 1 for authenticated and 0 for not authenticated. Every
> subsequent page the user views checks the status of this cookie and
> if it's a zero it kicks them back to the log in page. This cookie
> expires in 5 days and after that they'll have to log in again.
> I'm aware that this is terribly easy to circumvent by
> creating/modifying a cookie with the 1 value and the site thinks
> you've passed muster. What is a better way of doing this?
> 
> --
> 
> DeadTOm
> http://www.mtlaners.org
> [EMAIL PROTECTED]
> A Linux user since 1999.
> 
> 
> 

Sessions.

http://php.net/manual/en/ref.session.php

-- 
   
Greg Maruszeczka

http://websagesolutions.com
skype: websage.ca
googletalk: gmarus

"Those who are possessed by nothing possess everything."
-- Morihei Ueshiba

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] authentication verification

[Robert Cummings]

On Thu, 2008-05-29 at 14:20 -0600, DeadTOm wrote:
> So the user comes to the site and they're presented with a log in page.
> They enter their username and password and php checks a mysql database for
> a matching username and password.
> In the case of a match, php then sets a cookie on their browser with a
> value of 1 for authenticated and 0 for not authenticated. Every subsequent
> page the user views checks the status of this cookie and if it's a zero it
> kicks them back to the log in page. This cookie expires in 5 days and
> after that they'll have to log in again.
> I'm aware that this is terribly easy to circumvent by creating/modifying a
> cookie with the 1 value and the site thinks you've passed muster.
> What is a better way of doing this?

Use PHP session engine... and set:

$_SESSION['loggedIn'] = true;

Then you can check THAT value and they can't modify it.

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] authentication verification

[DeadTOm]

So the user comes to the site and they're presented with a log in page.
They enter their username and password and php checks a mysql database for
a matching username and password.
In the case of a match, php then sets a cookie on their browser with a
value of 1 for authenticated and 0 for not authenticated. Every subsequent
page the user views checks the status of this cookie and if it's a zero it
kicks them back to the log in page. This cookie expires in 5 days and
after that they'll have to log in again.
I'm aware that this is terribly easy to circumvent by creating/modifying a
cookie with the 1 value and the site thinks you've passed muster.
What is a better way of doing this?

--

DeadTOm
http://www.mtlaners.org
[EMAIL PROTECTED]
A Linux user since 1999.



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication script working in firefox but strange results in ie7

[Sancar Saran]

Hello ,
Those code doesn't mean anything to client browser, you may session cookie 
problem. Please check php.net online manual about it.

Regards

Sancar

On Saturday 04 August 2007 18:20:49 Brian Seymour wrote:
> I mostly use Firefox but still I check to make sure everything works in IE7
> and other browsers equally as well. I had strange results here. I have a
> simple login form(user/pass field and submit button). I have the actual
> login request script in a common php file. I have an Authentication class
> that handles my auth stuff. With the code the way it is, it works perfectly
> in firefox. However, in IE7 when you log in it shows the restricted stuff
> but as soon as you navigate anywhere else you no longer have access. If you
> login again then it works fine just like the first time you logged in using
> firefox.
>
> Now if you change $_SESSION['uid']=="" to !isset($_SESSION['uid']) then it
> works perfectly on both browsers.
>
> Anyhow, rifle through the code -- just something to think about. Anybody
> else have a similar issue before?
>
> Web Code:
> Restricted stuff:
>  if ($_SESSION['uid']==""){
>   $ops->postLogin($e);
>   }else{
>   ?>
>   Logged in stuff(Restricted stuff)
>   
>
> Common snippet:
>   if ($_POST[action]=="login"){
>   $auth = new
> Authentication($host,$user,$pass,"dbname","http://aerocore.net/";);
>   if
> ($auth->verifyCreds($_POST['username'],$_POST['password'],"base_contributor
>s ","id"))
>   {
>   $_SESSION['uid'] = $auth->retId;
>   $auth->failSafe();
>   break;
>   }
>   }
>
> Authentication:
>   class Authentication extends SQL {
>   public $errorMsg;
>   public $retId;
>   public $clean = array();
>   public $fail;
>
>   public function __construct($host,$user,$pass,$dbname =
> null,$fail)
>   {
>   parent::__construct($host,$user,$pass,$dbname =
> null);
>   $this->fail=$fail;
>   }
>
>   public function failSafe()
>   {
>   header("Location: {$this->fail}");
>   }
>
>   final public function sanitizeLoginCreds($user, $pass)
>   {
>   $this->clean['username']=strip_tags($user);
>   $this->clean['password']=strip_tags($pass);
>   if (!ctype_alnum($this->clean['username'])){
> $this->clean['username']=""; }
>   if (!ctype_alnum($this->clean['password'])){
> $this->clean['password']=""; }
>   }
>
>   final public function verifyCreds($user, $pass, $table,
> $retVal = null)
>   {
>   $this->sanitizeLoginCreds($user,$pass);
>
>   //$this->result = $this->query("SELECT * FROM $table
> where username='{$this->clean[username]}' and
> password='{$this->clean[password]}'");
>
>   if ($this->fetchNumRows("SELECT * FROM $table where
> username='{$this->clean[username]}' and
> password='{$this->clean[password]}'") == 0)
>   {
>   $this->errorMsg = "Incorrect
> Username/Password Combo";
>   $this->failSafe();
>   return false;
>   }
>   else
>   {
>   if (isset($retVal))
>   {
>   $this->retId =
> $this->fetchArray("SELECT * FROM $table where
> username='{$this->clean[username]}' and
> password='{$this->clean[password]}'");
>   $this->retId =
> $this->retId[$retVal];
>   }
>   return true;
>   }
>
>   }
>
>   final public function secureLogout()
>   {
>   $_SESSION = array();
>   session_destroy();
>   $this->failSafe();
>   }
>
>   public function __destruct(){}
>   }
>
> Brian Seymour
> Zend Certified Engineer
> AeroCoreProductions
> http://www.aerocore.net/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Authentication script working in firefox but strange results in ie7

[Brian Seymour]

I mostly use Firefox but still I check to make sure everything works in IE7
and other browsers equally as well. I had strange results here. I have a
simple login form(user/pass field and submit button). I have the actual
login request script in a common php file. I have an Authentication class
that handles my auth stuff. With the code the way it is, it works perfectly
in firefox. However, in IE7 when you log in it shows the restricted stuff
but as soon as you navigate anywhere else you no longer have access. If you
login again then it works fine just like the first time you logged in using
firefox.

Now if you change $_SESSION['uid']=="" to !isset($_SESSION['uid']) then it
works perfectly on both browsers.

Anyhow, rifle through the code -- just something to think about. Anybody
else have a similar issue before?

Web Code:
Restricted stuff:
postLogin($e);
}else{ 
?>
Logged in stuff(Restricted stuff)


Common snippet:
if ($_POST[action]=="login"){
$auth = new
Authentication($host,$user,$pass,"dbname","http://aerocore.net/";);
if
($auth->verifyCreds($_POST['username'],$_POST['password'],"base_contributors
","id"))
{
$_SESSION['uid'] = $auth->retId;
$auth->failSafe();
break;
}
}

Authentication:
class Authentication extends SQL {
public $errorMsg;
public $retId;
public $clean = array();
public $fail;

public function __construct($host,$user,$pass,$dbname =
null,$fail)
{
parent::__construct($host,$user,$pass,$dbname =
null);
$this->fail=$fail;
}

public function failSafe()
{
header("Location: {$this->fail}");
}

final public function sanitizeLoginCreds($user, $pass)
{
$this->clean['username']=strip_tags($user);
$this->clean['password']=strip_tags($pass);
if (!ctype_alnum($this->clean['username'])){
$this->clean['username']=""; }
if (!ctype_alnum($this->clean['password'])){
$this->clean['password']=""; }
}

final public function verifyCreds($user, $pass, $table,
$retVal = null)
{
$this->sanitizeLoginCreds($user,$pass);

//$this->result = $this->query("SELECT * FROM $table
where username='{$this->clean[username]}' and
password='{$this->clean[password]}'");

if ($this->fetchNumRows("SELECT * FROM $table where
username='{$this->clean[username]}' and
password='{$this->clean[password]}'") == 0)
{
$this->errorMsg = "Incorrect
Username/Password Combo";
$this->failSafe();
return false;
}
else
{
if (isset($retVal))
{
$this->retId =
$this->fetchArray("SELECT * FROM $table where
username='{$this->clean[username]}' and
password='{$this->clean[password]}'");
$this->retId =
$this->retId[$retVal];
}
return true;
}

}

final public function secureLogout()
{
$_SESSION = array();
session_destroy();
$this->failSafe();
}

public function __destruct(){}
}

Brian Seymour
Zend Certified Engineer
AeroCoreProductions
http://www.aerocore.net/ 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication

[Nathan Nobbe]

Dan,

i realize i misunderstood the original question.  am i to understand you
have php running
on all of the client machines ?

thanks,

-nathan

On 7/31/07, Dan Shirah <[EMAIL PROTECTED]> wrote:
>
> Correct Stut, I want transparent authentication, but I also want to have
> the
> currently logged in user name pulled so I can use it for tracking
> purposes.
> My application deals with very sensitive company information and I want to
> pull the username for tracking purposes. I have everything running local
> on
> the same PC.  Win2k3 server, IIS, PHP and MSSQL Server.  I have PHP
> installed for use with ldap and have NT Authentication set in IIS for the
> site.  This allows me to perform the transparency, but I can't seem to
> extract the username.
>
> On 7/29/07, Stut <[EMAIL PROTECTED]> wrote:
> >
> > Dan Shirah wrote:
> > > I looked on PHP.net but I couldn't not find anything suitable to
> answer
> > my
> > > question.
> > >
> > > Within PHP, is there a way to pull the name of the user that is
> > currently
> > > logged into the PC?
> > >
> > > I know with some of the _SERVER functions you can pull the IP of the
> > machine
> > > and other data, is there a function within this family that would
> work?
> >
> > I'm assuming you're after "transparent authentication" where the user
> > doesn't need to do anything to authenticate with the site. This is only
> > possible with IE as the client on an NT domain with the server on the
> > same domain. If you're using IIS on the server then it's as easy as
> > removing anonymous and basic authentication from the site/directory. If
> > you're using Apache or something else you need to find an
> > extension/module that provides NTLM authentication, but not all of the
> > ones I tried fully supported the transparent side of it.
> >
> > I implemented this for a corporate intranet a while back in Apache on
> > FreeBSD with mod_ntlm (Google for it - dunno if it's still maintained).
> > That was in 2004 and information was sparse, but with a bit of research
> > and *lots* of experimenting I was able to get it to work.
> >
> > To be perfectly honest, if I were doing it again I'd save the time and
> > use IIS on the server - sooo much easier.
> >
> > -Stut
> >
> > --
> > http://stut.net/
> >
>

Re: [PHP] Authentication

[Stut]

Dan Shirah wrote:
Correct Stut, I want transparent authentication, but I also want to have 
the currently logged in user name pulled so I can use it for tracking 
purposes.  My application deals with very sensitive company information 
and I want to pull the username for tracking purposes. I have everything 
running local on the same PC.  Win2k3 server, IIS, PHP and MSSQL 
Server.  I have PHP installed for use with ldap and have NT 
Authentication set in IIS for the site.  This allows me to perform the 
transparency, but I can't seem to extract the username.


Spit out the contents of $_SERVER with print_r - it's probably in there 
somewhere.


print ''.print_r($_SERVER, true).'';

-Stut

--
http://stut.net/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication

[Dan Shirah]

Correct Stut, I want transparent authentication, but I also want to have the
currently logged in user name pulled so I can use it for tracking purposes.
My application deals with very sensitive company information and I want to
pull the username for tracking purposes. I have everything running local on
the same PC.  Win2k3 server, IIS, PHP and MSSQL Server.  I have PHP
installed for use with ldap and have NT Authentication set in IIS for the
site.  This allows me to perform the transparency, but I can't seem to
extract the username.

