Re: [PHP] Basic Auth
On 27 Aug 2013, at 18:45, Jim Giner wrote:

> From your latest missive I gleaned that I needed to have a script on my server

One last time: YOU DON'T NEED TO CHANGE ANYTHING ON THE SERVER-SIDE!

Ok, I see that you've decided to use another method, which is great; HTTP auth is a pretty antiquated way to handle authentication these days. Whatever you're using, I wish you all the best with it.

-Stuart

--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
Re: [PHP] Basic Auth
Stuart,

Just wanted to follow up with my thanks for your excellent help in providing understanding of how to generate the 401 error page and getting me thru the process of performing a sign-out from basic auth. Without your patience it never would have happened.

Also wanted to tell you that I've scrapped it all. Keeping the code for a rainy day of course, but giving up on using it (as well as the basic auth signon process) to use my own 'roll-your-own' code. Since IE insisted on presenting multiple credentials during the signon process it was a futile effort to be doing a signoff. And yes - I've taken the proper precautions to hash the incoming password value before submission and storing in my db that way.

Thanks again. It's help like this that makes this group such a great resource.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Basic Auth
On 8/27/2013 12:53 PM, Stuart Dallas wrote:
> On 27 Aug 2013, at 17:28, Jim Giner wrote:
>> On 8/27/2013 11:56 AM, Stuart Dallas wrote:
>>> Oops, sent this message from the wrong email address, so the list rejected it.
>>>
>>> Begin forwarded message:
>>>
>>>> From: Stuart Dallas
>>>> Subject: Re: [PHP] Basic Auth
>>>> Date: 27 August 2013 16:36:27 BST
>>>> To: jim.gi...@albanyhandball.com
>>>> Cc: php-general@lists.php.net
>>>>
>>>> On 27 Aug 2013, at 15:59, Jim Giner wrote:
>>>>> On 8/27/2013 10:55 AM, Stuart Dallas wrote:
>>>>>> On 27 Aug 2013, at 15:51, Jim Giner wrote:
>>>>>>> On 8/27/2013 10:39 AM, Stuart Dallas wrote:
>>>>>>>> On 27 Aug 2013, at 15:18, Jim Giner wrote:
>>>>>>>>> On 8/27/2013 10:14 AM, Stuart Dallas wrote:
>>>>>>>>>> It's not really confusing so long as you understand how PHP works. Each request is brand new - nothing is retained from previous requests. The two variables you're changing are set by PHP when the request comes in from the browser. The fact you changed them in a previous request is irrelevant because 1) that change was not communicated to the browser in any way, and 2) PHP doesn't retain any data between requests [1].
>>>>>>>>>>
>>>>>>>>>> If you've been coding assuming that changes you make to global variables are retained between requests you must have been having some pretty frustrating times!
>>>>>>>>>>
>>>>>>>>>> -Stuart
>>>>>>>>>
>>>>>>>>> Not really - this is the first time I've had something not work as expected.
>>>>>>>>
>>>>>>>> That was said with my tongue very much firmly in my cheek, and so is this:
>>>>>>>>
>>>>>>>> I've been playing with dynamite since I was 4 - hey, it must be a safe, proper thing to do!
>>>>>>>>
>>>>>>>> Just because nothing has blown up in your face yet doesn't mean it won't, and I'm concerned that you might not actually see how important it is to make sure you're using the tool correctly.
>>>>>>>>
>>>>>>>> -Stuart
>>>>>>>
>>>>>>> This may very well be the first time with this problem because I haven't tried anything like this before.
>>>>>>>
>>>>>>> That said - can you give me some pointers on how to do the JS solution? I'm calling a script that is similar to the one I used to signon. It sends out something like:
>>>>>>>
>>>>>>>     header("WWW-Authenticate: Basic realm=$realm");
>>>>>>>     header('HTTP/1.0 401 Unauthorized');
>>>>>>>     echo "You have entered invalid credentials";
>>>>>>>     echo "Click here to return to the menu.";
>>>>>>>     exit();
>>>>>>>
>>>>>>> when it doesn't detect the PHP_AUTH_USER or it is an invalid value.
>>>>>>>
>>>>>>> So - to effect a signoff, what does one do? You said to use an invalid value, but what do I do with that? How do I ignore the 401? Now I'm getting the signin dialog and I'm stuck.
>>>>>>
>>>>>> You don't need to do anything on the server-side. You simply need a JS function that sends a request to a URL that requires basic auth, with an Authenticate header that contains an invalid username and password. Then, when your server responds with a 401 Authentication required (which it should already do for an invalid request) you can set location.href to whatever URL you want the logged out user to see.
>>>>>>
>>>>>> If you don't know how to make a request from Javascript -- commonly known as an AJAX request -- then google for it. I'd recommend the jquery library if you want a very easy way to do it.
>>>>>>
>>>>>> -Stuart
>>>>>
>>>>> I am familiar with an ajax request (xmlhttprequest) and I have a function ready to call a script to effect this signoff. I just don't know what to put in that php script I'm calling. From what you just wrote I'm guessing that my headers as shown previously may be close - I'm confused about your mention of "contains an invalid username...". As you can see from my sample I don't include such a thing.
>>>>
>>>> For the last time: YOU DO NOT NEED TO MAKE ANY CHANGES SERVER-SIDE.
>>>>
>>>> From the Javascript, request any URL that requires authentication - it doesn't matter. When you make the AJAX request, pass an Authentication header that contains an invalid username and password. If you don't know what I mean by that, please google how HTTP Basic Auth works.
>>>>
>>>> -Stuart
>>
>> It's not the basic auth that I'm having the issue with - it's the 'header' thing and understanding what a 401 is doing and how I'm to ignore it. Never had to play with these things before and this part is all new. Let's face it - I'm an applications guy, not a systems guy. All this talk of headers and such is greek to me.
>
> HTTP headers are as important for application guys as they are for systems guys. I appreciate that this may be new to you, but it's pretty basic knowledge about how HTTP works. Basic auth is simple, and you need to understand how it works to understand what I've been trying to say.
>
> Here's how HTTP auth works:
>
> 1) Browser hits page.
>
> 2) The PHP script knows this page requires HTTP Auth, checks the PHP_AUTH_[USER|PW] variables but doesn't find anything, so it responds with an HTTP status of 401 Unauthorised.
>
> 3) The browser gets the 401 response and displa
Re: [PHP] Basic Auth
On 27 Aug 2013, at 17:28, Jim Giner wrote:

> On 8/27/2013 11:56 AM, Stuart Dallas wrote:
>> Oops, sent this message from the wrong email address, so the list rejected it.
>>
>> Begin forwarded message:
>>
>>> From: Stuart Dallas
>>> Subject: Re: [PHP] Basic Auth
>>> Date: 27 August 2013 16:36:27 BST
>>> To: jim.gi...@albanyhandball.com
>>> Cc: php-general@lists.php.net
>>>
>>> On 27 Aug 2013, at 15:59, Jim Giner wrote:
>>>
>>>> On 8/27/2013 10:55 AM, Stuart Dallas wrote:
>>>>> On 27 Aug 2013, at 15:51, Jim Giner wrote:
>>>>>
>>>>>> On 8/27/2013 10:39 AM, Stuart Dallas wrote:
>>>>>>> On 27 Aug 2013, at 15:18, Jim Giner wrote:
>>>>>>>
>>>>>>>> On 8/27/2013 10:14 AM, Stuart Dallas wrote:
>>>>>>>>> It's not really confusing so long as you understand how PHP works. Each request is brand new - nothing is retained from previous requests. The two variables you're changing are set by PHP when the request comes in from the browser. The fact you changed them in a previous request is irrelevant because 1) that change was not communicated to the browser in any way, and 2) PHP doesn't retain any data between requests [1].
>>>>>>>>>
>>>>>>>>> If you've been coding assuming that changes you make to global variables are retained between requests you must have been having some pretty frustrating times!
>>>>>>>>>
>>>>>>>>> -Stuart
>>>>>>>>>
>>>>>>>> Not really - this is the first time I've had something not work as expected.
>>>>>>> That was said with my tongue very much firmly in my cheek, and so is this:
>>>>>>>
>>>>>>> I've been playing with dynamite since I was 4 - hey, it must be a safe, proper thing to do!
>>>>>>>
>>>>>>> Just because nothing has blown up in your face yet doesn't mean it won't, and I'm concerned that you might not actually see how important it is to make sure you're using the tool correctly.
>>>>>>>
>>>>>>> -Stuart
>>>>>>>
>>>>>> This may very well be the first time with this problem because I haven't tried anything like this before.
>>>>>>
>>>>>> That said - can you give me some pointers on how to do the JS solution? I'm calling a script that is similar to the one I used to signon. It sends out something like:
>>>>>>
>>>>>>     header("WWW-Authenticate: Basic realm=$realm");
>>>>>>     header('HTTP/1.0 401 Unauthorized');
>>>>>>     echo "You have entered invalid credentials";
>>>>>>     echo "Click here to return to the menu.";
>>>>>>     exit();
>>>>>>
>>>>>> when it doesn't detect the PHP_AUTH_USER or it is an invalid value.
>>>>>>
>>>>>> So - to effect a signoff, what does one do? You said to use an invalid value, but what do I do with that? How do I ignore the 401? Now I'm getting the signin dialog and I'm stuck.
>>>>> You don't need to do anything on the server-side. You simply need a JS function that sends a request to a URL that requires basic auth, with an Authenticate header that contains an invalid username and password. Then, when your server responds with a 401 Authentication required (which it should already do for an invalid request) you can set location.href to whatever URL you want the logged out user to see.
>>>>>
>>>>> If you don't know how to make a request from Javascript -- commonly known as an AJAX
Re: [PHP] Basic Auth
On 8/27/2013 10:55 AM, Stuart Dallas wrote:
> On 27 Aug 2013, at 15:51, Jim Giner wrote:
>> On 8/27/2013 10:39 AM, Stuart Dallas wrote:
>>> On 27 Aug 2013, at 15:18, Jim Giner wrote:
>>>> On 8/27/2013 10:14 AM, Stuart Dallas wrote:
>>>>> It's not really confusing so long as you understand how PHP works. Each request is brand new - nothing is retained from previous requests. The two variables you're changing are set by PHP when the request comes in from the browser. The fact you changed them in a previous request is irrelevant because 1) that change was not communicated to the browser in any way, and 2) PHP doesn't retain any data between requests [1].
>>>>>
>>>>> If you've been coding assuming that changes you make to global variables are retained between requests you must have been having some pretty frustrating times!
>>>>>
>>>>> -Stuart
>>>>
>>>> Not really - this is the first time I've had something not work as expected.
>>>
>>> That was said with my tongue very much firmly in my cheek, and so is this:
>>>
>>> I've been playing with dynamite since I was 4 - hey, it must be a safe, proper thing to do!
>>>
>>> Just because nothing has blown up in your face yet doesn't mean it won't, and I'm concerned that you might not actually see how important it is to make sure you're using the tool correctly.
>>>
>>> -Stuart
>>
>> This may very well be the first time with this problem because I haven't tried anything like this before.
>>
>> That said - can you give me some pointers on how to do the JS solution? I'm calling a script that is similar to the one I used to signon. It sends out something like:
>>
>>     header("WWW-Authenticate: Basic realm=$realm");
>>     header('HTTP/1.0 401 Unauthorized');
>>     echo "You have entered invalid credentials";
>>     echo "Click here to return to the menu.";
>>     exit();
>>
>> when it doesn't detect the PHP_AUTH_USER or it is an invalid value.
>>
>> So - to effect a signoff, what does one do? You said to use an invalid value, but what do I do with that? How do I ignore the 401? Now I'm getting the signin dialog and I'm stuck.
>
> You don't need to do anything on the server-side. You simply need a JS function that sends a request to a URL that requires basic auth, with an Authenticate header that contains an invalid username and password. Then, when your server responds with a 401 Authentication required (which it should already do for an invalid request) you can set location.href to whatever URL you want the logged out user to see.
>
> If you don't know how to make a request from Javascript -- commonly known as an AJAX request -- then google for it. I'd recommend the jquery library if you want a very easy way to do it.
>
> -Stuart

I am familiar with an ajax request (xmlhttprequest) and I have a function ready to call a script to effect this signoff. I just don't know what to put in that php script I'm calling. From what you just wrote I'm guessing that my headers as shown previously may be close - I'm confused about your mention of "contains an invalid username...". As you can see from my sample I don't include such a thing.
Re: [PHP] Basic Auth
On 27 Aug 2013, at 15:51, Jim Giner wrote:

> On 8/27/2013 10:39 AM, Stuart Dallas wrote:
>> On 27 Aug 2013, at 15:18, Jim Giner wrote:
>>
>>> On 8/27/2013 10:14 AM, Stuart Dallas wrote:
>>>> It's not really confusing so long as you understand how PHP works. Each request is brand new - nothing is retained from previous requests. The two variables you're changing are set by PHP when the request comes in from the browser. The fact you changed them in a previous request is irrelevant because 1) that change was not communicated to the browser in any way, and 2) PHP doesn't retain any data between requests [1].
>>>>
>>>> If you've been coding assuming that changes you make to global variables are retained between requests you must have been having some pretty frustrating times!
>>>>
>>>> -Stuart
>>>>
>>> Not really - this is the first time I've had something not work as expected.
>> That was said with my tongue very much firmly in my cheek, and so is this:
>>
>> I've been playing with dynamite since I was 4 - hey, it must be a safe, proper thing to do!
>>
>> Just because nothing has blown up in your face yet doesn't mean it won't, and I'm concerned that you might not actually see how important it is to make sure you're using the tool correctly.
>>
>> -Stuart
>>
> This may very well be the first time with this problem because I haven't tried anything like this before.
>
> That said - can you give me some pointers on how to do the JS solution? I'm calling a script that is similar to the one I used to signon. It sends out something like:
>
>     header("WWW-Authenticate: Basic realm=$realm");
>     header('HTTP/1.0 401 Unauthorized');
>     echo "You have entered invalid credentials";
>     echo "Click here to return to the menu.";
>     exit();
>
> when it doesn't detect the PHP_AUTH_USER or it is an invalid value.
>
> So - to effect a signoff, what does one do? You said to use an invalid value, but what do I do with that? How do I ignore the 401? Now I'm getting the signin dialog and I'm stuck.

You don't need to do anything on the server-side. You simply need a JS function that sends a request to a URL that requires basic auth, with an Authenticate header that contains an invalid username and password. Then, when your server responds with a 401 Authentication required (which it should already do for an invalid request) you can set location.href to whatever URL you want the logged out user to see.

If you don't know how to make a request from Javascript -- commonly known as an AJAX request -- then google for it. I'd recommend the jquery library if you want a very easy way to do it.

-Stuart

--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
Re: [PHP] Basic Auth
On 8/27/2013 10:39 AM, Stuart Dallas wrote:
> On 27 Aug 2013, at 15:18, Jim Giner wrote:
>> On 8/27/2013 10:14 AM, Stuart Dallas wrote:
>>> It's not really confusing so long as you understand how PHP works. Each request is brand new - nothing is retained from previous requests. The two variables you're changing are set by PHP when the request comes in from the browser. The fact you changed them in a previous request is irrelevant because 1) that change was not communicated to the browser in any way, and 2) PHP doesn't retain any data between requests [1].
>>>
>>> If you've been coding assuming that changes you make to global variables are retained between requests you must have been having some pretty frustrating times!
>>>
>>> -Stuart
>>
>> Not really - this is the first time I've had something not work as expected.
>
> That was said with my tongue very much firmly in my cheek, and so is this:
>
> I've been playing with dynamite since I was 4 - hey, it must be a safe, proper thing to do!
>
> Just because nothing has blown up in your face yet doesn't mean it won't, and I'm concerned that you might not actually see how important it is to make sure you're using the tool correctly.
>
> -Stuart

This may very well be the first time with this problem because I haven't tried anything like this before.

That said - can you give me some pointers on how to do the JS solution? I'm calling a script that is similar to the one I used to signon. It sends out something like:

    header("WWW-Authenticate: Basic realm=$realm");
    header('HTTP/1.0 401 Unauthorized');
    echo "You have entered invalid credentials";
    echo "Click here to return to the menu.";
    exit();

when it doesn't detect the PHP_AUTH_USER or it is an invalid value.

So - to effect a signoff, what does one do? You said to use an invalid value, but what do I do with that? How do I ignore the 401? Now I'm getting the signin dialog and I'm stuck.
Re: [PHP] Basic Auth
On 27 Aug 2013, at 15:18, Jim Giner wrote:

> On 8/27/2013 10:14 AM, Stuart Dallas wrote:
>> It's not really confusing so long as you understand how PHP works. Each request is brand new - nothing is retained from previous requests. The two variables you're changing are set by PHP when the request comes in from the browser. The fact you changed them in a previous request is irrelevant because 1) that change was not communicated to the browser in any way, and 2) PHP doesn't retain any data between requests [1].
>>
>> If you've been coding assuming that changes you make to global variables are retained between requests you must have been having some pretty frustrating times!
>>
>> -Stuart
>>
>
> Not really - this is the first time I've had something not work as expected.

That was said with my tongue very much firmly in my cheek, and so is this:

I've been playing with dynamite since I was 4 - hey, it must be a safe, proper thing to do!

Just because nothing has blown up in your face yet doesn't mean it won't, and I'm concerned that you might not actually see how important it is to make sure you're using the tool correctly.

-Stuart

--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
Re: [PHP] Basic Auth
On 8/27/2013 10:14 AM, Stuart Dallas wrote:
> It's not really confusing so long as you understand how PHP works. Each request is brand new - nothing is retained from previous requests. The two variables you're changing are set by PHP when the request comes in from the browser. The fact you changed them in a previous request is irrelevant because 1) that change was not communicated to the browser in any way, and 2) PHP doesn't retain any data between requests [1].
>
> If you've been coding assuming that changes you make to global variables are retained between requests you must have been having some pretty frustrating times!
>
> -Stuart

Not really - this is the first time I've had something not work as expected.
Re: [PHP] Basic Auth
On 27 Aug 2013, at 15:06, Jim Giner wrote:

> On 8/27/2013 9:46 AM, Stuart Dallas wrote:
>> On 27 Aug 2013, at 14:37, Jim Giner wrote:
>>
>>> I'm using basic auth for a few of my pages that I want to limit access to - nothing of a sensitive nature, but simply want to limit access to. Want to implement a signoff process, but can't figure it out.
>>>
>>> From the comments in the manual I take it one can't do this by simply unsetting the PHP_AUTH_USER and _PW vars. Can someone explain to me why this doesn't suffice? The signon process expects them to be there, so when they are not (after the 'unset'), how come my signon process still detects them and their values?
>>
>> The global variables you're referring to are just that, global variables; changing them will have no effect on the browser. Basic Auth was not designed to allow users to log out, but you can make it happen with some Javascript.
>>
>> Have your log out link call a Javascript function which sends an XMLHttpRequest with an invalid username and password. The server will return a 401 which you ignore and then take the user to whatever URL you want them to see after they log off. Not pretty, but it works.
>>
>> -Stuart
>>
> Thanks for the timely response!
>
> Before I try your suggestion - one question. Since when is a global variable not changeable? Doesn't the fact that it reflects a modified value when I do change it tell me it worked? I change the value to 'xxx' and show it having that value, but when the script is called again the old value appears. Very confusing!

I didn't say you couldn't change it, I said doing so will have no effect on the browser.

It's not really confusing so long as you understand how PHP works. Each request is brand new - nothing is retained from previous requests. The two variables you're changing are set by PHP when the request comes in from the browser. The fact you changed them in a previous request is irrelevant because 1) that change was not communicated to the browser in any way, and 2) PHP doesn't retain any data between requests [1].

If you've been coding assuming that changes you make to global variables are retained between requests you must have been having some pretty frustrating times!

-Stuart

[1] The one exception to this is $_SESSION, but it's important to know how that works. The $_SESSION array is populated when you call session_start(). It's loaded from some form of storage (files by default) and unserialised in to $_SESSION. When the session is closed, either implicitly by the request ending or by a call to one of the methods that explicitly do it, the contents are serialised to the storage system. Once closed, any changes to $_SESSION will not be stored; it becomes just another superglobal (not that it was ever anything else).

--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
Re: [PHP] Basic Auth
On 8/27/2013 9:46 AM, Stuart Dallas wrote:
> On 27 Aug 2013, at 14:37, Jim Giner wrote:
>> I'm using basic auth for a few of my pages that I want to limit access to - nothing of a sensitive nature, but simply want to limit access to. Want to implement a signoff process, but can't figure it out.
>>
>> From the comments in the manual I take it one can't do this by simply unsetting the PHP_AUTH_USER and _PW vars. Can someone explain to me why this doesn't suffice? The signon process expects them to be there, so when they are not (after the 'unset'), how come my signon process still detects them and their values?
>
> The global variables you're referring to are just that, global variables; changing them will have no effect on the browser. Basic Auth was not designed to allow users to log out, but you can make it happen with some Javascript.
>
> Have your log out link call a Javascript function which sends an XMLHttpRequest with an invalid username and password. The server will return a 401 which you ignore and then take the user to whatever URL you want them to see after they log off. Not pretty, but it works.
>
> -Stuart

Thanks for the timely response!

Before I try your suggestion - one question. Since when is a global variable not changeable? Doesn't the fact that it reflects a modified value when I do change it tell me it worked? I change the value to 'xxx' and show it having that value, but when the script is called again the old value appears. Very confusing!
Re: [PHP] Basic Auth
On 27 Aug 2013, at 14:37, Jim Giner wrote:

> I'm using basic auth for a few of my pages that I want to limit access to - nothing of a sensitive nature, but simply want to limit access to. Want to implement a signoff process, but can't figure it out.
>
> From the comments in the manual I take it one can't do this by simply unsetting the PHP_AUTH_USER and _PW vars. Can someone explain to me why this doesn't suffice? The signon process expects them to be there, so when they are not (after the 'unset'), how come my signon process still detects them and their values?

The global variables you're referring to are just that, global variables; changing them will have no effect on the browser. Basic Auth was not designed to allow users to log out, but you can make it happen with some Javascript.

Have your log out link call a Javascript function which sends an XMLHttpRequest with an invalid username and password. The server will return a 401 which you ignore and then take the user to whatever URL you want them to see after they log off. Not pretty, but it works.

-Stuart

--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
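The log-out approach Stuart describes above, shown with both sides of the exchange; this is an added example, not code from any message in the thread. The function names, the `/members/` and `/signed-out.html` paths, the `Members` realm, the sample account and the injectable `deps` parameter are assumptions; the credentials travel in the `Authorization` request header, and `Buffer` is used so the sketch runs under Node.

```javascript
// Added example, not code from the thread. Names, paths and the sample
// account are constructed for illustration.

// ---- Server side: decided afresh on every request ----
const REALM = 'Members'; // hypothetical realm name

// Value of the Authorization request header: "Basic " + base64(user:pass).
function basicAuthHeader(user, password) {
  return 'Basic ' + Buffer.from(`${user}:${password}`, 'utf8').toString('base64');
}

function parseBasicAuth(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+\/]+=*)$/i.exec(headerValue || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const colon = decoded.indexOf(':'); // only the first ':' separates the pair
  if (colon < 0) return null;
  return { user: decoded.slice(0, colon), password: decoded.slice(colon + 1) };
}

// Like the PHP snippet quoted in the thread: no acceptable credentials in
// this request means 401 plus a challenge. checkCredentials stands in for
// the site's own user lookup.
function handleRequest(headers, checkCredentials) {
  const creds = parseBasicAuth(headers.authorization);
  if (creds && checkCredentials(creds.user, creds.password)) {
    return { status: 200, headers: {} };
  }
  return { status: 401, headers: { 'WWW-Authenticate': `Basic realm="${REALM}"` } };
}

// ---- Browser side: handler for the log-out link ----
// deps lets the XMLHttpRequest constructor and the redirect be replaced so
// the flow can be exercised outside a browser; in a page, omit it.
function basicAuthLogout(protectedUrl, afterLogoutUrl, deps = {}) {
  const XHR = deps.XHR || XMLHttpRequest;
  const redirect = deps.redirect || ((url) => { window.location.href = url; });
  const onUnexpected = deps.onUnexpected || (() => {});
  const xhr = new XHR();
  // Arguments 4 and 5 of open() are the user name and password to send with
  // this request; both are deliberately invalid.
  xhr.open('GET', protectedUrl, true, 'logout', 'logout');
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) return;
    if (xhr.status === 401) {
      redirect(afterLogoutUrl); // the expected rejection: ignore it, move on
    } else {
      // URL not protected, or the dummy pair was accepted: nothing shows
      // that the browser's stored credentials were replaced.
      onUnexpected(xhr.status);
    }
  };
  xhr.send();
}

// ---- Constructed stand-in for the browser's network layer ----
function makeFakeXHR(checkCredentials, log) {
  return class FakeXHR {
    open(method, url, isAsync, user, password) {
      this.request = { method, url, authorization: basicAuthHeader(user, password) };
    }
    send() {
      const res = handleRequest(this.request, checkCredentials);
      log.push({ sent: this.request.authorization, status: res.status });
      this.status = res.status;
      this.readyState = 4;
      this.onreadystatechange();
    }
  };
}

// Runs the whole exchange against the constructed server above.
function demoLogout() {
  const check = (u, p) => u === 'jim' && p === 'constructed-password';
  const log = [];
  let landedOn = null;
  basicAuthLogout('/members/', '/signed-out.html', {
    XHR: makeFakeXHR(check, log),
    redirect: (url) => { landedOn = url; },
  });
  return { log, landedOn };
}
```

Jim's follow-up at the top of this thread reports that the approach did not work out for him with IE, so check the result in each browser you support by loading the protected URL after logging out.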
RE: [PHP] basic auth question
[snip]
Please CC me, I am on digest
--
If I have a directory like: $HOME/www/ (document root)
It has an auth section in the .htaccess file $HOME/www/.htaccess
another directory like: $HOME/www/want_to_be_public/
How can I defeat the auth section in the $HOME/www/.htaccess file by commands in the: $HOME/www/want_to_be_public/.htaccess file?
[/snip]

Have you consulted the docs at http://www.apache.org ? That is where you will find the answer to this question.
Re: [PHP] Basic Auth question
That is one way to try it but I haven't been able to get it to work. Questions about PHP variable authentication through .htaccess protected directories have been brought up many times since I've been on this list but have never been completely answered. Apparently it cannot be done. The closest thing you can do is create a .htaccess type pop up with PHP but the username and password still have to be entered via the user which is what I take to be what you are trying to avoid.

Ed Curtis

On Tue, 1 Jul 2003, Dave Carrera wrote:

> I have an issue with basic auth which I hope someone here can throw some light on.
>
> 1) I have already got my SESSION auth working well
>
> 2) Once someone logs in I need to send some basic auth info to a dir on another server to let my logged in user to view it. This is where I am stuck :-(
>
> I think one answer is
>
> If(isset($_SESSION[userokcode])){
>
> header(Location http://username:[EMAIL PROTECTED]://www.domain.name/dir);
> }
> ?>
>
> Is that anyway close or have I got it the wrong way around?
>
> Any help is appreciated.
>
> Dave C