Re: [PHP] HTTP authentication : logout!!!

2001-05-08 Thread Don Read


On 07-May-01 Mauricio Souza Lima wrote:
> <snip>
> And you have to inform the user to clean the password field, click ok,
> then the pop-up will open again, then user click in cancel.
>
> I just know that way to do. If anyone know another way, Postit!


create a tmp directory


logoff.php3:

require('secure.php3');
authuser("Logoff"); // validate user (possible Dos attack here)

// flag this login as logged off; checklogin() consumes the flag
// ($PHP_AUTH_USER goes into the path exactly as the browser sent it)
$fname="tmp/$PHP_AUTH_USER";
touch($fname);
Header("Location: http://www.mydomain.com/index.html");

-----

secure.php3:

function checklogin($user,$pass='',$realm='') {
    if (! dbInit()) {
        echo "\n\n<BODY><CENTER>";
        die("<P><H2>Unable to contact database server</H2>");
    }

    // a logoff flag file exists: remove it and fail this one attempt
    $fname="tmp/$user";
    if (file_exists($fname)) {
        unlink($fname);
        return(false);
    }
    // $user and $pass are interpolated into the query without escaping
    $query="select login from users
      where login='$user' and password=PASSWORD('$pass')";
    // echo $query .'<BR>';
    $result = mysql_query( $query);
    $row = mysql_fetch_object($result);
    if ($row) {
        return(true);
    }
    return(false);
}

function authheader($realm) {
    Header('WWW-authenticate: basic realm="'.$realm .'"');
    Header('HTTP/1.0 401 Unauthorized');
    echo "\n\n";
}

function authuser($realm='Access') {
    global $PHP_AUTH_USER, $PHP_AUTH_PW;

    // no credentials sent yet: challenge the browser
    if (! (isset($PHP_AUTH_USER)) ) {
        authheader($realm);
        exit;
    }
    if (! (checklogin($PHP_AUTH_USER, $PHP_AUTH_PW, $realm)) ) {
        authheader($realm);
        echo '<CENTER>Failed Login';
        exit;
    }
}

Regards,
-- 
Don Read   [EMAIL PROTECTED]
-- It's always darkest before the dawn. So if you are going to 
   steal the neighbor's newspaper, that's the time to do it.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




Re: [PHP] HTTP authentication : logout!!!

2001-05-08 Thread Mauricio Souza Lima


Cool, you have found another way!
So the realm makes a difference? A user logged in to a realm isn't the same in
another realm? Very cool...
Explain your solution to us better.

Regards,


-- 
Mauricio Souza Lima
Programmer - Catho ONLINE
[EMAIL PROTECTED] www.catho.com.br
[EMAIL PROTECTED]





Re: [PHP] HTTP authentication : logout!!!

2001-05-08 Thread Don Read


On 08-May-01 Mauricio Souza Lima wrote:
>
> Cool, you have found another way!
> So the realm makes a difference? A user logged in to a realm isn't the same in
> another realm? Very cool...

Not quite, the realm is a string to present to the login dialog box;
it has no effect on the credentials in this example.
But you could code such a thing.

> Explain your solution to us better.

'Kay

> logoff.php3:
>
> $fname="tmp/$PHP_AUTH_USER";
> touch($fname);

create a lockfile tmp/loginname

> Header("Location: http://www.mydomain.com/index.html");

  send them to a non-protected page.

> secure.php3:
>
> function checklogin($user,$pass='',$realm='') {

  here $realm is some unused glue for orthogonal function() calls

> $fname="tmp/$user";
> if (file_exists($fname)) {

check if tmp/loginname exists

> unlink($fname); // delete it
> return(false);
> }

   if we got this far, they either
   1. didn't hit logoff
   2. they did and already got the 401-(Re)Authenticate

> $query="select login from users
>   where login='$user' and password=PASSWORD('$pass')";
> // echo $query .'<BR>';
> $result = mysql_query( $query);
> $row = mysql_fetch_object($result);
> if ($row) {
> return(true);
> }
> return(false);
> }

Basically it's a spin-lock file that is checked on login ... could just as
easily be done as a shared semaphore, DB entry, whatever.

Regards,
-- 
Don Read   [EMAIL PROTECTED]
-- It's always darkest before the dawn. So if you are going to 
   steal the neighbor's newspaper, that's the time to do it.
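
The lock-file idea above, as an added example that is not part of the thread: the flag is a database row rather than a file named after the user, credentials are checked with a bound parameter and password_verify(), and a wrong password cannot clear anyone's flag. The in-memory SQLite database, the table and function names, and the user alice are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Table names and the sample user are assumptions.
function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (login TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    $db->exec('CREATE TABLE logged_off (login TEXT PRIMARY KEY)');
    $db->prepare('INSERT INTO users VALUES (?, ?)')
       ->execute(['alice', password_hash('s3cret', PASSWORD_DEFAULT)]); // constructed user
    return $db;
}

// Verify credentials with a bound parameter and a salted hash.
function verify(PDO $db, string $user, string $pass): bool {
    $q = $db->prepare('SELECT pw_hash FROM users WHERE login = ?');
    $q->execute([$user]);
    $hash = $q->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

// Counterpart of logoff.php3: only a verified user can set their own flag.
function logoff(PDO $db, string $user, string $pass): bool {
    if (!verify($db, $user, $pass)) return false;
    $db->prepare('INSERT OR REPLACE INTO logged_off VALUES (?)')->execute([$user]);
    return true;
}

// Counterpart of checklogin(): a pending flag fails one request, then is consumed.
function check_login(PDO $db, string $user, string $pass): bool {
    if (!verify($db, $user, $pass)) return false;   // wrong password never clears the flag
    $del = $db->prepare('DELETE FROM logged_off WHERE login = ?');
    $del->execute([$user]);
    return $del->rowCount() === 0;
}

// Status for a request; $server stands in for $_SERVER.
function auth_status(PDO $db, array $server): int {
    if (!isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) return 401;
    return check_login($db, $server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']) ? 200 : 401;
}

$db  = make_db();
$req = ['PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 's3cret'];   // constructed request
$seq = [auth_status($db, $req)];            // before logoff
logoff($db, 'alice', 's3cret');
$seq[] = auth_status($db, $req);            // cached credentials replayed after logoff
$seq[] = auth_status($db, $req);            // credentials sent again after the 401 prompt
echo implode(' ', $seq), "\n";
```

A real page would send the WWW-Authenticate header with each 401. The flag forces one re-prompt only; the browser keeps its cached credentials, so this does not invalidate them.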





Re: [PHP] HTTP authentication : logout!!!

2001-05-07 Thread Martín Marqués

On Tue 08 May 2001 02:07, you wrote:
> Never tried it though...but can you try to empty or unset the
> $PHP_AUTH_USER/PWD ?

This doesn't work, that's why I use a login html page and sessions. :-)

Regards... :-)

-- 
The best operating system is the one that feeds you.
Watch your diet.
-
Martin Marques  |[EMAIL PROTECTED]
Programmer, Administrator  |   Centro de Telematica
   Universidad Nacional
del Litoral
-





RE: [PHP] HTTP authentication : logout!!!

2001-05-07 Thread Robert Covell

I must support this fashion of login and logout.  I have never been able
to find a way to clear the browser of the username and password.  Once I
combined sessions with a date and timestamp in the realm, it worked like a
charm.

Sincerely,

Robert T. Covell
President / Owner
Rolet Internet Services, LLC
Web: www.rolet.com
Email: [EMAIL PROTECTED]
Phone: 816.210.7145
Fax: 816.753.1952





Re: [PHP] HTTP authentication : logout!!!

2001-05-07 Thread elias

Never tried it though...but can you try to empty or unset the
$PHP_AUTH_USER/PWD ?

-elias
http://www.eassoft.cjb.net

Thomas Edison Jr. [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
> i'm using http authentication for my php pages
> (members area). Once you login correctly, then you can
> access any page as the authentication box doesn't
> pop-up.
>
> Now i would like to create a logout link after clicking
> on which, whenever you click on a page using auth, the
> auth box should pop-up again and you must feed in your
> user/pass. What should this logout page contain? what
> coding do i have to do?
> From what i understand, there is a $auth which is
> False by default. When auth is successful, it
> contains True. And once it's true, the auth box
> doesn't pop-up. I understand that probably clicking on
> this logout link should again make $auth false. But
> then $auth is on a lot of pages, how does this $auth
> on logout.php3 make all the other $auth's false?
>
> or is there some other way?
>
> the code i'm using for auth is :
>
> ***
> <?php
> $auth = false; // Assume user is not authenticated
> if (isset( $PHP_AUTH_USER ) && isset($PHP_AUTH_PW)) {
>
>     mysql_connect('localhost','root') or die (
>         'Unable to connect to server.' );
>     mysql_select_db( 'skynet' ) or die (
>         'Unable to select database.' );
>
>     // Formulate the query
>
>     $sql = "SELECT * FROM register WHERE
>             username = '$PHP_AUTH_USER' AND
>             password = '$PHP_AUTH_PW'";
>
>     // Execute the query and put results in $result
>
>     $result = mysql_query( $sql ) or die (
>         'Unable to execute query.' );
>
>     // Get number of rows in $result.
>     $num = mysql_numrows( $result );
>     if ( $num != 0 ) {
>
>         // A matching row was found - the user is authenticated.
>
>         $auth = true;
>     }
> }
>
> if ( ! $auth ) {
>
>     header( 'WWW-Authenticate: Basic realm="Private"' );
>     header( 'HTTP/1.0 401 Unauthorized' );
>     echo 'Authorization Required.';
>     exit;
>
> } else {
>
>     // %%stuff 2 do%%
>
> }
> ?>
> ***
>
> Regards,
> T. Edison jr.
>
> =
> Rahul S. Johari (Director)
> **
> Abraxas Technologies Inc.
> Homepage : http://www.abraxastech.com
> Email : [EMAIL PROTECTED]
> Tel : 91-4546512/4522124
> ***





Re: [PHP] HTTP authentication : logout!!!

2001-05-07 Thread Mauricio Souza Lima

It doesn't work; what you have to do is this:
In the logout.php:
--
<?
header( 'WWW-Authenticate: Basic realm="Private"');
header( 'HTTP/1.0 401 Unauthorized' );
?>
<html><body>
Logout Successful
</body></html>
--

And you have to tell the user to clear the password field and click OK;
the pop-up will then open again, and the user clicks Cancel.

That's the only way I know. If anyone knows another way, post it!





-- 
Mauricio Souza Lima
Programmer - Catho ONLINE
[EMAIL PROTECTED] www.catho.com.br
[EMAIL PROTECTED]





RE: [PHP] HTTP authentication : logout!!!

2001-05-07 Thread Matt Schroebel


$PHP_AUTH_USER = "";
$PHP_AUTH_PW = "";

Ought to do it.

> From: Thomas Edison Jr. [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 07, 2001 8:39 AM
> To: [EMAIL PROTECTED]
> Subject: [PHP] HTTP authentication : logout!!!
>
> Now i woul like to create a logout link after clicking
> on which, whenever you click on a page using auth, the
> auth box should pop-up again and you must feed in your
> user/pass. What should this logout page contain? what
> coding do i have to do?





RE: [PHP] HTTP authentication : logout!!!

2001-05-07 Thread John Vanderbeck


I too have never been happy with the way PHP handles actual secure sessions.
GameDesign was written to entirely use session based access.  Both the main
user site, and the admin backend use it, and it works quite well.

- John Vanderbeck
- Admin, GameDesign (http://gamedesign.incagold.com/)
- GameDesign, the industry source for game design and development issues