On 7/29/07, Stut <[EMAIL PROTECTED]> wrote:
>
> Dan Shirah wrote:
> > I looked on PHP.net but I couldn't not find anything suitable to answer
> my
> > question.
> >
> > Within PHP, is there a way to pull the name of the user that is
> currently
> > logged into the PC?
> >
> > I know with some of the _SERVER functions you can pull the IP of the
> machine
> > and other data, is there a function within this family that would work?
>
> I'm assuming you're after "transparent authentication" where the user
> doesn't need to do anything to authenticate with the site. This is only
> possible with IE as the client on an NT domain with the server on the
> same domain. If you're using IIS on the server then it's as easy as
> removing anonymous and basic authentication from the site/directory. If
> you're using Apache or something else you need to find an
> extension/module that provides NTLM authentication, but not all of the
> ones I tried fully supported the transparent side of it.
>
> I implemented this for a corporate intranet a while back in Apache on
> FreeBSD with mod_ntlm (Google for it - dunno if it's still maintained).
> That was in 2004 and information was sparse, but with a bit of research
> and *lots* of experimenting I was able to get it to work.
>
> To be perfectly honest, if I were doing it again I'd save the time and
> use IIS on the server - sooo much easier.
>
> -Stut
>
> --
> http://stut.net/
>

Re: [PHP] Authentication

[Stut]

Dan Shirah wrote:

I looked on PHP.net but I couldn't not find anything suitable to answer my
question.

Within PHP, is there a way to pull the name of the user that is currently
logged into the PC?

I know with some of the _SERVER functions you can pull the IP of the machine
and other data, is there a function within this family that would work?


I'm assuming you're after "transparent authentication" where the user 
doesn't need to do anything to authenticate with the site. This is only 
possible with IE as the client on an NT domain with the server on the 
same domain. If you're using IIS on the server then it's as easy as 
removing anonymous and basic authentication from the site/directory. If 
you're using Apache or something else you need to find an 
extension/module that provides NTLM authentication, but not all of the 
ones I tried fully supported the transparent side of it.


I implemented this for a corporate intranet a while back in Apache on 
FreeBSD with mod_ntlm (Google for it - dunno if it's still maintained). 
That was in 2004 and information was sparse, but with a bit of research 
and *lots* of experimenting I was able to get it to work.


To be perfectly honest, if I were doing it again I'd save the time and 
use IIS on the server - sooo much easier.


-Stut

--
http://stut.net/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication

[Richard Heyes]

I looked on PHP.net but I couldn't not find anything suitable to answer my
question.

Within PHP, is there a way to pull the name of the user that is currently
logged into the PC?

I know with some of the _SERVER functions you can pull the IP of the machine
and other data, is there a function within this family that would work?


If you're running your PHP script on IIS, maybe. Use print_r():



--
Richard Heyes
+44 (0)844 801 1072
http://www.websupportsolutions.co.uk

Knowledge Base and HelpDesk software
that can cut the cost of online support

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: [PHP] Authentication

[Instruct ICC]

From: "Dan Shirah" <[EMAIL PROTECTED]>

All,

I looked on PHP.net but I couldn't not find anything suitable to answer my
question.

Within PHP, is there a way to pull the name of the user that is currently
logged into the PC?

I know with some of the _SERVER functions you can pull the IP of the 
machine

and other data, is there a function within this family that would work?

Thanks,

Dan


What operating system is being run on this personal computer?
Who is running the PHP script?
Is the PHP script being run from a web page or the command line?

On a Mac, if I run phpinfo from a command line script, I see my user name in 
6 entries with variants of USER and LOGNAME.
If the user was logged into a PHP web page with say htaccess or a custom 
HTML Form, I could see the name he logged in with.


_
Don't get caught with egg on your face. Play Chicktionary!  
http://club.live.com/chicktionary.aspx?icid=chick_hotmailtextlink2


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication

[Sancar Saran]

On Friday 27 July 2007 20:51:51 Dan Shirah wrote:
> All,
>
> I looked on PHP.net but I couldn't not find anything suitable to answer my
> question.
>
> Within PHP, is there a way to pull the name of the user that is currently
> logged into the PC?
>
> I know with some of the _SERVER functions you can pull the IP of the
> machine and other data, is there a function within this family that would
> work?
>
> Thanks,
>
> Dan

Not sure and not tested.

If my memory correct there where some options in AD login scripts to update 
dns records of current machine.

So if you can update logged machine dns records with containing current user 
information.

You may retreive that information from dns. 

Otherwise (except Activex solutions) there is no other way to pull this kind 
of information from client.

Regards

Sancar

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication

[Chad Robinson]

Dan Shirah wrote:

My application is only used within my company. I want to pull the NT
Authenticated user that is logged in, cross reference that user with what I
have pulled from ldap and verify the user's name is valid. If the username
is valid I will assign it to a variable and use that variable to store the
name of the user that submitted the requests.

Yes, I am trying to get a single sign on method if possible.

 $_SERVER['REMOTE_ADDR'] works in bringing back the IP Address of the
computer I'm kaing the request from, but $_SERVER['REMOTE_USER'] does not
return anything.
  
There's an ActiveX component floating around that will pull this 
information from the user's PC and make it available so Javascript can 
get it (and then pass it on to you). You have to instruct each user's 
browser to consider your site in the trusted zone, but it works fine 
after that. This is how Microsoft does SSO in their own browser.


I didn't actually read too much into this link, but it might get you going:
http://archives.devshed.com/forums/php-windows-119/newb-get-username-that-is-currently-logged-in-to-windows-1765301.html

Basically, having the user put your site into the 'Trusted' zone allows 
Javascript to call out to things, which it can't do with default 
security settings.


After you get it, then you have to pass it to the server. If you want to 
get this automatically, make the entry page (index/default/whatever) run 
this javascript work, then at the tail end of it redirect the user to 
the login page using a GET or POST query to pass in the username. If it 
fails to get the username the login page can then just ask for it.


At least, maybe it will give you enough to Google now.

Regards,
Chad

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication

[Richard Lynch]

On Fri, July 27, 2007 4:02 pm, Dan Shirah wrote:
> My application is only used within my company. I want to pull the NT
> Authenticated user that is logged in, cross reference that user with
> what I
> have pulled from ldap and verify the user's name is valid. If the
> username
> is valid I will assign it to a variable and use that variable to store
> the
> name of the user that submitted the requests.
>
> Yes, I am trying to get a single sign on method if possible.

>> If you're trying to get some kind of "one login" system going, there
>> may or may not be some useful info in the ever-reappearing thread
>> regarding "Active Directory" and/or LDAP.

The answer remains: rtfa 

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: [PHP] Authentication

[Jay Blanchard]

[snip]
My application is only used within my company. I want to pull the NT
Authenticated user that is logged in, cross reference that user with
what I
have pulled from ldap and verify the user's name is valid. If the
username
is valid I will assign it to a variable and use that variable to store
the
name of the user that submitted the requests.

Yes, I am trying to get a single sign on method if possible.
[/snip]

This is one of those holy grail questions asked before several times
here. In order to pull this off the computer would have to know who you
are after you have logged on. ASP has
Request.Servervariables("LOGON_USER") and requires that the web server
(IIS) be set up properly if IIS is set to use Basic Authentication
or Windows Authentication then LOGON_USER is populated.

So this is not possible using PHP (server-side). Perhaps JavaScript? Not
really. Hours of searching the web will reveal that this is not
probable. 

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication

[Satyam]

If memory doesn't fail me, if you work with IIS and protect the source pages 
of the application so that IUSR_x (the generic anonymous user) doesn't 
have access to those files and instead grant access to the NT users or 
groups which you want, the IIS when working with IE clients will take care 
of that as long as they are all in the same domain.  I did it with IIS 3 and 
IE4 and it worked, I am not completely sure about the details, but it is 
something you do in the server administration and you don't need to do any 
programming at all, if the person reaches the page it is because it is who 
he says it is.


Otherwise, no browser will give you access to any sensitive information on 
the client machine, nothing that someone, anyone, might pick on the server 
side just by receiving a page request.


Satyam

- Original Message - 
From: "Dan Shirah" <[EMAIL PROTECTED]>

To: <[EMAIL PROTECTED]>
Cc: "php-general" 
Sent: Friday, July 27, 2007 11:02 PM
Subject: Re: [PHP] Authentication



My application is only used within my company. I want to pull the NT
Authenticated user that is logged in, cross reference that user with what 
I

have pulled from ldap and verify the user's name is valid. If the username
is valid I will assign it to a variable and use that variable to store the
name of the user that submitted the requests.

Yes, I am trying to get a single sign on method if possible.

$_SERVER['REMOTE_ADDR'] works in bringing back the IP Address of the
computer I'm kaing the request from, but $_SERVER['REMOTE_USER'] does not
return anything.


On 7/27/07, Richard Lynch <[EMAIL PROTECTED]> wrote:


On Fri, July 27, 2007 12:51 pm, Dan Shirah wrote:
> I looked on PHP.net but I couldn't not find anything suitable to
> answer my
> question.
>
> Within PHP, is there a way to pull the name of the user that is
> currently
> logged into the PC?

That data is not transmitted, by design, in an HTTP request.

> I know with some of the _SERVER functions you can pull the IP of the
> machine
> and other data, is there a function within this family that would
> work?

If you can find a JavaScript function to snoop the username, you could
then write that into the URL, I suppose...

But I suspect that, by design, JavaScript does not do this either.

Basically, the username on the visitor's computer is both meaningless
and far far far too private to be handing it out arbitrarily.

It's meaningless in that any user can buy a PC and set up any username
they want on it, and your webserver has NO IDEA what that username
means.

It's far far far too private, because it's none of your business to
know who I am when I'm surfing.

If you're trying to get some kind of "one login" system going, there
may or may not be some useful info in the ever-reappearing thread
regarding "Active Directory" and/or LDAP.

If you're trying to do something else, post whatever it is you are
trying to do, and perhaps you'll get some help.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?










No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.476 / Virus Database: 269.10.22/921 - Release Date: 26/07/2007 
23:16


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication

[Richard Lynch]

On Fri, July 27, 2007 12:51 pm, Dan Shirah wrote:
> I looked on PHP.net but I couldn't not find anything suitable to
> answer my
> question.
>
> Within PHP, is there a way to pull the name of the user that is
> currently
> logged into the PC?

That data is not transmitted, by design, in an HTTP request.

> I know with some of the _SERVER functions you can pull the IP of the
> machine
> and other data, is there a function within this family that would
> work?

If you can find a JavaScript function to snoop the username, you could
then write that into the URL, I suppose...

But I suspect that, by design, JavaScript does not do this either.

Basically, the username on the visitor's computer is both meaningless
and far far far too private to be handing it out arbitrarily.

It's meaningless in that any user can buy a PC and set up any username
they want on it, and your webserver has NO IDEA what that username
means.

It's far far far too private, because it's none of your business to
know who I am when I'm surfing.

If you're trying to get some kind of "one login" system going, there
may or may not be some useful info in the ever-reappearing thread
regarding "Active Directory" and/or LDAP.

If you're trying to do something else, post whatever it is you are
trying to do, and perhaps you'll get some help.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication

[Dan Shirah]

My application is only used within my company. I want to pull the NT
Authenticated user that is logged in, cross reference that user with what I
have pulled from ldap and verify the user's name is valid. If the username
is valid I will assign it to a variable and use that variable to store the
name of the user that submitted the requests.

Yes, I am trying to get a single sign on method if possible.

 $_SERVER['REMOTE_ADDR'] works in bringing back the IP Address of the
computer I'm kaing the request from, but $_SERVER['REMOTE_USER'] does not
return anything.


