Re: [PHP] HTTP authentication : logout!!!
On 07-May-01 Mauricio Souza Lima wrote:

<snip>

> And you have to inform the user to clean the password field, click OK,
> then the pop-up will open again, then the user clicks Cancel.
> I only know that way to do it. If anyone knows another way, post it!

create a tmp directory

logoff.php3:

    require('secure.php3');
    authuser('Logoff');  // validate user (possible DoS attack here)
    $fname = "tmp/$PHP_AUTH_USER";
    touch($fname);
    Header("Location: http://www.mydomain.com/index.html");

-
secure.php3:

    function checklogin($user, $pass='', $realm='') {
        if (! dbInit()) {
            echo "\n\n<BODY><CENTER>";
            die("<P><H2>Unable to contact database server</H2>");
        }
        $fname = "tmp/$user";
        if (file_exists($fname)) {
            unlink($fname);
            return(false);
        }
        $query = "select login from users where login='$user' and password=PASSWORD('$pass')";
        // echo $query .'<BR>';
        $result = mysql_query($query);
        $row = mysql_fetch_object($result);
        if ($row) {
            return(true);
        }
        return(false);
    }

    function authheader($realm) {
        Header('WWW-authenticate: basic realm="'.$realm .'"');
        Header('HTTP/1.0 401 Unauthorized');
        echo "\n\n";
    }

    function authuser($realm='Access') {
        global $PHP_AUTH_USER, $PHP_AUTH_PW;
        if (! (isset($PHP_AUTH_USER)) ) {
            authheader($realm);
            exit;
        }
        if (! (checklogin($PHP_AUTH_USER, $PHP_AUTH_PW, $realm)) ) {
            authheader($realm);
            echo '<CENTER>Failed Login';
            exit;
        }
    }

Regards,
--
Don Read [EMAIL PROTECTED]
-- It's always darkest before the dawn. So if you are going to
   steal the neighbor's newspaper, that's the time to do it.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP authentication : logout!!!
Cool, you have found another way!

So the realm makes a difference? A user logged in to one realm isn't the same in another realm? Very cool...

Explain better your solution to us.

Regards,

Don Read wrote:

> On 07-May-01 Mauricio Souza Lima wrote:
>
> <snip>
>
> > And you have to inform the user to clean the password field, click OK,
> > then the pop-up will open again, then the user clicks Cancel.
> > I only know that way to do it. If anyone knows another way, post it!
>
> create a tmp directory
>
> logoff.php3:
>
>     require('secure.php3');
>     authuser('Logoff');  // validate user (possible DoS attack here)
>     $fname = "tmp/$PHP_AUTH_USER";
>     touch($fname);
>     Header("Location: http://www.mydomain.com/index.html");
>
> -
> secure.php3:
>
>     function checklogin($user, $pass='', $realm='') {
>         if (! dbInit()) {
>             echo "\n\n<BODY><CENTER>";
>             die("<P><H2>Unable to contact database server</H2>");
>         }
>         $fname = "tmp/$user";
>         if (file_exists($fname)) {
>             unlink($fname);
>             return(false);
>         }
>         $query = "select login from users where login='$user' and password=PASSWORD('$pass')";
>         // echo $query .'<BR>';
>         $result = mysql_query($query);
>         $row = mysql_fetch_object($result);
>         if ($row) {
>             return(true);
>         }
>         return(false);
>     }
>
>     function authheader($realm) {
>         Header('WWW-authenticate: basic realm="'.$realm .'"');
>         Header('HTTP/1.0 401 Unauthorized');
>         echo "\n\n";
>     }
>
>     function authuser($realm='Access') {
>         global $PHP_AUTH_USER, $PHP_AUTH_PW;
>         if (! (isset($PHP_AUTH_USER)) ) {
>             authheader($realm);
>             exit;
>         }
>         if (! (checklogin($PHP_AUTH_USER, $PHP_AUTH_PW, $realm)) ) {
>             authheader($realm);
>             echo '<CENTER>Failed Login';
>             exit;
>         }
>     }
>
> Regards,
> --
> Don Read [EMAIL PROTECTED]
> -- It's always darkest before the dawn. So if you are going to
>    steal the neighbor's newspaper, that's the time to do it.

--
Mauricio Souza Lima
Programmer - Catho ONLINE
[EMAIL PROTECTED]
www.catho.com.br
[EMAIL PROTECTED]
Re: [PHP] HTTP authentication : logout!!!
On 08-May-01 Mauricio Souza Lima wrote:

> Cool, you have found another way!
>
> So the realm makes a difference? A user logged in to one realm isn't the
> same in another realm? Very cool...

Not quite, the realm is a string to present to the login dialog box; it has no effect on the credentials in this example. But you could code such a thing.

> Explain better your solution to us.

'Kay

logoff.php3:

    $fname = "tmp/$PHP_AUTH_USER";
    touch($fname);

create a lockfile tmp/loginname

    Header("Location: http://www.mydomain.com/index.html");

send them to a non-protected page.

secure.php3:

    function checklogin($user, $pass='', $realm='') {

here $realm is some unused glue for orthogonal function() calls

        $fname = "tmp/$user";
        if (file_exists($fname)) {

check if tmp/loginname exists

            unlink($fname);  // delete it
            return(false);
        }

if we got this far, they either
 1. didn't hit logoff
 2. they did and already got the 401-(Re)Authenticate

        $query = "select login from users where login='$user' and password=PASSWORD('$pass')";
        // echo $query .'<BR>';
        $result = mysql_query($query);
        $row = mysql_fetch_object($result);
        if ($row) {
            return(true);
        }
        return(false);
    }

Basically it's a spin-lock file that is checked on login ... could just as easily be done as a shared semaphore, DB entry, whatever.

Regards,
--
Don Read [EMAIL PROTECTED]
-- It's always darkest before the dawn. So if you are going to
   steal the neighbor's newspaper, that's the time to do it.
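
A hardened version of the lock-file logout described above, as an added example that is not part of the original post or any poster's code. It assumes PHP 7 or later, a PDO connection, a hypothetical `users` table with `login` and `password_hash` columns, and a hypothetical flag directory outside the web root. Unlike the posted version it binds the username as a query parameter, hashes it before using it as a file name, and consumes the flag only after the credentials have been verified.

```php
<?php
// Added example, not code from the thread. Assumed names: FLAG_DIR, the users
// table with login/password_hash columns, and the /index.html landing page.
const FLAG_DIR = __DIR__ . '/../logout-flags';   // hypothetical, outside the web root

// Fixed-format file name: a username such as "../x" cannot leave FLAG_DIR.
function flag_path(string $user): string {
    return FLAG_DIR . '/' . hash('sha256', $user) . '.flag';
}

function credentials_valid(PDO $db, string $user, string $pass): bool {
    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE login = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

function challenge(string $realm): void {
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="' . addcslashes($realm, '"\\') . '"');
    exit('Authorization required.');
}

// Call at the top of every protected page; returns the verified login name.
function require_login(PDO $db, string $realm = 'Access'): string {
    $user = $_SERVER['PHP_AUTH_USER'] ?? null;
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    if ($user === null || !credentials_valid($db, $user, $pass)) {
        challenge($realm);
    }
    // A logout is pending for this verified user: consume the flag and answer
    // 401 once so the browser asks for the password again. Checking it only
    // after verification stops a stranger who knows the login name from
    // clearing the flag, and unlink() succeeds for exactly one request.
    if (@unlink(flag_path($user))) {
        challenge($realm);
    }
    return $user;
}

// Body of the logout page: only the authenticated user can set their own flag.
function logout(PDO $db): void {
    $user = require_login($db);
    touch(flag_path($user));
    header('Location: /index.html');   // an unprotected page
    exit;
}
```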
Re: [PHP] HTTP authentication : logout!!!
On Tue 08 May 2001 02:07, you wrote:

> Never tried it though...but can you try to empty or unset the
> $PHP_AUTH_USER/PWD ?

This doesn't work, that's why I use a login html page and sessions. :-)

Regards... :-)

--
The best operating system is the one that feeds you. Watch your diet.
-
Martin Marques | [EMAIL PROTECTED]
Programmer, Administrator | Centro de Telematica
Universidad Nacional del Litoral
-
RE: [PHP] HTTP authentication : logout!!!
I must support this fashion of login and logout. I have never been able to find a way to clear the browser of the username and password. Once I combined sessions with a date and timestamp in the realm, it worked like a charm.

Sincerely,

Robert T. Covell
President / Owner
Rolet Internet Services, LLC
Web: www.rolet.com
Email: [EMAIL PROTECTED]
Phone: 816.210.7145
Fax: 816.753.1952

-----Original Message-----
From: Martín Marqués [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 2:13 AM
To: elias
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] HTTP authentication : logout!!!

On Tue 08 May 2001 02:07, you wrote:

> Never tried it though...but can you try to empty or unset the
> $PHP_AUTH_USER/PWD ?

This doesn't work, that's why I use a login html page and sessions. :-)

Regards... :-)

--
The best operating system is the one that feeds you. Watch your diet.
-
Martin Marques | [EMAIL PROTECTED]
Programmer, Administrator | Centro de Telematica
Universidad Nacional del Litoral
-
Re: [PHP] HTTP authentication : logout!!!
Never tried it though...but can you try to empty or unset the $PHP_AUTH_USER/PWD ?

-elias
http://www.eassoft.cjb.net

Thomas Edison Jr. [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

> i'm using http authentication for my php pages (members area). Once you
> login correctly, then you can access any page as the authentication box
> doesn't pop-up.
>
> Now i would like to create a logout link after clicking on which, whenever
> you click on a page using auth, the auth box should pop-up again and you
> must feed in your user/pass.
>
> What should this logout page contain? what coding do i have to do?
>
> From what i understand, there is a $auth which is False by default. When
> auth is successful, it contains True. And once it's true, the auth box
> doesn't pop-up. I understand that probably clicking on this logout link
> should again make $auth false. But then $auth is on a lot of pages, how
> does this $auth on logout.php3 make all the other $auth's false? or is
> there some other way?
>
> the code i'm using for auth is :
>
> ***
> <?php
> $auth = false; // Assume user is not authenticated
> if (isset( $PHP_AUTH_USER ) && isset($PHP_AUTH_PW)) {
>     mysql_connect('localhost','root')
>         or die ( 'Unable to connect to server.' );
>     mysql_select_db( 'skynet' )
>         or die ( 'Unable to select database.' );
>     // Formulate the query
>     $sql = "SELECT * FROM register WHERE
>             username = '$PHP_AUTH_USER' AND
>             password = '$PHP_AUTH_PW'";
>     // Execute the query and put results in $result
>     $result = mysql_query( $sql )
>         or die ( 'Unable to execute query.' );
>     // Get number of rows in $result.
>     $num = mysql_numrows( $result );
>     if ( $num != 0 ) {
>         // A matching row was found - the user is authenticated.
>         $auth = true;
>     }
> }
> if ( ! $auth ) {
>     header( 'WWW-Authenticate: Basic realm="Private"' );
>     header( 'HTTP/1.0 401 Unauthorized' );
>     echo 'Authorization Required.';
>     exit;
> } else {
>     // %%stuff 2 do%%
> }
> ?>
> ***
>
> Regards,
> T. Edison jr.
>
> Rahul S. Johari (Director)
> Abraxas Technologies Inc.
> Homepage : http://www.abraxastech.com
> Email : [EMAIL PROTECTED]
> Tel : 91-4546512/4522124
Re: [PHP] HTTP authentication : logout!!!
It doesn't work, what you have to do is this:

In the logout.php:
--
<?
header( 'WWW-Authenticate: Basic realm="Private"');
header( 'HTTP/1.0 401 Unauthorized' );
?>
<html><body> Logout Successful </body></html>
--

And you have to inform the user to clean the password field, click OK, then the pop-up will open again, then the user clicks Cancel.

I only know that way to do it. If anyone knows another way, post it!

elias wrote:

> Never tried it though...but can you try to empty or unset the
> $PHP_AUTH_USER/PWD ?
>
> -elias
> http://www.eassoft.cjb.net
>
> Thomas Edison Jr. [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
>
> > i'm using http authentication for my php pages (members area). Once you
> > login correctly, then you can access any page as the authentication box
> > doesn't pop-up.
> >
> > Now i would like to create a logout link after clicking on which,
> > whenever you click on a page using auth, the auth box should pop-up
> > again and you must feed in your user/pass.
> >
> > What should this logout page contain? what coding do i have to do?
> >
> > From what i understand, there is a $auth which is False by default. When
> > auth is successful, it contains True. And once it's true, the auth box
> > doesn't pop-up. I understand that probably clicking on this logout link
> > should again make $auth false. But then $auth is on a lot of pages, how
> > does this $auth on logout.php3 make all the other $auth's false? or is
> > there some other way?
> >
> > the code i'm using for auth is :
> >
> > ***
> > <?php
> > $auth = false; // Assume user is not authenticated
> > if (isset( $PHP_AUTH_USER ) && isset($PHP_AUTH_PW)) {
> >     mysql_connect('localhost','root')
> >         or die ( 'Unable to connect to server.' );
> >     mysql_select_db( 'skynet' )
> >         or die ( 'Unable to select database.' );
> >     // Formulate the query
> >     $sql = "SELECT * FROM register WHERE
> >             username = '$PHP_AUTH_USER' AND
> >             password = '$PHP_AUTH_PW'";
> >     // Execute the query and put results in $result
> >     $result = mysql_query( $sql )
> >         or die ( 'Unable to execute query.' );
> >     // Get number of rows in $result.
> >     $num = mysql_numrows( $result );
> >     if ( $num != 0 ) {
> >         // A matching row was found - the user is authenticated.
> >         $auth = true;
> >     }
> > }
> > if ( ! $auth ) {
> >     header( 'WWW-Authenticate: Basic realm="Private"' );
> >     header( 'HTTP/1.0 401 Unauthorized' );
> >     echo 'Authorization Required.';
> >     exit;
> > } else {
> >     // %%stuff 2 do%%
> > }
> > ?>
> > ***
> >
> > Regards,
> > T. Edison jr.
> >
> > Rahul S. Johari (Director)
> > Abraxas Technologies Inc.
> > Homepage : http://www.abraxastech.com
> > Email : [EMAIL PROTECTED]
> > Tel : 91-4546512/4522124

--
Mauricio Souza Lima
Programmer - Catho ONLINE
[EMAIL PROTECTED]
www.catho.com.br
[EMAIL PROTECTED]
RE: [PHP] HTTP authentication : logout!!!
$PHP_AUTH_USER = "";
$PHP_AUTH_PW = "";

Ought to do it.

From: Thomas Edison Jr. [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 8:39 AM
To: [EMAIL PROTECTED]
Subject: [PHP] HTTP authentication : logout!!!

Now i would like to create a logout link after clicking on which, whenever you click on a page using auth, the auth box should pop-up again and you must feed in your user/pass.

What should this logout page contain? what coding do i have to do?
RE: [PHP] HTTP authentication : logout!!!
I too have never been happy with the way PHP handles actual secure sessions. GameDesign was written to entirely use session based access. Both the main user site, and the admin backend use it, and it works quite well.

- John Vanderbeck
- Admin, GameDesign (http://gamedesign.incagold.com/)
- GameDesign, the industry source for game design and development issues

-----Original Message-----
From: Robert Covell [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 9:14 AM
To: Martín Marqués; elias
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] HTTP authentication : logout!!!

I must support this fashion of login and logout. I have never been able to find a way to clear the browser of the username and password. Once I combined sessions with a date and timestamp in the realm, it worked like a charm.

Sincerely,

Robert T. Covell
President / Owner
Rolet Internet Services, LLC
Web: www.rolet.com
Email: [EMAIL PROTECTED]
Phone: 816.210.7145
Fax: 816.753.1952

-----Original Message-----
From: Martín Marqués [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 2:13 AM
To: elias
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] HTTP authentication : logout!!!

On Tue 08 May 2001 02:07, you wrote:

> Never tried it though...but can you try to empty or unset the
> $PHP_AUTH_USER/PWD ?

This doesn't work, that's why I use a login html page and sessions. :-)

Regards... :-)

--
The best operating system is the one that feeds you. Watch your diet.
-
Martin Marques | [EMAIL PROTECTED]
Programmer, Administrator | Centro de Telematica
Universidad Nacional del Litoral
-