On 7/27/07, Richard Lynch <[EMAIL PROTECTED]> wrote:
>
> On Fri, July 27, 2007 12:51 pm, Dan Shirah wrote:
> > I looked on PHP.net but I couldn't not find anything suitable to
> > answer my
> > question.
> >
> > Within PHP, is there a way to pull the name of the user that is
> > currently
> > logged into the PC?
>
> That data is not transmitted, by design, in an HTTP request.
>
> > I know with some of the _SERVER functions you can pull the IP of the
> > machine
> > and other data, is there a function within this family that would
> > work?
>
> If you can find a JavaScript function to snoop the username, you could
> then write that into the URL, I suppose...
>
> But I suspect that, by design, JavaScript does not do this either.
>
> Basically, the username on the visitor's computer is both meaningless
> and far far far too private to be handing it out arbitrarily.
>
> It's meaningless in that any user can buy a PC and set up any username
> they want on it, and your webserver has NO IDEA what that username
> means.
>
> It's far far far too private, because it's none of your business to
> know who I am when I'm surfing.
>
> If you're trying to get some kind of "one login" system going, there
> may or may not be some useful info in the ever-reappearing thread
> regarding "Active Directory" and/or LDAP.
>
> If you're trying to do something else, post whatever it is you are
> trying to do, and perhaps you'll get some help.
>
> --
> Some people have a "gift" link here.
> Know what I want?
> I want you to buy a CD from some indie artist.
> http://cdbaby.com/browse/from/lynch
> Yeah, I get a buck. So?
>
>

Re: [PHP] Authentication

[Jim Lucas]

[EMAIL PROTECTED] wrote:

Maybe this: $_SERVER['PHP_AUTH_USER']

http://www.php.net/manual/en/reserved.variables.php#reserved.variables.server

Regards,
Carlton Whitehead

- Original Message -
From: "Dan Shirah" <[EMAIL PROTECTED]>
To: "php-general" 
Sent: Friday, July 27, 2007 1:51:51 PM (GMT-0500) America/New_York
Subject: [PHP] Authentication

All,

I looked on PHP.net but I couldn't not find anything suitable to answer my
question.

Within PHP, is there a way to pull the name of the user that is currently
logged into the PC?

I know with some of the _SERVER functions you can pull the IP of the machine
and other data, is there a function within this family that would work?

Thanks,

Dan



This is used for http authenticated user.  not local system user

--
Jim Lucas

   "Some men are born to greatness, some achieve greatness,
   and some have greatness thrust upon them."

Twelfth Night, Act II, Scene V
by William Shakespeare

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication

[cebesius]

Maybe this: $_SERVER['PHP_AUTH_USER']

http://www.php.net/manual/en/reserved.variables.php#reserved.variables.server

Regards,
Carlton Whitehead

- Original Message -
From: "Dan Shirah" <[EMAIL PROTECTED]>
To: "php-general" 
Sent: Friday, July 27, 2007 1:51:51 PM (GMT-0500) America/New_York
Subject: [PHP] Authentication

All,

I looked on PHP.net but I couldn't not find anything suitable to answer my
question.

Within PHP, is there a way to pull the name of the user that is currently
logged into the PC?

I know with some of the _SERVER functions you can pull the IP of the machine
and other data, is there a function within this family that would work?

Thanks,

Dan

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication

[Nathan Nobbe]

on *.nix you could do something like

$users = explode(' ', `users`);

$users will then be an array w/ the usernames of the currently logged in
users.
user names may appear more than once, per the users documentation.

no clue or care on windows for me :)

-nathan

On 7/27/07, Dan Shirah <[EMAIL PROTECTED]> wrote:
>
> All,
>
> I looked on PHP.net but I couldn't not find anything suitable to answer my
> question.
>
> Within PHP, is there a way to pull the name of the user that is currently
> logged into the PC?
>
> I know with some of the _SERVER functions you can pull the IP of the
> machine
> and other data, is there a function within this family that would work?
>
> Thanks,
>
> Dan
>

Re: [PHP] Authentication

[Daniel Brown]

On 7/27/07, Dan Shirah <[EMAIL PROTECTED]> wrote:
> All,
>
> I looked on PHP.net but I couldn't not find anything suitable to answer my
> question.
>
> Within PHP, is there a way to pull the name of the user that is currently
> logged into the PC?
>
> I know with some of the _SERVER functions you can pull the IP of the machine
> and other data, is there a function within this family that would work?
>
> Thanks,
>
> Dan
>

I couldn't hear you at first over your away message conversations.  ;-P

I know Perl (and, inherently, PHP) has a getenv identity
REMOTE_USER (http://hoohoo.ncsa.uiuc.edu/cgi/env.html), but I haven't
had success employing it but I think I only tried it once, about
six years ago, just to see if it would work.
-- 
Daniel P. Brown
[office] (570-) 587-7080 Ext. 272
[mobile] (570-) 766-8107

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Authentication

[Dan Shirah]

All,

I looked on PHP.net but I couldn't not find anything suitable to answer my
question.

Within PHP, is there a way to pull the name of the user that is currently
logged into the PC?

I know with some of the _SERVER functions you can pull the IP of the machine
and other data, is there a function within this family that would work?

Thanks,

Dan

Re: [PHP] authentication problem

[Richard Lynch]

On Fri, April 29, 2005 8:50 am, Yavuz S. Atmaca said:
> $sql = "SELECT user_id
> FROM tbl_auth_user
> WHERE user_id = '$userId' AND
> user_password = PASSWORD('$password')";

Did you use the PASSWORD function when you inserted your passwords, or are
they just plain-text?

SELECT * FROM tbl_auth_user;

If you see 'secret' in the user_password field, you need to do:
UPDATE tbl_auth_user SET user_password = PASSWORD(user_password) WHERE
user_id = 1;

Or whatever user_id has a clear-text user_password.

That's about the only thing I can see that could be messing you up...

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] authentication problem

[Yavuz S. Atmaca]

Hi all
I'm trying to do authentication with database. I
created the database and I inserted some usernames and
passwords into my database. By using the below file,
I'm trying to give access to the main page for the
accounts that matches the username and password. The
problem is that "it do not recognize the usernames and
password that i already inserted and it dont let me
in.
Do you see an problem with the code ort any idea?
When I modifiy that line to 0, it lets me in
 if (mysql_num_rows($result) ==0)   //--->like
that


Thanks in advance :) 

This is my form and php file--

 
 
 
Basic Login 
 
 

 
 
 
 
 
 
   
   User Id 

   
   
   Password 

   
   
     

   
 
 
 
 
--



__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Authentication fails

[John Swartzentruber]

Somehow my PHP 5.0.3 or something is configured incorrectly. When I try 
to get past an authentication input, nothing happens. For example, I 
have phpMyAdmin configured now to use mysqli, but when I enter the 
username and password, the screen doesn't change. In previous testing, I 
saw that an incorrect authentication was detected and reported, but a 
correct authentication had no affect.

My phpinfo() output is at http://john.swartzentruber.us/test.php
For example, I'm trying to use a simple file upload script called "file 
thingie" that is at http://www.solitude.dk/filethingie/download.php

I have edited the original file only to decrease the maximum file size 
to 500 bytes and limit uploads to text files. I hope no one here tries 
to be nasty. The user name is "USERNAME2" and the password is "PASSWORD".

Can anyone check this out and give me some clues or things to look into? 
Is there some setting that would cause _POST data to disappear? How 
would I go about debugging this?

Thanks for any help or pointers.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] authentication problem...

[Christophe Chisogne]

Ali a écrit :
if ( ( !isset( $PHP_AUTH_USER )) || (!isset($PHP_AUTH_PW))
 || ( $PHP_AUTH_USER != 'user' ) || ( $PHP_AUTH_PW != 'open' ) ) {
Better use $_SERVER['PHP_AUTH_USER'] instead of $PHP_AUTH_USER
and $_SERVER['PHP_AUTH_PW'] instead of $PHP_AUTH_PW.
Chapter 33. HTTP authentication with PHP
http://www.php.net/manual/en/features.http-auth.php
Christophe
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] authentication problem...

[Ali]

Hi there

this is a tutorial am trying to do...chk out the code..

if ( ( !isset( $PHP_AUTH_USER )) || (!isset($PHP_AUTH_PW))
 || ( $PHP_AUTH_USER != 'user' ) || ( $PHP_AUTH_PW != 'open' ) ) {

header( 'WWW-Authenticate: Basic realm="Private"' );
header( 'HTTP/1.0 401 Unauthorized' );
echo 'Authorization Required.';
exit;

} else {

echo 'Success!';

}

when i tried to access the page..the dialogue box appears asking for user
name and password..and when i type the "user" and "open"...it just keeps on
asking for the user name and password rather than logging in and showing
success..Is there anything to do with the any settings in the apache or
php...am using apache 1.3.33 and php 4.3.10 on winXP pro SP1..and i have php
installed as a module...OR is there anything to do with the code

thanks...

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] authentication

[Zareef Ahmed]

Hi  Ali,
 Visit 

http://zareef.users.phpclasses.org/browse/class/21.html

You will find a lot of code.

zareef ahmed 


On Tue, 28 Dec 2004 13:12:14 +1030, Ali <[EMAIL PROTECTED]> wrote:
> Hi everyone...
> can anyone lead me to a good tutorial on authentication...it wud be good if
> i can get a one in connection with a database..
> thnks
> 
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 


-- 
Zareef Ahmed :: A PHP Developer in India ( Delhi )
Homepage :: http://www.zareef.net

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] authentication

[John Holmes]

Ali wrote:
can anyone lead me to a good tutorial on authentication...it wud be good if
i can get a one in connection with a database..
$all_good = query("SELECT valid_user FROM table");
or use Google.
--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals – www.phparch.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] authentication

[Ali]

Hi everyone...
can anyone lead me to a good tutorial on authentication...it wud be good if
i can get a one in connection with a database..
thnks

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication Class

[Bruno B B Magalhães]

Is this good or bad? heheh!
Regards,
Bruno B B Magalhaes
On Nov 16, 2004, at 3:31 PM, raditha dissanayake wrote:
Bruno B B Magalhães wrote:
Hi guys,
well, I wrote a class for a big project (a framework), and here it 
is,  I was wondering if someone have any suggestions regarding 
flexibility  and security.
Wow it's the most artistic piece of php i have ever seen.
--
Raditha Dissanayake.
--
http://www.radinks.com/print/card-designer/ | Card Designer Applet
http://www.radinks.com/upload/  | Drag and Drop Upload
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication Class

[raditha dissanayake]

Bruno B B Magalhães wrote:
Hi guys,
well, I wrote a class for a big project (a framework), and here it 
is,  I was wondering if someone have any suggestions regarding 
flexibility  and security.
Wow it's the most artistic piece of php i have ever seen.
--
Raditha Dissanayake.
--
http://www.radinks.com/print/card-designer/ | Card Designer Applet
http://www.radinks.com/upload/  | Drag and Drop Upload
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Authentication Class

[Bruno B B Magalhães]

Hi guys,
well, I wrote a class for a big project (a framework), and here it is,  
I was wondering if someone have any suggestions regarding flexibility  
and security.

Course it uses specific framework classes but it's quite understable..
==
http://www.bbbm.com.br/
* @copyright 2004 Bruno B B Magalhaes
* @author Bruno B B Magalhaes <[EMAIL PROTECTED]>
* @package BBBM Framework
* @version 0.5dev
*/
class authentication
{
var $domain;

var $database;

var $authenticated = false;

var $access_section = '';
var $access_level = '0';

var $post;
var $session;
var $cookie;
	var $userid;
	var $username;
	var $password;
	var $sessionid;
	var $remember_me;
	
	var $errormsg;
	
	var $tables = array('users','usersgroups');
	
	/**
	* PHP 4 Constructor
	*/
	function authentication(&$database)
	{
		$this->database =& $database;
		$this->database->build_table($this->tables);
		$this->domain = $_SERVER['HTTP_HOST'];
	}
	
	/**
	* Start Authentication Process
	*/
	function authenticate($access_section='',$access_level=0)
	{
		if($access_level > 0)
		{
			$this->access_level	= $access_level;
			$this->access_section	= $access_section;
			
			$this->check_post();
			$this->check_session();
			$this->check_cookie();
			
			if($this->post == true)
			{
$this->auth($this->username,$this->password,$this->access_level);
			}
			elseif($this->cookie == true)
			{
$this->auth_check($this->username,$this->sessionid,$this- 
>access_level);
			}
			elseif($this->session == true)
			{
$this->auth_check($this->username,$this->sessionid,$this- 
>access_level);
			}
			else
			{
$this->authenticated = false;
			}
		}
		else
		{
			$this->authenticated = true;
		}
	}

/**
* Authentication Process
*/
function auth($username='',$password='',$accesslevel=0)
{
$query = 'SELECT
*
FROM
'.$this->database->table['users'].' AS users,
'.$this->database->table['usersgroups'].' AS 
groups
WHERE
users.userGroup=groups.groupId
AND
users.userName=\''.$username.'\'
AND
users.userPassword=\''.$password.'\'
AND
users.userStatus > \'0\'
AND
groups.groupStatus > \'0\'
LIMIT
1';
		$this->database->query($query);
		
		if($this->database->num_rows() > 0)
		{
			$this->database->fetch_array();
			
			if($this->database->row['groupLevel'] >= $accesslevel)
			{
$this->authenticated = true;

$this->userid = $this->database->row['userId'];
$this->session_write('username',$this->database->row['userName']);
$this->session_write('userlevel',$this->database- 
>row['groupLevel']);

if(isset($this->remember_me))
{
	$this->cookie_write('username',$this->database->row['userName']);
	$this->cookie_write('sessionid',session_id());
}

$update_query = 'UPDATE
			'.$this->database->table['users'].'
		 SET
			userSession=\''.session_id().'\',
			userLastvisit = NOW()
		 WHERE
			userId=\''.$this->database->row['userId'].'\'';

$this->database->query($update_query);
}
else
{
$this->logout();
$this->authenticated = false;
$this->errormsg = 'error_noaccessprivileges';
}
}
else
{
$this->logout();
$this->authenticated = false;
$this->errormsg = 'error_unauthorized';
}
}
/**
* Authentication Check Process
*/
function auth_check($username='',$sessionid='',$accesslevel=0)
{
$query = 'SELECT
users.userId,
groups.groupLevel
FROM
'.$this->database->table['users'].' AS users,
'.$this->database->table['usersgroups'].' AS 
groups
WHERE
users.userGroup=groups.groupId
AND
users.userName=\''.$username.'\'
AND
users.userSession=\''.$sessionid.'\'

Re: [PHP] authentication question

[Greg Donald]

On Tue, 2 Nov 2004 13:48:30 -0500, Kelly Meeks <[EMAIL PROTECTED]> wrote:
> I need to require username/password access  in two distinct ways.

PHP Generic Access Control Lists 

http://phpgacl.sourceforge.net/


-- 
Greg Donald
Zend Certified Engineer
http://gdconsultants.com/
http://destiney.com/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] authentication question

[Kelly Meeks]

I need to require username/password access  in two distinct ways.

At one level, I need to protect all files except .php files within a
directory structure.  I can do this with htaccess using the 
directive.

I also need to serve up database driven content via username/password at
another.  I'm doing this via sessions and php.  I want the same username and
password to work for both.

I don't know how to restrict access to the non-php files with php.  Is there
a way?

If not, is there a way that the username/password info stored in the session
var can be used in conjunction with the htaccess file so if the user has
already logged in via the session system, they don't have to then enter the
same data again via http authentication?

Kelly Meeks
Right Angle, Inc.
PO Box 356
Northampton, MA 01060
413-586-4694 ext. 11

[PHP] authentication using /etc/passwd

[Adam Williams]

Hi, is there a way to authenticate a username/password someone enters in a 
form with what is in /etc/passwd?

Thanks!

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] authentication comparing to /etc/passwd

[Adam Williams]

Hi, is there a PHP function or some sort of way to have a user enter their 
username and password in a form, and compare the username and password and 
see if the username exists and the password is correct?

basically I want to have a page where a person enters their username and 
password and if correct to use the header function to send them to the a 
page.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Aproach to based PHP authentication

[Fernando M. Maresca]

Hello everybody.
I think this problem there was thousands of times in this forum, as the
archives shows, so you can freely ignore me if I bother you.
I have little auth php base that looks like:

if(cookie)
authcookie();
else if($_POST[uname] && $POST[pass])
authuser(); // and sets a cookie
else
printloginForm;

This works and a lot of sites use a similar approach, but it has two
notorious flaws:
1) need cookies (i can live with this one)
2) the browser repost $_POST variables so there is no way to set a
expiration time for the cookie, because it will be seted again, at least
until the browser were closed.

So, one of the two things need to be sacrificated: the loginForm, and
the comfortable $_POST array, or the possiblity of autmatic logoof based
on the expiration of the cookie.
What do you think will be the way to do in this situation?
Thanks everybody.

-- 

Fernando M. Maresca

Cel: (54) 221 15 502 3938
Cel: 0221-15-502-3938

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] authentication problems!

[Scott Taylor]

Do you mean using

$file = '/protected/file.pdf';

or using an absolute path on the server?

Best Regards,

Scott

Subject:
Re: [PHP] authentication problems!
From:
"Luke" <[EMAIL PROTECTED]>
Date:
Wed, 21 Jan 2004 14:24:11 +1100
To:
[EMAIL PROTECTED]
Yeah, i think i mentioned the same thing(or was going to :/ )

you should be able to use the local filesystem, and reffer to it relatively!
and then you can stream it and you wont need any authentication, and noone
will be able to directly link to the file
-- Luke "Jason Wong" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]

On Wednesday 21 January 2004 05:49, Scott Taylor wrote:

Please trim your posts!

 

> Of course there is not problem if the user is entering the information
> him or her self.  But just using this code:
>
> $file = 'http://miningstocks.com/protected/Dec03PostPress.pdf';
>
> //now view the PDF file
> header("Content-Type: application/pdf");
> header("Accept-Ranges: bytes");
> header("Content-Length: ".filesize($file));
> readfile($file);
>
> from a PHP page where no authentication has occured does not work at
   

all.

Did you not read my reply to your previous thread about this? Use a local
filesystem path to read the file.
--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
"A dirty mind is a joy forever."
-- Randy Kunkee
*/
 

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] authentication problems!

[Luke]

Yeah, i think i mentioned the same thing(or was going to :/ )

you should be able to use the local filesystem, and reffer to it relatively!
and then you can stream it and you wont need any authentication, and noone
will be able to directly link to the file

-- 
Luke

"Jason Wong" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> On Wednesday 21 January 2004 05:49, Scott Taylor wrote:
>
> Please trim your posts!
>
> > Of course there is not problem if the user is entering the information
> > him or her self.  But just using this code:
> >
> > $file = 'http://miningstocks.com/protected/Dec03PostPress.pdf';
> >
> > //now view the PDF file
> > header("Content-Type: application/pdf");
> > header("Accept-Ranges: bytes");
> > header("Content-Length: ".filesize($file));
> > readfile($file);
> >
> > from a PHP page where no authentication has occured does not work at
all.
>
> Did you not read my reply to your previous thread about this? Use a local
> filesystem path to read the file.
>
> -- 
> Jason Wong -> Gremlins Associates -> www.gremlins.biz
> Open Source Software Systems Integrators
> * Web Design & Hosting * Internet & Intranet Applications Development *
> --
> Search the list archives before you post
> http://marc.theaimsgroup.com/?l=php-general
> --
> /*
> "A dirty mind is a joy forever."
> -- Randy Kunkee
> */

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] authentication problems!

[Jason Wong]

On Wednesday 21 January 2004 05:49, Scott Taylor wrote:

Please trim your posts!

> Of course there is not problem if the user is entering the information
> him or her self.  But just using this code:
>
> $file = 'http://miningstocks.com/protected/Dec03PostPress.pdf';
>
> //now view the PDF file
> header("Content-Type: application/pdf");
> header("Accept-Ranges: bytes");
> header("Content-Length: ".filesize($file));
> readfile($file);
>
> from a PHP page where no authentication has occured does not work at all.

Did you not read my reply to your previous thread about this? Use a local 
filesystem path to read the file.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
"A dirty mind is a joy forever."
-- Randy Kunkee
*/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] authentication problems!

[Scott Taylor]

by "using HTML" I meant, typing the address in to the broswer as 
http://username:[EMAIL PROTECTED]/protected/file.pdf or as using the 
HTML: http://username:[EMAIL PROTECTED]/protected/file.pdf">Link... 
or using the header:  header("Location: 
http://username:[EMAIL PROTECTED]/protected/file.pdf");

>also, there is no problem retrieving a pdf after passing http basic 
authentication (I just double checked this on a client's site and was 
appropriately prompted with a pdf handling dialog box after I 
authenticated).

Of course there is not problem if the user is entering the information 
him or her self.  But just using this code:

   $file = 'http://miningstocks.com/protected/Dec03PostPress.pdf';
  
   //now view the PDF file
   header("Content-Type: application/pdf");
   header("Accept-Ranges: bytes");
   header("Content-Length: ".filesize($file));
   readfile($file);   

from a PHP page where no authentication has occured does not work at all.

Let me say, if this is not clear, that I do not want unique usernames 
and passwords for users.  I want one username and password that WILL 
NEVER BE SEEN by the user. 

The way that I had planned was to keep ONE username and password which 
would allow access to all the files in a MySql database.  After the user 
entered his name and email address, the username and password would be 
fetched off the database, and then authentication would occur with this 
username and password and the user would be served the file.  The 
authentication would be completely transparent to the user.  But the 
different ways to authenticate transparent to the user either do not 
work or reveal the username and password (making it pointless to even 
protect the files in the first place).

Best Regards,

Scott Taylor



[EMAIL PROTECTED] wrote:

there are a couple of different ways to do this.

the "http basic" approach will work just fine.  with http basic the 
id/pw are passed in the headers in an encoded string, so i'm not 
certain about your:

 if using HTML, the username & password is easily seen

statement.

also, there is no problem retrieving a pdf after passing http basic 
authentication (I just double checked this on a client's site and was 
appropriately prompted with a pdf handling dialog box after I 
authenticated).

now, http basic assumes that the id/pw are in a file/database/etc. the 
password is generally encrypted (des or md5) but can be in clear text. 
so, for this to work, you'd probably need some type of registration 
page that will store the id/pw info that the apache server will query 
against. [i strongly recommend using a database, not a file, due to 
file locking issues.]

other approaches to this general issue include a URL mapping scheme. 
e.g., the public URL would drive the user through a one-time 
email/name collection process. when the user passes that they are 
served the document from the actual storage location. they can be done 
in a way that the true document URL is never shown.  obviously you'd 
have to do this in a way that would give the fake URL as a .pdf so 
that the client will handle things correctly.



-- Original Message --

From: Scott Taylor <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Tuesday, January 20, 2004 03:17:21 PM -0500
Subject: [PHP] authentication problems!
I am about at my wits end trying to find a good solution to this
problem.  I've asked various portions of this question to this mail list
and still have not found exactly what it is I am looking for, but here
it goes.
I'm looking for a way to protect my files (this would be pdf files,
image files, etc...other things then text/php files) so that for someone
to see a current file they will have to enter in their email address and
name.  Seems fairly simple, and yet I can not figure out how to do it.
I've been told of the following alternatives:
Protect the files with HTTP auth (basic, or use SSL if very paranoid),
then, after entering the info into a database:
1. just link to http://username:[EMAIL PROTECTED]/protect/file.pdf
(either directly using html, or use headers).  The problem:  if using
HTML, the username & password is easily seen.  If using headers, this
does not work (it is not seen as a PDF file) - my best guess is that the
auth headers get passed along and so it does not work.  Of course, I can
load a PDF using headers if the file is not in a protected directory
without any problems at all.  But then again it wouldn't be protected to
begin with.
1.b. It was later suggested that I could link to
http://username:[EMAIL PROTECTED]/protect/file.pdf and use an apache
rewrite statement to change every protected file to exclude the username
& password. But I've posted to an apache group and they have said that
this CAN NOT be done.
2.  link to something o

[PHP] authentication problems!

[Scott Taylor]

I am about at my wits end trying to find a good solution to this 
problem.  I've asked various portions of this question to this mail list 
and still have not found exactly what it is I am looking for, but here 
it goes.

I'm looking for a way to protect my files (this would be pdf files, 
image files, etc...other things then text/php files) so that for someone 
to see a current file they will have to enter in their email address and 
name.  Seems fairly simple, and yet I can not figure out how to do it.  
I've been told of the following alternatives:

Protect the files with HTTP auth (basic, or use SSL if very paranoid), 
then, after entering the info into a database:

1. just link to http://username:[EMAIL PROTECTED]/protect/file.pdf 
(either directly using html, or use headers).  The problem:  if using 
HTML, the username & password is easily seen.  If using headers, this 
does not work (it is not seen as a PDF file) - my best guess is that the 
auth headers get passed along and so it does not work.  Of course, I can 
load a PDF using headers if the file is not in a protected directory 
without any problems at all.  But then again it wouldn't be protected to 
begin with.

1.b. It was later suggested that I could link to 
http://username:[EMAIL PROTECTED]/protect/file.pdf and use an apache 
rewrite statement to change every protected file to exclude the username 
& password. But I've posted to an apache group and they have said that 
this CAN NOT be done.

2.  link to something outside of my httpdocs directory.  Unfortunately, 
I am on a shared server and do not have a private folder (or at least my 
_private directory which is contained with httpdocs will not work - I 
get the same problem that I do with authentication - it does not 
recognize the file as a PDF at all).

3.  use a prebuilt class (such as snoopy or Emanuel Lemos).  This looks 
as though it is the only option available to me at this time, but It 
doesn't look as though it as a good one as it will add a lot of code to 
something that seems as though it should be VERY simple, and it means 
that I will have to go through the documentation to use this.

If anyone has any ideas it will be much appreciated.

Scott Taylor

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: [PHP] Authentication

[Robert Sossomon]

Duh, OK, Now I REALLY feel stupid.  With the current setup using the
.htaccess files and everything I have in place all I needed to do was
get the information from: $_SERVER['PHP_AUTH_USER'] and
$_SERVER['PHP_AUTH_PW']. I kept thinking I had to use PHP to set those
values.  Thanks guys!!  Works like a charm now!

Robert
(still learning PHP)..  :)
~~~
Creditors have better memories than debtors. 
~~~

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: [PHP] Authentication

[Chris Shiflett]

--- Robert Sossomon <[EMAIL PROTECTED]> wrote:
> I am not trying to authenticate off of a database though. I have
> scripts that automatically modify the .htaccess file as I change a
> user, so I need to authenticate off the .htaccess file and store
> the users information into a cookie. I think from the cookie I can
> do everything else, just not sure how to get the information from
> the browser to show me the user of the page.

I'm not sure I understand, but you can get the username and password used
in the HTTP authentication from these two variables:

$_SERVER['PHP_AUTH_USER']
$_SERVER['PHP_AUTH_PW']

Hope that helps.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
 Coming mid-2004
HTTP Developer's Handbook
 http://httphandbook.org/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication

[Justin Patrin]

Robert Sossomon wrote:

I am not trying to authenticate off of a database though.  I have
scripts that automatically modify the .htaccess file as I change a user,
so I need to authenticate off the .htaccess file and store the users
information into a cookie.  I think from the cookie I can do everything
else, just not sure how to get the information from the browser to show
me the user of the page.
~~~
"I am a quick leaner, dependable, and motivated."
-Real live resume statement 
~~~

-Original Message-
From: Chris Shiflett [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 16, 2003 11:53 AM
To: Robert Sossomon; [EMAIL PROTECTED]
Subject: Re: [PHP] Authentication

--- Robert Sossomon <[EMAIL PROTECTED]> wrote:

I currently use a .htaccess file for users to login, and now I need to


make some changes to how the site works.

I need to be able to have the users login, and once that is done the 
login needs to be used to pass through the database.


Search PEAR (http://pear.php.net/), because I'm pretty sure there are
aome authentication classes that let you use a database to store the
access credentials.
Hope that helps.

Chris

=
Chris Shiflett - http://shiflett.org/
PHP Security Handbook
 Coming mid-2004
HTTP Developer's Handbook
 http://httphandbook.org/
Well, you could use PEAR::Auth to do these things without having to 
write to a .htaccess file (That's a potential security risk).

Then answer to your question is $_SERVER['PHP_AUTH_USER']. That variable 
will give you the currently logged in user. $_SERVER['PHP_AUTH_PW'] is 
the password.

--
paperCrane 
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: [PHP] Authentication

[Robert Sossomon]

I am not trying to authenticate off of a database though.  I have
scripts that automatically modify the .htaccess file as I change a user,
so I need to authenticate off the .htaccess file and store the users
information into a cookie.  I think from the cookie I can do everything
else, just not sure how to get the information from the browser to show
me the user of the page.

~~~
"I am a quick leaner, dependable, and motivated."

-Real live resume statement 
~~~

-Original Message-
From: Chris Shiflett [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 16, 2003 11:53 AM
To: Robert Sossomon; [EMAIL PROTECTED]
Subject: Re: [PHP] Authentication


--- Robert Sossomon <[EMAIL PROTECTED]> wrote:
> I currently use a .htaccess file for users to login, and now I need to

> make some changes to how the site works.
> 
> I need to be able to have the users login, and once that is done the 
> login needs to be used to pass through the database.

Search PEAR (http://pear.php.net/), because I'm pretty sure there are
aome authentication classes that let you use a database to store the
access credentials.

Hope that helps.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
 Coming mid-2004
HTTP Developer's Handbook
 http://httphandbook.org/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication

[Chris Shiflett]

--- Robert Sossomon <[EMAIL PROTECTED]> wrote:
> I currently use a .htaccess file for users to login, and now I need
> to make some changes to how the site works.
> 
> I need to be able to have the users login, and once that is done the
> login needs to be used to pass through the database.

Search PEAR (http://pear.php.net/), because I'm pretty sure there are aome
authentication classes that let you use a database to store the access
credentials.

Hope that helps.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
 Coming mid-2004
HTTP Developer's Handbook
 http://httphandbook.org/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Authentication

[Robert Sossomon]

I currently use a .htaccess file for users to login, and now I need to
make some changes to how the site works.

I need to be able to have the users login, and once that is done the
login needs to be used to pass through the database.  And to pull files
from a directory as nobody seems to listen when I tell them no emailing
files over 1.5 MB in size and so files the users need are not able to be
downloaded or used.

Code samples would be great, or links to pages or both...

I am looking at something like:

1. User logs in
2. Main page shows: $name click here for your files
3. clicking link provides /$name/files directory listing (how do I do
this in PHP??)
4. When going to a quote system -> $name is passed through the database
to get the list of customers for them.

TIA!

Robert 

~~~
A Diplomat is some one who can tell you to go to hell and make you feel
happy to be on your way.


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] apache httpd + PHP authentication

[news.php.net]

Chris Shiflett wrote:

A "parser" is called every time a page is accessed. If no page is 
defined, the home page is loaded. Subsequent pages are linked with
http://dictionary.reference.com/search?q=parser

  Very amusing.
  Okay, "dispatcher" would probably be a better name. It preps the 
environment before including the page's code.

Is there a way to use a parser as above and still have httpd 
recognize the need for a name/password?
I'm sure there are many ways. You could check for the .htaccess yourself before
including the file, and require HTTP authentication where appropriate. What you
can't do, however, is presume that you can write a script that handles requests
instead of Apache and magically have your code do everything Apache does.
  I do *NOT* want to duplicate the httpd functionality, I want to 
preserve it.

--
jimoe at sohnen-moe dot com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] apache httpd + PHP authentication

[Chris Shiflett]

--- "news.php.net" <[EMAIL PROTECTED]> wrote:
> I have a web page I wish to restrict access. I prefer to use the 
> standard apache httpd authentication with .htaccess and password
> file. This method does not seem to work with PHP.

This method is independent of the type of resource being used, so it works fine
with PHP.

> A "parser" is called every time a page is accessed. If no page is 
> defined, the home page is loaded. Subsequent pages are linked with
> URLs like "http://mysite.com/?page=nextpage.php";. In the parser I
> define a "base_dir" variable that allows access to a common set of
> code files regardless of where the page file is.

Please read this:

http://dictionary.reference.com/search?q=parser

I think I understand what you mean, but an improper use of terms can cause
confusion.

> So the restricted page is in a subdirectory with a .htaccess file to 
> indicate that a name/password is required. This is ignored,
> presumably because the file is include()'d.

That's right. The .htaccess is for Apache. If this resource is served directly
(e.g., the URL references it instead of your "parser"), Apache will require the
proper username/password.

> Is there a way to use a parser as above and still have httpd 
> recognize the need for a name/password?

I'm sure there are many ways. You could check for the .htaccess yourself before
including the file, and require HTTP authentication where appropriate. What you
can't do, however, is presume that you can write a script that handles requests
instead of Apache and magically have your code do everything Apache does.

Hope that helps.

Chris

=
My Blog
 http://shiflett.org/
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] apache httpd + PHP authentication

[news.php.net]

Hello,
  httpd v1.3.27, php v4.3.0.
  I have a web page I wish to restrict access. I prefer to use the 
standard apache httpd authentication with .htaccess and password file. 
This method does not seem to work with PHP.
  A "parser" is called every time a page is accessed. If no page is 
defined, the home page is loaded. Subsequent pages are linked with URLs 
like "http://mysite.com/?page=nextpage.php";. In the parser I define a 
"base_dir" variable that allows access to a common set of code files 
regardless of where the page file is. The complete parser is:

  require('./php/lib/base-dir.inc');// Assigns $base_dir
  $page = $_REQUEST['page'];
  if ("" == $page)
$page = "main-index.php";
  include($base_dir . $page);
  So the restricted page is in a subdirectory with a .htaccess file to 
indicate that a name/password is required. This is ignored, presumably 
because the file is include()'d.
  I have looked at the authentication info in the docs. I have to do 
all the work of verifying the name/password. I do not wish to do so 
since an satisfactory method already exists.
  Is there a way to use a parser as above and still have httpd 
recognize the need for a name/password?

--
jimoe at sohnen-moe dot com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] authentication variable

[Curt Zirzow]

* Thus wrote BhongOng ([EMAIL PROTECTED]):
> Hi,
> 
> I have some questions. Is it possible to pass login data such
> as username and password to the HTTP Basic Authentication
> dialog box from PHP? How do you code that?

I know for sure with Basic authentication you can't.

> 
> Is it also possible to get the variable data from the Authentication
> dialog once login? I tried putting phpinfo() in an index.php page inside
> the web protected directory but I can only see the username in the
> variables..

Answers to this and probably other questions that might come up
about authentication:

  http://php.net/features.http-auth



Curt
-- 
"I used to think I was indecisive, but now I'm not so sure."

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] authentication variable

[BhongOng]

Hi,

I have some questions. Is it possible to pass login data such
as username and password to the HTTP Basic Authentication
dialog box from PHP? How do you code that?

Is it also possible to get the variable data from the Authentication
dialog once login? I tried putting phpinfo() in an index.php page inside
the web protected directory but I can only see the username in the
variables..



Calixto Ong II

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication system

[Justin French]

Doug,

On Thursday, July 3, 2003, at 05:42  AM, Doug Essinger-Hileman wrote:

Now I need to learn how to take the incoming message and process it.
I am assuming that the processing can be done by php. Any
suggestions, either on how to do this, or where I might learn how to
do this?
The simple version of this is to say:

"
please click on this link to confirm your membership
http://domain/activate.php?id=123&confirmCode=lkj23hkjtq
"
In other words, they're activating via a URL, rather than replying to 
an email... it's a lot more portable than reading emails or pushing 
emails to command line PHP scripts.

You need the random code (which should be generated upon registration, 
and kept track of in relation to the userid) to make sure people don't 
automate the process of confirming.

Cheers,
Justin
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication system

[olinux]

there's a good example in this article

A Complete, Secure User Login System
by Tim Perdue
http://www.phpbuilder.com/columns/tim2505.php3


olinux


> On 2 Jul 2003 at 13:00, Mike Migurski wrote:
> 
> > You may find it easier to include, in the e-mail,
> a
> > uniquely-generated, limited-time URL that the
> person can visit to
> > verify that they have received the e-mail. This
> will remove the burden
> > of having to set up a system that responds to
> e-mail commands.
> 
> Thanks, Mike. I think my brain is working undertime
> at the moment. 
> Can you give me an example? (Or point me in the
> direction of one?)
> 
> Doug

__
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication system

[Doug Essinger-Hileman]

On 2 Jul 2003 at 13:00, Mike Migurski wrote:

> You may find it easier to include, in the e-mail, a
> uniquely-generated, limited-time URL that the person can visit to
> verify that they have received the e-mail. This will remove the burden
> of having to set up a system that responds to e-mail commands.

Thanks, Mike. I think my brain is working undertime at the moment. 
Can you give me an example? (Or point me in the direction of one?)

Doug


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication system

[Mike Migurski]

>At the point where they fill out the registration form, I am sending them
>an email, informing them that they have been registered. On many sites
>I've gone to, the process then includes a requirement that the person
>reply to the message.
>
>Now I need to learn how to take the incoming message and process it.  I
>am assuming that the processing can be done by php. Any suggestions,
>either on how to do this, or where I might learn how to do this?

You may find it easier to include, in the e-mail, a uniquely-generated,
limited-time URL that the person can visit to verify that they have
received the e-mail. This will remove the burden of having to set up a
system that responds to e-mail commands.

-
michal migurski- contact info and pgp key:
sf/cahttp://mike.teczno.com/contact.html


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Authentication system

[Doug Essinger-Hileman]

I am in the process of scripting a site which requires 
authentication. I've no problems with the scripts allowing folk to 
register, login, logout, change password, etc. However, this morning 
I've begun to work on providing some "security" in the form of 
preventing someone from registering as another person.

This site will be limited to those who are members of a particular 
electronic (religious) community. I want to be able to verify that 
the person registering as "George Fox", for instance, is George Fox. 
At the point where they fill out the registration form, I am sending 
them an email, informing them that they have been registered. On many 
sites I've gone to, the process then includes a requirement that the 
person reply to the message.

Now I need to learn how to take the incoming message and process it. 
I am assuming that the processing can be done by php. Any 
suggestions, either on how to do this, or where I might learn how to 
do this?

Doug


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Authentication: Addressing the user variable

[Jason End]

I'm using LDAP to authenticate my users. login.php and
any script that requires authentication start off with
the following code:
--
session_start();
if (session_is_registered("valid_user")) {
header( "Location: admin.php" );
--

The ldap binds as such:
ldap_bind($ds,
"uid=$uid,ou=people,dc=server,dc=domain,dc=dom",
$passw);

What I want is to be able to display AND use the $uid
throughout the other scripts.
How can I do this?

thanks,

Jay

__
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication

[Erik Price]

Beauford.2002 wrote:
I am looking for a simple authentication script that uses MySQL. I have
downloaded about 10 of them (most with no instructions on it's use), but
even at that they are not what I need.
The PEAR project has 7 different authentication packages, including Auth 
which I understand lets you design your own.  PEAR code tends to be 
widely used and well-tested.  Also there is a mailing list similar to 
this one dedicated to discussion of and support for PEAR projects.

http://pear.php.net/packages.php?catpid=1&catname=Authentication

When you go to the main page of my site it will ask you to login or signup.
So I want to be able to authenticate the user if he logs in (not to much of
a problem here, but I want to protect all pages (I don't want to use cookies
as not everyone has these enabled). What other options do I have? If anyone
knows a small script that can be modified, or point me in the right
direction of how to do this, it would be appreciated.
If you really want to reinvent the wheel, write an include file that is 
included onto every page of your site except your login page and the 
ones that you don't need to protect.  This include file should check for 
a flag that indicates whether or not the user is logged in.  If the user 
is not logged in, send a redirect header to the login page followed 
immediately by an exit() call.  This way none of your scripts will be 
accessible without the user being logged in.  To handle the login, the 
simple way to do it is to accept a username and password input from the 
user on the login screen and ship these to the database or wherever your 
user list is kept and test to see if they are valid.  If they are valid, 
set the flag in the user's session indicating that they are logged in 
(which is checked by the include file).  For maximum security, use SSL 
and beware the possibility of session hijacking.  If you don't want to 
use cookies, you can either embed the SID in all hyperlinks of your site 
or just recompile PHP with the --enable-trans-sid flag (unless you're on 
PHP 4.2 or greater).

Erik

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Authentication

[Beauford.2002]

Hi,

I am looking for a simple authentication script that uses MySQL. I have
downloaded about 10 of them (most with no instructions on it's use), but
even at that they are not what I need.

When you go to the main page of my site it will ask you to login or signup.
So I want to be able to authenticate the user if he logs in (not to much of
a problem here, but I want to protect all pages (I don't want to use cookies
as not everyone has these enabled). What other options do I have? If anyone
knows a small script that can be modified, or point me in the right
direction of how to do this, it would be appreciated.

Thanks



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] authentication question...

[Ernest E Vogelsinger]

At 07:02 02.03.2003, Sunfire said:
[snip]
>basic question about www-authenticate header...(least i hop its simple)
>i have the code:
>header("WWW-Authenticate: basic realm='a realm'");
>header("HTTP/1.0 402 Unauthorized");//dont understand
>//what this line does
>echo "you didnt login yet\n"; //understand it but want
>//something else like a header sent out...
>dont understand what the second line is for and was wondering if that third
>line that someone gets when you hit cancel can be turned into another
>header? or is there a way to force a header block even if output has already
>been put on the screen?
[snip] 

To understand the header lines you need to have some basic knowledge of the
HTTP protocol. Start eating tht HTTP RFC:
http://www.w3.org/Protocols/rfc2616/rfc2616

This will also enlighten yo about the fact that a header cannot be senz
after content has been pushed out.

This said you can use output buffering
(http://www.php.net/manual/en/function.ob-start.php) to avoid output being
sent before the headers:

Example:

ob_start();
echo "some stuff";

// we decide to redirect the client
ob_end_clean();  // clear the output buffer
header('Location: http://somewhere.com');

HTH,

-- 
   >O Ernest E. Vogelsinger
   (\)ICQ #13394035
^ http://www.vogelsinger.at/



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] authentication question...

[Sunfire]

hi
basic question about www-authenticate header...(least i hop its simple)
i have the code:
http://www.grisoft.com).
Version: 6.0.458 / Virus Database: 257 - Release Date: 2/24/2003


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] authentication headers....

[Sunfire]

how would you show a header message or basically force apache to show an
error page of its own like 401 if someone hits cancle on the php auth header
function?

and i have a line like:
header("WWW-Authenticate: basic realm='a realm name'");
//i know what that means look at next line...
header("HTTP/1.0 401 Unathorized");
//what does that line do since the first one is the login box
//dont know what the second one is for
//and third line:
echo "stuff to print on screen if person hits cancle...

so was wondering how would i use a header on the cancle part and what does
the header with unathorized mean






---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.458 / Virus Database: 257 - Release Date: 2/24/2003


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: [PHP] authentication problem

[Daniel Masson]

Is it the Win IIS authentication system ??? or apache .htaccess 



Daniel E Massón.
Ingeniero de desarrollo
[EMAIL PROTECTED]

Imagine S.A. 
Su Aliado Efectivo en Internet
www.imagine.com.co
(57 1)2182064 - (57 1)6163218
Bogotá - Colombia 

- Soluciones web para Internet e Intranet
- Soluciones para redes
- Licenciamiento de Software
- Asesoría y Soporte Técnico

 

-Mensaje original-
De: Oliver Witt [mailto:[EMAIL PROTECTED] 
Enviado el: viernes, 28 de febrero de 2003 10:44
Para: [EMAIL PROTECTED]
Asunto: [PHP] authentication problem

Hi again,
My problem was about authentication without the default popup, but with
a form that submits the credentials. I still didn't get it to work, so
I'd like to know if anyone has ever done anything like that. I just
can't get it to work right and I'd like to see a working script
thx,
Oliver


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] authentication problem

[Oliver Witt]

Hi again,
My problem was about authentication without the default popup, but with
a form that submits the credentials. I still didn't get it to work, so
I'd like to know if anyone has ever done anything like that. I just
can't get it to work right and I'd like to see a working script
thx,
Oliver


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] authentication

[Goetz Lohmann]

Goetz Lohmann schrieb:
> [EMAIL PROTECTED] schrieb:
> 
>>I don't think the process is an extra step at all. In fact, it's just a
>>trade off using one or the other. You can either login using php and a
>>database backend or just authenticate using .htaccess directives.
>>
> 
> 
> 
> 
>>On Mon, 3 Feb 2003, Chris Shiflett wrote:
>>
>>
>>
There is a way to supposedly do this by authenticating
a username and password through php first through such
methods as database lookups and then passing the
username and password through $PHP_AUTH_USER and
$PHP_AUTH_PW using the header() command to point to the
URL of the .htaccess protected directory but I have
never gotten it to work myself.
>>>
>>>The variables $PHP_AUTH_USER and $PHP_AUTH_PW are available
>>>to you when the user authenticates via HTTP basic
>>>authentication. Thus, the user has already had to type in
>>>the username and password into a separate window, which is
>>>what the original poster is trying to avoid.
>>>
>>>To then send the user to another URL and supply the
>>>authentication credentials in the URL itself just creates
>>>an unnecessary step.
>>>
>>>
> 
> 
> 
> In fact you could combine .htaccess AND $PHP_AUTH cause its
> all depending on apache. Apache is looking for the variables
> AUTH_USER and AUTH_PW ... not PHP ... PHP just send this via
> header() and the Apache result is copyd to PHP_AUTH.
> 
> That way you could use an PHP file to build the login page
> and an .htacces file to define the restrictions
> 
> use something like
> 
> 
>   require valid-user
> 
> 
> to restrict access to the specified files and note that the
> data of the .htpasswd must be the same as the user/password
> definitions of the database. Maybe you might use mod_auth_db
> instead of mod_auth.
> With  instead of  you only protect files
> not the way/method how to get them. With the line above
> all .html files are protected and .php files are not.
> In combination with  you could also make a
> special definition range ...
> 
> you only have to beware of the MD5 password ... use
> 
>$password=crypt($PHP_AUTH_PW,substr($PHP_AUTH_PW,0,2));
> ?>
> 
> to generate a password valid for an .htacces file


maybe take a look at

http://www.diegonet.com/support/mod_auth_mysql.shtml

;-)


-- 
 @  Goetz Lohmann, Germany   |   Web-Developer & Sys-Admin
\/  --
()  He's the fellow that people wonder what he does and
||  why the company needs him, until he goes on vacation.


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] authentication

[Goetz Lohmann]

[EMAIL PROTECTED] schrieb:
> I don't think the process is an extra step at all. In fact, it's just a
> trade off using one or the other. You can either login using php and a
> database backend or just authenticate using .htaccess directives.
> 



> On Mon, 3 Feb 2003, Chris Shiflett wrote:
> 
> 
>>>There is a way to supposedly do this by authenticating
>>>a username and password through php first through such
>>>methods as database lookups and then passing the
>>>username and password through $PHP_AUTH_USER and
>>>$PHP_AUTH_PW using the header() command to point to the
>>>URL of the .htaccess protected directory but I have
>>>never gotten it to work myself.
>>
>>The variables $PHP_AUTH_USER and $PHP_AUTH_PW are available
>>to you when the user authenticates via HTTP basic
>>authentication. Thus, the user has already had to type in
>>the username and password into a separate window, which is
>>what the original poster is trying to avoid.
>>
>>To then send the user to another URL and supply the
>>authentication credentials in the URL itself just creates
>>an unnecessary step.
>>
>>


In fact you could combine .htaccess AND $PHP_AUTH cause its
all depending on apache. Apache is looking for the variables
AUTH_USER and AUTH_PW ... not PHP ... PHP just send this via
header() and the Apache result is copyd to PHP_AUTH.

That way you could use an PHP file to build the login page
and an .htacces file to define the restrictions

use something like


  require valid-user


to restrict access to the specified files and note that the
data of the .htpasswd must be the same as the user/password
definitions of the database. Maybe you might use mod_auth_db
instead of mod_auth.
With  instead of  you only protect files
not the way/method how to get them. With the line above
all .html files are protected and .php files are not.
In combination with  you could also make a
special definition range ...

you only have to beware of the MD5 password ... use



to generate a password valid for an .htacces file



-- 
 @  Goetz Lohmann, Germany   |   Web-Developer & Sys-Admin
\/  --
()  He's the fellow that people wonder what he does and
||  why the company needs him, until he goes on vacation.


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] authentication

[ed]

I don't think the process is an extra step at all. In fact, it's just a
trade off using one or the other. You can either login using php and a
database backend or just authenticate using .htaccess directives.

In my case (a few months back) what I was trying to do was offer up a
single login page for 500 or so different companies each having their own
directory on my server. Each directory is password protected via
.htaccess. They would all login using my php interface which would in turn
check the username and password for matching. Their database record would
also contain the URL to their directory on my server. After logging in I
tried to use a header call containing the username, password and URL but
it never quite worked although you can actually do it in the address bar
of the browser with ease. Theoretically it should work like a charm but I
never got the chance to investigate any further because I was rushed off
to the next "Big Project."

Ed



On Mon, 3 Feb 2003, Chris Shiflett wrote:

> > There is a way to supposedly do this by authenticating
> > a username and password through php first through such
> > methods as database lookups and then passing the
> > username and password through $PHP_AUTH_USER and
> > $PHP_AUTH_PW using the header() command to point to the
> > URL of the .htaccess protected directory but I have
> > never gotten it to work myself.
> 
> The variables $PHP_AUTH_USER and $PHP_AUTH_PW are available
> to you when the user authenticates via HTTP basic
> authentication. Thus, the user has already had to type in
> the username and password into a separate window, which is
> what the original poster is trying to avoid.
> 
> To then send the user to another URL and supply the
> authentication credentials in the URL itself just creates
> an unnecessary step.
> 
> > There isnt any PHP pages directed towards teh directory
> > itself. Its is just a hard link to the protected areas. 
> > Are there any functions that support it?
> >
> > Im googling now ;)
> 
> I'm still having a bit of trouble interpreting your
> question, so Google might have a hard time, too. :-)
> 
> If you are protecting static resources such as images and 
> HTML files with your Web server currently, the only way to
> protect these with PHP is to store them outside of the
> document root (so that your Web server cannot serve them
> directly) and serve them with PHP (using
> header("Content-Type: whatever")) once you have determined
> whether the user should be allowed to access the particular
> resource.
> 
> Hopefully that can help refine your search.
> 
> Chris
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] authentication

[Philip Olson]

Read this:
  http://www.php.net/features.http-auth

Regards,
Philip


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] authentication

[Chris Shiflett]

> There is a way to supposedly do this by authenticating
> a username and password through php first through such
> methods as database lookups and then passing the
> username and password through $PHP_AUTH_USER and
> $PHP_AUTH_PW using the header() command to point to the
> URL of the .htaccess protected directory but I have
> never gotten it to work myself.

The variables $PHP_AUTH_USER and $PHP_AUTH_PW are available
to you when the user authenticates via HTTP basic
authentication. Thus, the user has already had to type in
the username and password into a separate window, which is
what the original poster is trying to avoid.

To then send the user to another URL and supply the
authentication credentials in the URL itself just creates
an unnecessary step.

> There isnt any PHP pages directed towards teh directory
> itself. Its is just a hard link to the protected areas. 
> Are there any functions that support it?
>
> Im googling now ;)

I'm still having a bit of trouble interpreting your
question, so Google might have a hard time, too. :-)

If you are protecting static resources such as images and 
HTML files with your Web server currently, the only way to
protect these with PHP is to store them outside of the
document root (so that your Web server cannot serve them
directly) and serve them with PHP (using
header("Content-Type: whatever")) once you have determined
whether the user should be allowed to access the particular
resource.

Hopefully that can help refine your search.

Chris

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] authentication

[ed]

I'm sorry the line should have been...

header("Location:http://$PHP_AUTH_USER:$[EMAIL PROTECTED]";);

Ed


On Mon, 3 Feb 2003 [EMAIL PROTECTED] wrote:

> 
> There is a way to supposedly do this by authenticating a username and
> password through php first through such methods as database lookups and
> then passing the username and password through $PHP_AUTH_USER and
> $PHP_AUTH_PW using the header() command to point to the URL of the
> .htaccess protected directory but I have never gotten it to work myself. 
> 
> if ($pass = $pass) {
> 
> header("Location:$PHP_AUTH_USER:$PHP_AUTH_PW@http://www.someprotectedsite.com";);
> 
> }
> 
> My command above my be wrong. I haven't tried it for a while. I know you
> can do such a thing on the Address bar of any browser and pass it that way
> though.
> 
> Ed
> 
> 
> On Mon, 3 Feb 2003, Chris Winters wrote:
> 
> > Chris,
> > 
> > Exactly. I am relying on the webserver to provide the restrictions.
> > 
> > Now my next question:
> > what functions should I utilize or come close to to do it? There isnt any
> > PHP pages directed towards teh directory itself. Its is just a hard link to
> > the protected areas. Are there any functions that support it?
> > 
> > Im googling now ;)
> > 
> > Thanks for your answers in advanced and previously.
> > Chris
> > 
> > "Chris Shiflett" <[EMAIL PROTECTED]> wrote in message
> > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > > --- Chris Winters <[EMAIL PROTECTED]> wrote:
> > > > So, if one was to protect a directory or folder, a
> > > > regular dialog will appear for username and passcode
> > > > prompt within the web browser. I was researching some
> > > > variables that I came across which is called
> > > > $PHP_AUTH_USER, $PHP_AUTH_PW, and $PHP_AUTH_TYPE.
> > >
> > > Yes, these variables deal with HTTP basic authentication.
> > >
> > > > I would like to by pass that by a user entering the
> > > > username and passcode via HTML, instead of the dialog
> > > > showing.
> > >
> > > In that case, you will want to do exactly as you say,
> > > collect the username and password via an HTML form and
> > > authenticate the credentials with PHP. It sounds like you
> > > are currently relying on your Web server to provide the
> > > access restrictions.
> > >
> > > So, you can either:
> > >
> > > 1. Keep HTTP basic authentication enabled in the Web server
> > > for these directories and live with the behavior.
> > > 2. Turn off HTTP basic authentication in the Web server and
> > > write a login page in PHP. It is then up to you to control
> > > access to whatever resources you want to protect, so this
> > > will require a bit of work on your part.
> > >
> > > Hope that helps.
> > >
> > > Chris
> > 
> > 
> > 
> > -- 
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> > 
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] authentication

[ed]

There is a way to supposedly do this by authenticating a username and
password through php first through such methods as database lookups and
then passing the username and password through $PHP_AUTH_USER and
$PHP_AUTH_PW using the header() command to point to the URL of the
.htaccess protected directory but I have never gotten it to work myself. 

if ($pass = $pass) {

header("Location:$PHP_AUTH_USER:$PHP_AUTH_PW@http://www.someprotectedsite.com";);

}

My command above my be wrong. I haven't tried it for a while. I know you
can do such a thing on the Address bar of any browser and pass it that way
though.

Ed


On Mon, 3 Feb 2003, Chris Winters wrote:

> Chris,
> 
> Exactly. I am relying on the webserver to provide the restrictions.
> 
> Now my next question:
> what functions should I utilize or come close to to do it? There isnt any
> PHP pages directed towards teh directory itself. Its is just a hard link to
> the protected areas. Are there any functions that support it?
> 
> Im googling now ;)
> 
> Thanks for your answers in advanced and previously.
> Chris
> 
> "Chris Shiflett" <[EMAIL PROTECTED]> wrote in message
> [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > --- Chris Winters <[EMAIL PROTECTED]> wrote:
> > > So, if one was to protect a directory or folder, a
> > > regular dialog will appear for username and passcode
> > > prompt within the web browser. I was researching some
> > > variables that I came across which is called
> > > $PHP_AUTH_USER, $PHP_AUTH_PW, and $PHP_AUTH_TYPE.
> >
> > Yes, these variables deal with HTTP basic authentication.
> >
> > > I would like to by pass that by a user entering the
> > > username and passcode via HTML, instead of the dialog
> > > showing.
> >
> > In that case, you will want to do exactly as you say,
> > collect the username and password via an HTML form and
> > authenticate the credentials with PHP. It sounds like you
> > are currently relying on your Web server to provide the
> > access restrictions.
> >
> > So, you can either:
> >
> > 1. Keep HTTP basic authentication enabled in the Web server
> > for these directories and live with the behavior.
> > 2. Turn off HTTP basic authentication in the Web server and
> > write a login page in PHP. It is then up to you to control
> > access to whatever resources you want to protect, so this
> > will require a bit of work on your part.
> >
> > Hope that helps.
> >
> > Chris
> 
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] authentication

[Chris Winters]

Chris,

Exactly. I am relying on the webserver to provide the restrictions.

Now my next question:
what functions should I utilize or come close to to do it? There isnt any
PHP pages directed towards teh directory itself. Its is just a hard link to
the protected areas. Are there any functions that support it?

Im googling now ;)

Thanks for your answers in advanced and previously.
Chris

"Chris Shiflett" <[EMAIL PROTECTED]> wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> --- Chris Winters <[EMAIL PROTECTED]> wrote:
> > So, if one was to protect a directory or folder, a
> > regular dialog will appear for username and passcode
> > prompt within the web browser. I was researching some
> > variables that I came across which is called
> > $PHP_AUTH_USER, $PHP_AUTH_PW, and $PHP_AUTH_TYPE.
>
> Yes, these variables deal with HTTP basic authentication.
>
> > I would like to by pass that by a user entering the
> > username and passcode via HTML, instead of the dialog
> > showing.
>
> In that case, you will want to do exactly as you say,
> collect the username and password via an HTML form and
> authenticate the credentials with PHP. It sounds like you
> are currently relying on your Web server to provide the
> access restrictions.
>
> So, you can either:
>
> 1. Keep HTTP basic authentication enabled in the Web server
> for these directories and live with the behavior.
> 2. Turn off HTTP basic authentication in the Web server and
> write a login page in PHP. It is then up to you to control
> access to whatever resources you want to protect, so this
> will require a bit of work on your part.
>
> Hope that helps.
>
> Chris



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] authentication

[Chris Shiflett]

--- Chris Winters <[EMAIL PROTECTED]> wrote:
> So, if one was to protect a directory or folder, a
> regular dialog will appear for username and passcode
> prompt within the web browser. I was researching some
> variables that I came across which is called
> $PHP_AUTH_USER, $PHP_AUTH_PW, and $PHP_AUTH_TYPE.

Yes, these variables deal with HTTP basic authentication.

> I would like to by pass that by a user entering the
> username and passcode via HTML, instead of the dialog
> showing.

In that case, you will want to do exactly as you say,
collect the username and password via an HTML form and
authenticate the credentials with PHP. It sounds like you
are currently relying on your Web server to provide the
access restrictions.

So, you can either:

1. Keep HTTP basic authentication enabled in the Web server
for these directories and live with the behavior.
2. Turn off HTTP basic authentication in the Web server and
write a login page in PHP. It is then up to you to control
access to whatever resources you want to protect, so this
will require a bit of work on your part.

Hope that helps.

Chris

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] authentication

[Chris Winters]

Sorry about that.

What I meant was for example, sometimes I come across protected sites that
require a username and passcode. So, if one was to protect a directory or
folder, a regular dialog will appear for username and passcode prompt within
the web browser. I was researching some variables that I came across which
is called $PHP_AUTH_USER, $PHP_AUTH_PW, and $PHP_AUTH_TYPE.

At my location, on the network, when I reached a protected folder, I always
have to enter the username and passcode within the browser (because its
actually acessing an actual directory to list out). However, I would like to
by pass that by a user entering the username and passcode via HTML, instead
of the dialog showing.

I hope that helps a little.

Thanks



"Chris Shiflett" <[EMAIL PROTECTED]> wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> --- Chris Winters <[EMAIL PROTECTED]> wrote:
> > If you by chance come across a secure area that prompts
> > the username and passcode to a folder
>
> Can you rephrase that? I can't tell what you are talking
> about. Does a separate window pop up prompting for a
> username and password, or is this part of the Web page in
> your browser?
>
> Chris



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Fw: [PHP] authentication

[Kevin Stone]

The question is too broad to answer in one post.  Suffice to say Yes you can
do all of this if you have the know-how.  Recommend you continue your
research with some basics on PHP.net and a good tutorial-style book such as
"PHP and MySQL Web Development".   There is tons of information online as
well.  The search query "php password protect" on Google Groups yeilded 3400
results alone.

Good luck,
-Kevin

- Original Message -
From: "Chris Winters" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 03, 2003 10:31 AM
Subject: [PHP] authentication


> I have a question that maybe someone could answer.
>
> If you by chance come across a secure area that prompts the username and
> passcode to a folder, how I can PHP to automagically add them in later on?
>
> Also, instead of that dialogue popping up, is there a way you can "add"
your
> own via HTML form and then subit those values to the dialogue or calling
> proc?
>
> Just a few questions as I am even researching this now.
>
> Thanks in advanced!
>
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] authentication

[Chris Shiflett]

--- Chris Winters <[EMAIL PROTECTED]> wrote:
> If you by chance come across a secure area that prompts
> the username and passcode to a folder

Can you rephrase that? I can't tell what you are talking
about. Does a separate window pop up prompting for a
username and password, or is this part of the Web page in
your browser?

Chris

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] authentication

[Chris Winters]

I have a question that maybe someone could answer.

If you by chance come across a secure area that prompts the username and
passcode to a folder, how I can PHP to automagically add them in later on?

Also, instead of that dialogue popping up, is there a way you can "add" your
own via HTML form and then subit those values to the dialogue or calling
proc?

Just a few questions as I am even researching this now.

Thanks in advanced!




-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication programming

[Jordan Elver]

Hi Justin,

Thanks for that link, looks pretty interesting. I'll take a closer read later.

Cheers,
Jord
-- 
Jordan Elver
Eagles may soar high, but weasels don't get sucked into jet engines. -- David 
Brent (The Office)


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication programming

[Justin French]

on 15/01/03 7:07 AM, Jordan Elver ([EMAIL PROTECTED]) wrote:

> Hi,
> I'm about to start a new project which will require a login system. The system
> should allow for different types of access on a per page basis. I'm going to
> achieve the login system using sessions, which I have done before.
> 
> My problem is that I don't want to have to do much login checking on the
> actual pages within the system. I would like it to be included and handled
> oustide of the main application.

yes

>  /* authenticate */
> $page_permission = 'admin';
> include('includes/login.inc');
> 
> /* other page functionality */
> 
> ?>

yes same thing I do


> So, you set the permission for the individual page. I would also like to do
> this as a class, which I am not experienced in. I haven't found any very
> elegent solutions to this. Could anyone point out some urls or anything to
> show me in the right direction?

it's not *exactly* what you want at all, but if you've got a brain, you can
adapat the concept to what you want with ease (I have)... there is an
article on sitepoint.com / webmasterbase.com by kevin yank.

http://www.WebmasterBase.com/article/319

basically, he ends up with a script called 'restricted.php' which he
includes at the top of any page which he wants to restrict to logged in
users only...

it works fine, but needs updating to account for $_POST/GET/SESSION etc, but
should give you the principals to adapt or write your own.


Cheers,

Justin


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication programming

[Stephen]

Devarticles has a series of Authentication tutorails and the  a tutorial on
OOP itself. Here are the links:

http://www.devarticles.com/art/1/349

-- Member Script Tutorial: --
-- There are 6 parts --

http://www.devarticles.com/art/1/241
http://www.devarticles.com/art/1/245
http://www.devarticles.com/art/1/262
http://www.devarticles.com/art/1/285
http://www.devarticles.com/art/1/323

Part six isn't up yet so check back to the same site later...


- Original Message -
From: "Jordan Elver" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, January 14, 2003 3:07 PM
Subject: [PHP] Authentication programming


: Hi,
: I'm about to start a new project which will require a login system. The
system
: should allow for different types of access on a per page basis. I'm going
to
: achieve the login system using sessions, which I have done before.
:
: My problem is that I don't want to have to do much login checking on the
: actual pages within the system. I would like it to be included and handled
: oustide of the main application.
:
: 
:
: So, you set the permission for the individual page. I would also like to
do
: this as a class, which I am not experienced in. I haven't found any very
: elegent solutions to this. Could anyone point out some urls or anything to
: show me in the right direction?
:
: Cheers,
: Jord
: --
: Jordan Elver
: There's no 'I' in 'team'. But then there's no 'I' in 'useless smug
colleague',
: either. And there's four in 'platitude-quoting idiot'. Go figure. -- David
: Brent (The Office)
:
:
: --
: PHP General Mailing List (http://www.php.net/)
: To unsubscribe, visit: http://www.php.net/unsub.php
:
:
:



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Authentication programming

[Jordan Elver]

Hi,
I'm about to start a new project which will require a login system. The system 
should allow for different types of access on a per page basis. I'm going to 
achieve the login system using sessions, which I have done before.

My problem is that I don't want to have to do much login checking on the 
actual pages within the system. I would like it to be included and handled 
oustide of the main application.



So, you set the permission for the individual page. I would also like to do 
this as a class, which I am not experienced in. I haven't found any very 
elegent solutions to this. Could anyone point out some urls or anything to 
show me in the right direction?

Cheers,
Jord
-- 
Jordan Elver
There's no 'I' in 'team'. But then there's no 'I' in 'useless smug colleague', 
either. And there's four in 'platitude-quoting idiot'. Go figure. -- David 
Brent (The Office)


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Authentication with PHP and HTTP

[Phillip Erskine]

I have a site that uses PHP/MySQL authentication for one section and 
Apache/HTTP authentication for another.  Eventually I would like to use only 
PHP and MySQL for authenticating users, but in the meantime, I have to use 
both.

First, users will log in to the main section of the site and I will use PHP 
session variables to maintain state for that section.  What I would like to 
be able to do is allow users to click a link that would redirect them to the 
other section of the site and automatically log them in.

The section of the site that users will be redirected to uses .htaccess and 
.htpassword files to enforce HTTP authentication.

Is this possible?  If so, how?


=
http://www.pverskine.com/




_
Protect your PC - get McAfee.com VirusScan Online 
http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication: HTTP or homegrown?

[Chris Shiflett]

Jackson,

It really depends on what you are wanting to protect, but in most cases, 
it is better to use a "homegrown" solution.

If you are interested in why I say this, read on ...

HTTP authentication has two breeds, basic and digest. With basic, the 
*authentication* credentials (e.g., name and password) are passed in 
clear text for every single request to a protected resource (so, 
probably for every request for a page in your application). So, even if 
you do not use SSL, using your own authentication and then switching to 
PHP sessions only exposes the user's authentication credentials once. 
There are other disadvantages as well, such as depending on the client's 
browser for things like timeout, removing the control from yourself.

Digest authentication addresses the major concern of exposed 
authentication credentials as well as many other minor ones, but support 
for it is inconsistent, and only newer browsers are going to have good 
support. So, while it is definitely a better alternative to basic 
authentication, it is not a good option for most people.

Using your own does not require much work if you don't want it to. Even 
a simple username and password collection combined with the "out of the 
box" PHP sessions solution is probably more suitable in most cases than 
HTTP's native authentication.

Now, arguments for HTTP authentication would weigh heavier for static 
resources such as images and HTML files that you want to protect without 
relying on server-side code (for example, in cases where there is no 
support for PHP, mod_perl, etc.).

That's my opinion anyway ...

Chris

Jackson Miller wrote:

>I am curious what method of authentication is preferred by people on
>this list.  Are you using PHP scripts for authentication and limiting
>access, or are you using HTTP header info.  Maybe it is best to use
>both.
>


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Authentication: HTTP or homegrown?

[Jackson Miller]

I am curious what method of authentication is preferred by people on
this list.  Are you using PHP scripts for authentication and limiting
access, or are you using HTTP header info.  Maybe it is best to use
both.

For my sites I usually store user info in a database and use php and
sessions to authenticate users, but this doesn't work well with some
server log analyzing software like webalizer (though I insert my own
logs in a database to track user info too).

Is there any reason I should switch to HTTP authentication or some
hybrid system?

By HTTP authentication I am referring to using the PHP_AUTH_USER,
PHP_AUTH_PW, and PHP_AUTH_TYPE variables.
(http://www.php.net/manual/en/features.http-auth.php)

Thanks,

-Jackson


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Authentication on NT??

[Per Lundkvist]

Hi
I have installed PHP on a Windows NT Server 4.0 and it works (almost) fine!
The thing is that I get the "Enter network password" - prompt when I first
go to a PHP-file. Not if I go to an ASP file.

So if I just hit enter in the prompt, I get in to the PHP-page and can
continue surfing.
I guess it has something with Anonymous user to do, but I dont know what?!

Per L.



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Authentication session problem (php/server implementation?)

[Jacob Dorman]

I have a user authentication system using sessions
it checks username and password against a database.
if correct it sets a variable in the session cookie (via $_SESSION) and
redirects to the protected page which checks for that variable.
if the user/pass is wrong it redirects to an error page.
if it gets to the protected page and the variable isnt set it redirects back
to the login page.

it works when uploaded to a server Linux, Apache/1.3.24, PHP 4.1.2.
register_globals=on

but on my local server Windows NT, Apache/2.0.39, PHP 4.2.1 using a patched
Apache 2.0 Filter, register_globals=on. It seems to redirect back to the
login page.

thanks




-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication

[Justin French]

Have a look at Kevin Yank's article on sitepoint.com called something like
"restricting page access with php and mysql".

It formed the basis of my user and session management.

Basically, you should be re-checking your username and password on every
page, so it shouldn't be too hard to extend this to check for which course
numbers they've paid for.  You'll also need to extend it so that some pages
are not restricted (eg home), but still maintain/carry the session.

I guess what I'm saying is to keep as much data as possible in the database,
rather than in sessions, because sessions, cookies etc etc can all be
spoofed or hijacked.

So at the top of each page, you're checking:

- if the username and password match the database
- if the course # requested has been paid for

If yes, then show page, else tell 'em to go away :)


That's what I'd be doing... otherwise, you've asked how to assign a variable
to a session, pretty much.

$_SESSION['coursepaidfor'] = "45";


Which should be pretty easy to compare.



Justin French



on 08/07/02 7:20 PM, Anthony Rodriguez ([EMAIL PROTECTED]) wrote:

> Dear Richard,
> 
> Again thank you for your reply. I'm sorry to keep bothering you. Please
> tell me when to stop.
> 
> Let me explain what I'm trying to do and maybe you'll point me in the right
> direction.
> 
> I'm developing a "paid" Web site for business courses. Some pages will be
> available to all visitors (e.g. the Home page). Other pages will be
> available to "paid" visitors. The usernames, passwords, and courses paid
> for will be stored in a MySQL table. One of the pages will be a form to ask
> a user for his/her username, password, and course paid for. The form will
> be sent to a PHP script that validates the responses. I' know how to do
> this. In that PHP script I'd like to create a "session variable" (i.e.: the
> course #) that would be used to validate each page of the course.
> 
> At the top of each course page (PHP script) there would be an if statement
> (if course # equals "session variable" display page, else go elsewhere).
> 
> Can you help?
> 
> Thank you!
> 
> Tony
> 
> 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Authentication

[Anthony Rodriguez]

Dear Richard,

Again thank you for your reply. I'm sorry to keep bothering you. Please 
tell me when to stop.

Let me explain what I'm trying to do and maybe you'll point me in the right 
direction.

I'm developing a "paid" Web site for business courses. Some pages will be 
available to all visitors (e.g. the Home page). Other pages will be 
available to "paid" visitors. The usernames, passwords, and courses paid 
for will be stored in a MySQL table. One of the pages will be a form to ask 
a user for his/her username, password, and course paid for. The form will 
be sent to a PHP script that validates the responses. I' know how to do 
this. In that PHP script I'd like to create a "session variable" (i.e.: the 
course #) that would be used to validate each page of the course.

At the top of each course page (PHP script) there would be an if statement 
(if course # equals "session variable" display page, else go elsewhere).

Can you help?

Thank you!

Tony



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Authentication

[Alberto Serra]

Miguel Cruz wrote:
> 
> I'd suggest ignoring IP altogether and focusing on other tactics. There 
> are just too many pitfalls in trusting IPs and too much user annoyance 
> possible from not trusting them.

Well, the way I made it admins get emailed each every time a user gets 
refused
because of a bad IP, and they can decide to apply a control policy from 
0 to 4
octets check. It seems fair to me: admins will be annoyed by emails just as
much as users will be annoyed by their security policy. This should lead to
some balance, in the long run :)

Chances are most commercial sites will set the check IP rule to 0 but in 
case someone wants a strict check he can configure the system to do so. 
I guess this will fit everybody. And of course we do have all the other 
stuff, so even without IP checks the systems remain pretty secure.

Thanks for helping
Alberto
Kiev


-- 


@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@

LoRd, CaN yOu HeAr Me, LiKe I'm HeArInG yOu?
lOrD i'M sHiNiNg...
YoU kNoW I AlMoSt LoSt My MiNd, BuT nOw I'm HoMe AnD fReE
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is...


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php