Re: [PHP] authentication issue...

2010-05-29 Thread Floyd Resler


On May 28, 2010, at 9:43 PM, Jason Pruim wrote:


Hey Everyone,

So I'm sitting here on a friday night trying to figure out how in  
the world I'm going to fix an issue that should probably be simple  
to me but is escaping me at the moment


Take this authentication function:

<?PHP

function authentication($authUser, $authPass, $cfgtableAuth){

    // Keep in mind, PASSWORD has meaning in MySQL
    // Do your string sanitizing here
    // (e.g. - $user = mysql_real_escape_string($_POST['user']);)
    $authUser = mysql_real_escape_string($_POST['txtUser']);
    $authPass = mysql_real_escape_string($_POST['txtPass']);
    $md5pass = md5($authPass);

    $loginQuery = "SELECT * FROM {$cfgtableAuth} WHERE userLogin='" . $authUser . "' AND userPass='" . $md5pass . "' LIMIT 0,1;";

    $loginResult = mysql_query($loginQuery) or die("Wrong data supplied or database error " . mysql_error());

    $row1 = mysql_fetch_assoc($loginResult);
    if($row1['access'] == 500){
        foreach (array_keys($_SESSION) as $key)
            unset($_SESSION[$key]);

        die('account disabled');
    }

    if(is_array($row1)){

        $_SESSION['userInfo'] = array("userLogin" => $row1['userName'], "loggedin" => TRUE, "userName" => $row1['userName'], "userPermission" => $row1['userPermission']);

        error_log("User has logged in: " . $row1['userLogin']);

    }else{
        //$_SESSION['userInfo'] = array("loggedin" => FALSE);
        die('authentication failed');
    }
    return TRUE;

}

?>

Here is how I am displaying the login form:

<?PHP
session_start();

$link = dbconnect($server, $username, $password, $database);

$page = $_GET['page'];

echo <<<CSS
   <body>
   <div class="contentwrapper">

CSS;
include("nav.php");

if ($_SESSION['userInfo']['loggedin'] == TRUE) {

    // MAIN PAGE DISPLAY HERE

}else{

    //Display login info
    echo <<<FORM
   <div class="dark">
   <form method="post">
   <p>
      You must login to proceed!<BR />
      User Name: <input type="text" size="20" name="txtUser"><BR />
      Password: <input type="password" size="20" name="txtPass"><BR />
      <input type="submit" value="Login"><BR />
   </p>
   </form>
   </div>
FORM;

    if(isset($_POST['txtUser'])) {
        $authUser = $_POST['txtUser'];
        $authPass = $_POST['txtPass'];
        $auth = authentication($authUser, $authPass, $cfgtableAuth);

    }

}

?>

Now... the authentication actually works, and it logs me in  
properly, but I have to click the login button twice Ideally I  
should just do it once, so I'm wondering if anyone can spot my  
grievous misstep here?


Thanks in advance for the help and pointers I am bound to receive  
from this list! :)




Your problem kind of made me laugh.  Not because you're having this  
problem but because the problem you're having that you want to correct  
is something a co-worker of mine did by design.  She writes in FoxPro  
and on her login page you actually  have to click the login button  
twice in order to log in!  She did it that way because she has a  
profile button on the login page.  Still, clicking on a login button  
twice is annoying! :)


Take care,
Floyd


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] authentication issue...

2010-05-29 Thread Ashley Sheridan
On Sat, 2010-05-29 at 07:40 -0400, Floyd Resler wrote:

 On May 28, 2010, at 9:43 PM, Jason Pruim wrote:
 
  Hey Everyone,
 
  So I'm sitting here on a friday night trying to figure out how in  
  the world I'm going to fix an issue that should probably be simple  
  to me but is escaping me at the moment
 
  [quoted code snipped; identical to the code in the message above]
 
  Now... the authentication actually works, and it logs me in  
  properly, but I have to click the login button twice Ideally I  
  should just do it once, so I'm wondering if anyone can spot my  
  grievous misstep here?
 
  Thanks in advance for the help and pointers I am bound to receive  
  from this list! :)
 
 
 Your problem kind of made me laugh.  Not because you're having this  
 problem but because the problem you're having that you want to correct  
 is something a co-worker of mine did by design.  She writes in FoxPro  
 and on her login page you actually  have to click the login button  
 twice in order to log in!  She did it that way because she has a  
 profile button on the login page.  Still, clicking on a login button  
 twice is annoying! :)
 
 Take care,
 Floyd
 
 


The problem I often see in this area is where the login check is
performed in an include file, and then included in every page, including
the login page itself. Takes a little while sometimes to figure out why
it is stuck in an eternal loop!

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] authentication issue...

2010-05-29 Thread Jason Pruim


On May 29, 2010, at 12:02 AM, Nathan Nobbe wrote:




On Fri, May 28, 2010 at 7:43 PM, Jason Pruim li...@pruimphotography.com 
 wrote:

Hey Everyone,

So I'm sitting here on a friday night trying to figure out how in  
the world I'm going to fix an issue that should probably be simple  
to me but is escaping me at the moment


[quoted code snipped; identical to the code in the first message above]

Now... the authentication actually works, and it logs me in  
properly, but I have to click the login button twice Ideally I  
should just do it once, so I'm wondering if anyone can spot my  
grievous misstep here?


it looks to me like you need to move the authentication() call

if(isset($_POST['txtUser'])) {
$authUser = $_POST['txtUser'];
$authPass = $_POST['txtPass'];
$auth = authentication($authUser, $authPass, $cfgtableAuth);
}

above the check to see if the user has logged in, right after the

include("nav.php");

line. Right now, when the user submits the form, your code is first
finding that the user isn't logged in, spitting out the 'please log
in' portion of the html then logging them in, so you're actually
already logged in when the form shows itself the second time!


Hey nathan,

You were close actually... :) If I moved just the $auth call it came  
up and said that the auth failed... BUT if I moved that entire if  
block to just below the include("nav.php"); line it works as it should!


Thanks for the pointer in the right direction! :)






Re: [PHP] authentication issue...

2010-05-28 Thread Nathan Nobbe
On Fri, May 28, 2010 at 7:43 PM, Jason Pruim li...@pruimphotography.com wrote:

 Hey Everyone,

 So I'm sitting here on a friday night trying to figure out how in the world
 I'm going to fix an issue that should probably be simple to me but is
 escaping me at the moment

 [quoted code snipped; identical to the code in the first message above]

 Now... the authentication actually works, and it logs me in properly, but I
 have to click the login button twice Ideally I should just do it once,
 so I'm wondering if anyone can spot my grievous misstep here?


it looks to me like you need to move the authentication() call

if(isset($_POST['txtUser'])) {
$authUser = $_POST['txtUser'];
$authPass = $_POST['txtPass'];
$auth = authentication($authUser, $authPass, $cfgtableAuth);
}

above the check to see if the user has logged in, right after the

include("nav.php");

line. Right now, when the user submits the form, your code is first finding
that the user isn't logged in, spitting out the 'please log in' portion of
the html then logging them in, so you're actually already logged in when the
form shows itself the second time!

-nathan
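The reordering Nathan describes, with Jason's follow-up (the whole POST-handling block moves up, not just the authentication() call), as an added example that is not code from the thread. It also redirects after the POST so a refresh cannot resubmit the password, uses a prepared statement in place of the concatenated query, and password_verify() in place of md5(); config.php, dbconnect() returning a PDO, and the column names are assumptions.

```php
<?php
// Added example, not code from the thread. Assumptions: $server, $username,
// $password, $database and $cfgtableAuth come from config.php, dbconnect()
// returns a PDO, and the table holds userLogin, userName, userPermission,
// access (500 = disabled) and a userPass column produced by password_hash().
require 'config.php';
session_start();

function authentication(PDO $pdo, string $authUser, string $authPass, string $cfgtableAuth): bool
{
    // A table name cannot be bound as a parameter, so restrict it to a plain identifier.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $cfgtableAuth)) {
        return false;
    }
    // Bound parameter: no escaping step to forget, and the hash never enters the query.
    $stmt = $pdo->prepare(
        "SELECT userLogin, userName, userPermission, userPass, access
         FROM {$cfgtableAuth} WHERE userLogin = :login LIMIT 1"
    );
    $stmt->execute([':login' => $authUser]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user and wrong password share one failure path, so the response
    // does not reveal which it was. password_verify() replaces md5().
    if ($row === false || !password_verify($authPass, $row['userPass'])) {
        error_log("Failed login for: " . $authUser);
        return false;
    }
    if ((int) $row['access'] === 500) {
        $_SESSION = [];
        error_log("Login attempt on disabled account: " . $row['userLogin']);
        return false;
    }

    // Fresh session id once the privilege level changes (session fixation defence).
    session_regenerate_id(true);
    $_SESSION['userInfo'] = [
        'userLogin'      => $row['userLogin'],
        'loggedin'       => true,
        'userName'       => $row['userName'],
        'userPermission' => $row['userPermission'],
    ];
    error_log("User has logged in: " . $row['userLogin']);
    return true;
}

$pdo = dbconnect($server, $username, $password, $database);

// 1. Handle the POST first, and before any output: the redirect below is an
//    HTTP header, so it must go out before nav.php or the markup print anything.
$loginError = '';
if (isset($_POST['txtUser'], $_POST['txtPass'])) {
    if (authentication($pdo, (string) $_POST['txtUser'], (string) $_POST['txtPass'], $cfgtableAuth)) {
        // 2. Redirect after POST: the browser re-GETs the page, which now renders
        //    logged in, and a refresh no longer resubmits the password.
        header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'));
        exit;
    }
    $loginError = 'Authentication failed.';
}

echo "<body>\n<div class=\"contentwrapper\">\n";
include 'nav.php';

// 3. Only now decide what to render, from the session state set above.
if (!empty($_SESSION['userInfo']['loggedin'])) {
    // MAIN PAGE DISPLAY HERE
} else {
    echo '<div class="dark"><form method="post"><p>You must login to proceed!<br />';
    if ($loginError !== '') {
        echo htmlspecialchars($loginError, ENT_QUOTES, 'UTF-8'), '<br />';
    }
    echo 'User Name: <input type="text" size="20" name="txtUser"><br />',
         'Password: <input type="password" size="20" name="txtPass"><br />',
         '<input type="submit" value="Login"></p></form></div>';
}
```

The die() calls of the original are replaced by a return value so the page can show the form again with an error instead of stopping mid-render.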


Re: [PHP] Authentication by client certificate

2009-01-25 Thread Edmund Hertle
2009/1/23 Jesus Campos jesus...@cm-barcelos.pt

 Hi there,

 I would like to create an application that can authenticate by
 client certificate.
 Can I make this with apache/php? Can anyone recommend documentation?

 Thanks,
 JCampos


Hey,

I do not really understand what you want to do. Are you talking about
SSL certificates?

-eddy


Re: [PHP] authentication verification

2008-05-29 Thread Robert Cummings
On Thu, 2008-05-29 at 14:20 -0600, DeadTOm wrote:
 So the user comes to the site and they're presented with a log in page.
 They enter their username and password and php checks a mysql database for
 a matching username and password.
 In the case of a match, php then sets a cookie on their browser with a
 value of 1 for authenticated and 0 for not authenticated. Every subsequent
 page the user views checks the status of this cookie and if it's a zero it
 kicks them back to the log in page. This cookie expires in 5 days and
 after that they'll have to log in again.
 I'm aware that this is terribly easy to circumvent by creating/modifying a
 cookie with the 1 value and the site thinks you've passed muster.
 What is a better way of doing this?

Use PHP session engine... and set:

$_SESSION['loggedIn'] = true;

Then you can check THAT value and they can't modify it.

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP
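The cookie flag DeadTOm describes beside the server-side session check Rob recommends, as an added example that is not code from the thread; it keeps the 5-day limit but enforces it on the server. Assumes PHP 7.3+ (array form of session_set_cookie_params) and HTTPS.

```php
<?php
// Added example, not from the thread.

// --- Weak: the browser holds the verdict, so anyone can set auth=1 ---
// setcookie('auth', '1', time() + 5 * 86400);   // on successful login
// if (($_COOKIE['auth'] ?? '0') !== '1') { header('Location: /login.php'); exit; }

// --- Better: the browser only holds an opaque session id; the verdict
//     ($_SESSION['loggedIn']) lives on the server and cannot be edited there ---
const SESSION_LIFETIME = 5 * 86400;   // the same 5 days, enforced server-side

function startAuthSession(): void
{
    session_set_cookie_params([
        'lifetime' => SESSION_LIFETIME,
        'path'     => '/',
        'secure'   => true,       // only sent over HTTPS (assumed available)
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
    session_start();
}

// Called once, after the username/password check against MySQL succeeds.
function markLoggedIn(string $username): void
{
    session_regenerate_id(true);   // new id at privilege change (anti-fixation)
    $_SESSION['loggedIn'] = true;
    $_SESSION['username'] = $username;
    $_SESSION['loginAt']  = time();
}

// Included at the top of every protected page, replacing the cookie test.
// Do not include it on the login page itself, or you get the redirect loop
// Ashley mentions in the other thread.
function requireLogin(string $loginUrl = '/login.php'): void
{
    $expired = isset($_SESSION['loginAt'])
        && (time() - $_SESSION['loginAt']) > SESSION_LIFETIME;
    if (empty($_SESSION['loggedIn']) || $expired) {
        $_SESSION = [];
        session_destroy();
        header('Location: ' . $loginUrl);
        exit;
    }
}

startAuthSession();
requireLogin();
```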





Re: [PHP] authentication verification

2008-05-29 Thread Greg Maruszeczka
On Thu, 29 May 2008 14:20:02 -0600 (MDT)
DeadTOm [EMAIL PROTECTED] wrote:

 So the user comes to the site and they're presented with a log in
 page. They enter their username and password and php checks a mysql
 database for a matching username and password.
 In the case of a match, php then sets a cookie on their browser with a
 value of 1 for authenticated and 0 for not authenticated. Every
 subsequent page the user views checks the status of this cookie and
 if it's a zero it kicks them back to the log in page. This cookie
 expires in 5 days and after that they'll have to log in again.
 I'm aware that this is terribly easy to circumvent by
 creating/modifying a cookie with the 1 value and the site thinks
 you've passed muster. What is a better way of doing this?
 
 --
 
 DeadTOm
 http://www.mtlaners.org
 [EMAIL PROTECTED]
 A Linux user since 1999.
 
 
 

Sessions.

http://php.net/manual/en/ref.session.php

-- 
   
Greg Maruszeczka

http://websagesolutions.com
skype: websage.ca
googletalk: gmarus

Those who are possessed by nothing possess everything.
-- Morihei Ueshiba




Re: [PHP] Authentication script working in firefox but strange results in ie7

2007-08-04 Thread Sancar Saran
Hello ,
That code doesn't mean anything to the client browser; you may have a session cookie 
problem. Please check the php.net online manual about it.

Regards

Sancar

On Saturday 04 August 2007 18:20:49 Brian Seymour wrote:
 I mostly use Firefox but still I check to make sure everything works in IE7
 and other browsers equally as well. I had strange results here. I have a
 simple login form(user/pass field and submit button). I have the actual
 login request script in a common php file. I have an Authentication class
 that handles my auth stuff. With the code the way it is, it works perfectly
 in firefox. However, in IE7 when you log in it shows the restricted stuff
 but as soon as you navigate anywhere else you no longer have access. If you
 login again then it works fine just like the first time you logged in using
 firefox.

 Now if you change $_SESSION['uid']=="" to !isset($_SESSION['uid']) then it
 works perfectly on both browsers.

 Anyhow, rifle through the code -- just something to think about. Anybody
 else have a similar issue before?

 Web Code:
 Restricted stuff:
   <?php
   if ($_SESSION['uid']==""){
       $ops->postLogin($e);
   }else{
   ?>
   Logged in stuff(Restricted stuff)
   <?php } ?>

 Common snippet:
   if ($_POST["action"]=="login"){
       $auth = new Authentication($host,$user,$pass,"dbname","http://aerocore.net/");
       if ($auth->verifyCreds($_POST['username'],$_POST['password'],"base_contributors","id"))
       {
           $_SESSION['uid'] = $auth->retId;
           $auth->failSafe();
           break;
       }
   }

 Authentication:
   class Authentication extends SQL {
       public $errorMsg;
       public $retId;
       public $clean = array();
       public $fail;

       public function __construct($host,$user,$pass,$dbname = null,$fail)
       {
           // pass the caller's $dbname through (the original passed "$dbname = null",
           // which always handed the parent null)
           parent::__construct($host,$user,$pass,$dbname);
           $this->fail=$fail;
       }

       public function failSafe()
       {
           header("Location: {$this->fail}");
       }

       final public function sanitizeLoginCreds($user, $pass)
       {
           $this->clean['username']=strip_tags($user);
           $this->clean['password']=strip_tags($pass);
           if (!ctype_alnum($this->clean['username'])){ $this->clean['username']=""; }
           if (!ctype_alnum($this->clean['password'])){ $this->clean['password']=""; }
       }

       final public function verifyCreds($user, $pass, $table, $retVal = null)
       {
           $this->sanitizeLoginCreds($user,$pass);

           //$this->result = $this->query("SELECT * FROM $table where username='{$this->clean['username']}' and password='{$this->clean['password']}'");

           // array keys inside {} string interpolation must be quoted
           if ($this->fetchNumRows("SELECT * FROM $table where username='{$this->clean['username']}' and password='{$this->clean['password']}'") == 0)
           {
               $this->errorMsg = "Incorrect Username/Password Combo";
               $this->failSafe();
               return false;
           }
           else
           {
               if (isset($retVal))
               {
                   $this->retId = $this->fetchArray("SELECT * FROM $table where username='{$this->clean['username']}' and password='{$this->clean['password']}'");
                   $this->retId = $this->retId[$retVal];
               }
               return true;
           }

       }

       final public function secureLogout()
       {
           $_SESSION = array();
           session_destroy();
           $this->failSafe();
       }

       public function __destruct(){}
   }

 Brian Seymour
 Zend Certified Engineer
 AeroCoreProductions
 http://www.aerocore.net/




Re: [PHP] Authentication

2007-07-31 Thread Dan Shirah
Correct Stut, I want transparent authentication, but I also want to have the
currently logged in user name pulled so I can use it for tracking purposes.
My application deals with very sensitive company information and I want to
pull the username for tracking purposes. I have everything running local on
the same PC.  Win2k3 server, IIS, PHP and MSSQL Server.  I have PHP
installed for use with ldap and have NT Authentication set in IIS for the
site.  This allows me to perform the transparency, but I can't seem to
extract the username.

On 7/29/07, Stut [EMAIL PROTECTED] wrote:

 Dan Shirah wrote:
  I looked on PHP.net but I couldn't find anything suitable to answer my
  question.
 
  Within PHP, is there a way to pull the name of the user that is currently
  logged into the PC?
 
  I know with some of the _SERVER functions you can pull the IP of the machine
  and other data, is there a function within this family that would work?

 I'm assuming you're after transparent authentication where the user
 doesn't need to do anything to authenticate with the site. This is only
 possible with IE as the client on an NT domain with the server on the
 same domain. If you're using IIS on the server then it's as easy as
 removing anonymous and basic authentication from the site/directory. If
 you're using Apache or something else you need to find an
 extension/module that provides NTLM authentication, but not all of the
 ones I tried fully supported the transparent side of it.

 I implemented this for a corporate intranet a while back in Apache on
 FreeBSD with mod_ntlm (Google for it - dunno if it's still maintained).
 That was in 2004 and information was sparse, but with a bit of research
 and *lots* of experimenting I was able to get it to work.

 To be perfectly honest, if I were doing it again I'd save the time and
 use IIS on the server - sooo much easier.

 -Stut

 --
 http://stut.net/



Re: [PHP] Authentication

2007-07-31 Thread Stut

Dan Shirah wrote:
Correct Stut, I want transparent authentication, but I also want to have 
the currently logged in user name pulled so I can use it for tracking 
purposes.  My application deals with very sensitive company information 
and I want to pull the username for tracking purposes. I have everything 
running local on the same PC.  Win2k3 server, IIS, PHP and MSSQL 
Server.  I have PHP installed for use with ldap and have NT 
Authentication set in IIS for the site.  This allows me to perform the 
transparency, but I can't seem to extract the username.


Spit out the contents of $_SERVER with print_r - it's probably in there 
somewhere.


print '<pre>'.print_r($_SERVER, true).'</pre>';

-Stut

--
http://stut.net/
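A way to consume what that print_r shows, as an added example that is not code from the thread: on IIS with Windows authentication the negotiated account shows up in AUTH_USER, LOGON_USER or REMOTE_USER (which one is populated depends on the IIS version and configuration, so all three are checked in order), and the value is only trusted when AUTH_TYPE says the server itself did the authentication. The ldap extension Dan mentions is assumed for the filter helper.

```php
<?php
// Added example, not from the thread. Assumes PHP on IIS with Windows (NT)
// authentication enabled and anonymous access disabled for the site, so IIS
// fills AUTH_TYPE and one of the user variables below; and the ldap extension.

/**
 * Returns ['domain' => ..., 'user' => ...] for a server-authenticated request,
 * or null when the server did not authenticate the caller. Every value comes
 * from $server (normally $_SERVER) and is validated before it is logged or
 * used in an LDAP lookup.
 */
function ntAuthenticatedUser(array $server): ?array
{
    // Only trust the identity when IIS itself negotiated it. Basic auth is
    // deliberately excluded: a transparent login should never be Basic.
    $authType = strtoupper($server['AUTH_TYPE'] ?? '');
    if (!in_array($authType, ['NEGOTIATE', 'NTLM'], true)) {
        return null;
    }

    $raw = '';
    foreach (['AUTH_USER', 'LOGON_USER', 'REMOTE_USER'] as $key) {
        if (!empty($server[$key])) {
            $raw = $server[$key];
            break;
        }
    }
    if ($raw === '') {
        return null;
    }

    // Accept DOMAIN\user or user@domain only; anything else is rejected
    // rather than passed on into a log line or an LDAP filter.
    if (preg_match('/^([A-Za-z0-9._-]{1,64})\\\\([A-Za-z0-9._-]{1,64})$/', $raw, $m)) {
        return ['domain' => strtoupper($m[1]), 'user' => strtolower($m[2])];
    }
    if (preg_match('/^([A-Za-z0-9._-]{1,64})@([A-Za-z0-9.-]{1,253})$/', $raw, $m)) {
        return ['domain' => strtoupper($m[2]), 'user' => strtolower($m[1])];
    }
    return null;
}

/**
 * Builds the sAMAccountName filter used to cross-check the user in LDAP.
 * ldap_escape() stops a crafted account name from altering the filter.
 */
function ldapUserFilter(string $user): string
{
    return '(&(objectClass=user)(sAMAccountName='
        . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . '))';
}

// Constructed sample of what print_r($_SERVER) shows on such a request.
$sample = [
    'AUTH_TYPE'   => 'Negotiate',
    'AUTH_USER'   => 'CORP\\jdoe',
    'REMOTE_USER' => '',
    'REMOTE_ADDR' => '10.0.0.5',
];
$who = ntAuthenticatedUser($sample);
if ($who !== null) {
    error_log("Request by " . $who['domain'] . '\\' . $who['user']);
    $filter = ldapUserFilter($who['user']);   // feed this to ldap_search()
}
```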




Re: [PHP] Authentication

2007-07-31 Thread Nathan Nobbe
Dan,

i realize i misunderstood the original question.  am i to understand you
have php running
on all of the client machines ?

thanks,

-nathan

On 7/31/07, Dan Shirah [EMAIL PROTECTED] wrote:

 Correct Stut, I want transparent authentication, but I also want to have
 the
 currently logged in user name pulled so I can use it for tracking
 purposes.
 My application deals with very sensitive company information and I want to
 pull the username for tracking purposes. I have everything running local
 on
 the same PC.  Win2k3 server, IIS, PHP and MSSQL Server.  I have PHP
 installed for use with ldap and have NT Authentication set in IIS for the
 site.  This allows me to perform the transparency, but I can't seem to
 extract the username.

 On 7/29/07, Stut [EMAIL PROTECTED] wrote:
 
  Dan Shirah wrote:
   I looked on PHP.net but I couldn't find anything suitable to answer
   my question.
  
   Within PHP, is there a way to pull the name of the user that is
   currently logged into the PC?
  
   I know with some of the _SERVER functions you can pull the IP of the
   machine and other data, is there a function within this family that would
   work?
 
  I'm assuming you're after transparent authentication where the user
  doesn't need to do anything to authenticate with the site. This is only
  possible with IE as the client on an NT domain with the server on the
  same domain. If you're using IIS on the server then it's as easy as
  removing anonymous and basic authentication from the site/directory. If
  you're using Apache or something else you need to find an
  extension/module that provides NTLM authentication, but not all of the
  ones I tried fully supported the transparent side of it.
 
  I implemented this for a corporate intranet a while back in Apache on
  FreeBSD with mod_ntlm (Google for it - dunno if it's still maintained).
  That was in 2004 and information was sparse, but with a bit of research
  and *lots* of experimenting I was able to get it to work.
 
  To be perfectly honest, if I were doing it again I'd save the time and
  use IIS on the server - sooo much easier.
 
  -Stut
 
  --
  http://stut.net/
 



Re: [PHP] Authentication

2007-07-29 Thread Stut

Dan Shirah wrote:

I looked on PHP.net but I couldn't find anything suitable to answer my
question.

Within PHP, is there a way to pull the name of the user that is currently
logged into the PC?

I know with some of the _SERVER functions you can pull the IP of the machine
and other data, is there a function within this family that would work?


I'm assuming you're after transparent authentication where the user 
doesn't need to do anything to authenticate with the site. This is only 
possible with IE as the client on an NT domain with the server on the 
same domain. If you're using IIS on the server then it's as easy as 
removing anonymous and basic authentication from the site/directory. If 
you're using Apache or something else you need to find an 
extension/module that provides NTLM authentication, but not all of the 
ones I tried fully supported the transparent side of it.


I implemented this for a corporate intranet a while back in Apache on 
FreeBSD with mod_ntlm (Google for it - dunno if it's still maintained). 
That was in 2004 and information was sparse, but with a bit of research 
and *lots* of experimenting I was able to get it to work.


To be perfectly honest, if I were doing it again I'd save the time and 
use IIS on the server - sooo much easier.


-Stut

--
http://stut.net/




Re: [PHP] Authentication

2007-07-28 Thread Richard Heyes

I looked on PHP.net but I couldn't find anything suitable to answer my
question.

Within PHP, is there a way to pull the name of the user that is currently
logged into the PC?

I know with some of the _SERVER functions you can pull the IP of the machine
and other data, is there a function within this family that would work?


If you're running your PHP script on IIS, maybe. Use print_r():

<?php
print_r($_SERVER);
?>

--
Richard Heyes
+44 (0)844 801 1072
http://www.websupportsolutions.co.uk

Knowledge Base and HelpDesk software
that can cut the cost of online support




Re: [PHP] Authentication

2007-07-27 Thread Daniel Brown
On 7/27/07, Dan Shirah [EMAIL PROTECTED] wrote:
 All,

 I looked on PHP.net but I couldn't find anything suitable to answer my
 question.

 Within PHP, is there a way to pull the name of the user that is currently
 logged into the PC?

 I know with some of the _SERVER functions you can pull the IP of the machine
 and other data, is there a function within this family that would work?

 Thanks,

 Dan


I couldn't hear you at first over your away message conversations.  ;-P

I know Perl (and, inherently, PHP) has a getenv identity
REMOTE_USER (http://hoohoo.ncsa.uiuc.edu/cgi/env.html), but I haven't
had success employing it but I think I only tried it once, about
six years ago, just to see if it would work.
-- 
Daniel P. Brown
[office] (570-) 587-7080 Ext. 272
[mobile] (570-) 766-8107




Re: [PHP] Authentication

2007-07-27 Thread Nathan Nobbe
on *.nix you could do something like

$users = explode(' ', `users`);

$users will then be an array w/ the usernames of the currently logged in
users.
user names may appear more than once, per the users documentation.

no clue or care on windows for me :)

-nathan

On 7/27/07, Dan Shirah [EMAIL PROTECTED] wrote:

 All,

 I looked on PHP.net but I couldn't find anything suitable to answer my
 question.

 Within PHP, is there a way to pull the name of the user that is currently
 logged into the PC?

 I know with some of the _SERVER functions you can pull the IP of the
 machine
 and other data, is there a function within this family that would work?

 Thanks,

 Dan



Re: [PHP] Authentication

2007-07-27 Thread cebesius
Maybe this: $_SERVER['PHP_AUTH_USER']

http://www.php.net/manual/en/reserved.variables.php#reserved.variables.server

Regards,
Carlton Whitehead

- Original Message -
From: Dan Shirah [EMAIL PROTECTED]
To: php-general php-general@lists.php.net
Sent: Friday, July 27, 2007 1:51:51 PM (GMT-0500) America/New_York
Subject: [PHP] Authentication

All,

I looked on PHP.net but I couldn't find anything suitable to answer my
question.

Within PHP, is there a way to pull the name of the user that is currently
logged into the PC?

I know with some of the _SERVER functions you can pull the IP of the machine
and other data, is there a function within this family that would work?

Thanks,

Dan




Re: [PHP] Authentication

2007-07-27 Thread Jim Lucas

[EMAIL PROTECTED] wrote:

Maybe this: $_SERVER['PHP_AUTH_USER']

http://www.php.net/manual/en/reserved.variables.php#reserved.variables.server

Regards,
Carlton Whitehead

- Original Message -
From: Dan Shirah [EMAIL PROTECTED]
To: php-general php-general@lists.php.net
Sent: Friday, July 27, 2007 1:51:51 PM (GMT-0500) America/New_York
Subject: [PHP] Authentication

All,

I looked on PHP.net but I couldn't find anything suitable to answer my
question.

Within PHP, is there a way to pull the name of the user that is currently
logged into the PC?

I know with some of the _SERVER functions you can pull the IP of the machine
and other data, is there a function within this family that would work?

Thanks,

Dan



This is used for the HTTP-authenticated user, not the local system user.

--
Jim Lucas

   Some men are born to greatness, some achieve greatness,
   and some have greatness thrust upon them.

Twelfth Night, Act II, Scene V
by William Shakespeare




Re: [PHP] Authentication

2007-07-27 Thread Richard Lynch
On Fri, July 27, 2007 12:51 pm, Dan Shirah wrote:
 I looked on PHP.net but I couldn't find anything suitable to answer my
 question.

 Within PHP, is there a way to pull the name of the user that is currently
 logged into the PC?

That data is not transmitted, by design, in an HTTP request.

 I know with some of the _SERVER functions you can pull the IP of the machine
 and other data, is there a function within this family that would work?

If you can find a JavaScript function to snoop the username, you could
then write that into the URL, I suppose...

But I suspect that, by design, JavaScript does not do this either.

Basically, the username on the visitor's computer is both meaningless
and far far far too private to be handing it out arbitrarily.

It's meaningless in that any user can buy a PC and set up any username
they want on it, and your webserver has NO IDEA what that username
means.

It's far far far too private, because it's none of your business to
know who I am when I'm surfing.

If you're trying to get some kind of one login system going, there
may or may not be some useful info in the ever-reappearing thread
regarding Active Directory and/or LDAP.

If you're trying to do something else, post whatever it is you are
trying to do, and perhaps you'll get some help.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




Re: [PHP] Authentication

2007-07-27 Thread Dan Shirah
My application is only used within my company. I want to pull the NT
Authenticated user that is logged in, cross reference that user with what I
have pulled from ldap and verify the user's name is valid. If the username
is valid I will assign it to a variable and use that variable to store the
name of the user that submitted the requests.

Yes, I am trying to get a single sign on method if possible.

 $_SERVER['REMOTE_ADDR'] works in bringing back the IP Address of the
computer I'm making the request from, but $_SERVER['REMOTE_USER'] does not
return anything.






Re: [PHP] Authentication

2007-07-27 Thread Satyam
If memory doesn't fail me, if you work with IIS and protect the source pages 
of the application so that IUSR_x (the generic anonymous user) doesn't 
have access to those files and instead grant access to the NT users or 
groups which you want, the IIS when working with IE clients will take care 
of that as long as they are all in the same domain.  I did it with IIS 3 and 
IE4 and it worked, I am not completely sure about the details, but it is 
something you do in the server administration and you don't need to do any 
programming at all, if the person reaches the page it is because it is who 
he says it is.


Otherwise, no browser will give you access to any sensitive information on 
the client machine, nothing that someone, anyone, might pick on the server 
side just by receiving a page request.


Satyam





RE: [PHP] Authentication

2007-07-27 Thread Jay Blanchard
[snip]
My application is only used within my company. I want to pull the NT
Authenticated user that is logged in, cross reference that user with
what I
have pulled from ldap and verify the user's name is valid. If the
username
is valid I will assign it to a variable and use that variable to store
the
name of the user that submitted the requests.

Yes, I am trying to get a single sign on method if possible.
[/snip]

This is one of those holy grail questions asked before several times
here. In order to pull this off the computer would have to know who you
are after you have logged on. ASP has
Request.ServerVariables("LOGON_USER") and requires that the web server
(IIS) be set up properly if IIS is set to use Basic Authentication
or Windows Authentication then LOGON_USER is populated.

So this is not possible using PHP (server-side). Perhaps JavaScript? Not
really. Hours of searching the web will reveal that this is not
probable. 

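Jay's and Satyam's replies come down to the same mechanism: the web server, not PHP, authenticates the Windows user, and afterwards exposes the result in a server variable (LOGON_USER on IIS; REMOTE_USER as PHP sees it in $_SERVER). The following is an added example, not code from the thread, showing how a PHP page would consume that variable for the LDAP cross-reference Dan describes. It assumes the server sets AUTH_TYPE on authenticated requests and leaves it unset for anonymous ones (the behaviour of IIS and of Apache's auth modules); the sample $_SERVER arrays, the domain and the user names are constructed.

```php
<?php
// Added example (not from the thread): read the principal that the web
// server authenticated, and never trust anything the client could have sent.
//
// REMOTE_USER / AUTH_USER / LOGON_USER are filled in by the server (IIS with
// Windows Authentication, Apache with a Kerberos/NTLM/LDAP auth module)
// only after a successful challenge.  They are server variables, not HTTP
// request headers, so a browser cannot inject them the way it can send
// "X-Remote-User: CORP\administrator" (which PHP exposes as HTTP_X_REMOTE_USER).

function authenticated_principal(array $server): ?array
{
    // Assumption: the server reports the authentication scheme it used in
    // AUTH_TYPE.  Anonymous requests (IUSR_x) carry no AUTH_TYPE at all.
    $authType = strtoupper($server['AUTH_TYPE'] ?? '');
    if (!in_array($authType, ['NEGOTIATE', 'NTLM', 'KERBEROS', 'BASIC'], true)) {
        return null;
    }

    $raw = $server['REMOTE_USER'] ?? $server['AUTH_USER'] ?? $server['LOGON_USER'] ?? '';
    if ($raw === '') {
        return null;
    }

    // IIS hands out "DOMAIN\user"; Kerberos front ends hand out "user@REALM".
    if (preg_match('/^([A-Za-z0-9._-]+)\\\\([A-Za-z0-9._-]+)$/', $raw, $m)) {
        return ['domain' => strtoupper($m[1]), 'user' => strtolower($m[2])];
    }
    if (preg_match('/^([A-Za-z0-9._-]+)@([A-Za-z0-9.-]+)$/', $raw, $m)) {
        return ['domain' => strtoupper($m[2]), 'user' => strtolower($m[1])];
    }
    // Anything else (spaces, wildcards, LDAP filter metacharacters) is
    // refused rather than interpolated into an LDAP search filter later.
    return null;
}

// Constructed sample environments standing in for $_SERVER.
$samples = [
    'iis_windows_auth' => ['AUTH_TYPE' => 'Negotiate', 'REMOTE_USER' => 'CORP\\jdoe'],
    'kerberos'         => ['AUTH_TYPE' => 'Negotiate', 'REMOTE_USER' => 'jdoe@CORP.EXAMPLE'],
    'anonymous'        => ['REMOTE_ADDR' => '10.0.0.5'],                  // IUSR_x: no AUTH_TYPE
    'spoof_attempt'    => ['HTTP_X_REMOTE_USER' => 'CORP\\administrator'], // client header: ignored
    'ldap_injection'   => ['AUTH_TYPE' => 'Negotiate', 'REMOTE_USER' => 'CORP\\*)(uid=*'],
];

foreach ($samples as $label => $env) {
    $p = authenticated_principal($env);
    printf("%-17s => %s\n", $label, $p ? "{$p['domain']}\\{$p['user']}" : 'not authenticated');
}
```

The value is only meaningful if anonymous access is disabled for the page, as Satyam describes: with anonymous access allowed, IIS never challenges the browser and REMOTE_USER stays empty, which is exactly what Dan observed.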



Re: [PHP] Authentication

2007-07-27 Thread Richard Lynch
On Fri, July 27, 2007 4:02 pm, Dan Shirah wrote:
 My application is only used within my company. I want to pull the NT
 Authenticated user that is logged in, cross reference that user with
 what I
 have pulled from ldap and verify the user's name is valid. If the
 username
 is valid I will assign it to a variable and use that variable to store
 the
 name of the user that submitted the requests.

 Yes, I am trying to get a single sign on method if possible.

 If you're trying to get some kind of one login system going, there
 may or may not be some useful info in the ever-reappearing thread
 regarding Active Directory and/or LDAP.

The answer remains: rtfa 




Re: [PHP] Authentication

2007-07-27 Thread Chad Robinson

Dan Shirah wrote:

My application is only used within my company. I want to pull the NT
Authenticated user that is logged in, cross reference that user with what I
have pulled from ldap and verify the user's name is valid. If the username
is valid I will assign it to a variable and use that variable to store the
name of the user that submitted the requests.

Yes, I am trying to get a single sign on method if possible.

 $_SERVER['REMOTE_ADDR'] works in bringing back the IP Address of the
computer I'm making the request from, but $_SERVER['REMOTE_USER'] does not
return anything.
  
There's an ActiveX component floating around that will pull this 
information from the user's PC and make it available so Javascript can 
get it (and then pass it on to you). You have to instruct each user's 
browser to consider your site in the trusted zone, but it works fine 
after that. This is how Microsoft does SSO in their own browser.


I didn't actually read too much into this link, but it might get you going:
http://archives.devshed.com/forums/php-windows-119/newb-get-username-that-is-currently-logged-in-to-windows-1765301.html

Basically, having the user put your site into the 'Trusted' zone allows 
Javascript to call out to things, which it can't do with default 
security settings.


After you get it, then you have to pass it to the server. If you want to 
get this automatically, make the entry page (index/default/whatever) run 
this javascript work, then at the tail end of it redirect the user to 
the login page using a GET or POST query to pass in the username. If it 
fails to get the username the login page can then just ask for it.


At least, maybe it will give you enough to Google now.

Regards,
Chad




Re: [PHP] Authentication

2007-07-27 Thread Sancar Saran
On Friday 27 July 2007 20:51:51 Dan Shirah wrote:
 All,

 I looked on PHP.net but I couldn't find anything suitable to answer my
 question.

 Within PHP, is there a way to pull the name of the user that is currently
 logged into the PC?

 I know with some of the _SERVER functions you can pull the IP of the
 machine and other data, is there a function within this family that would
 work?

 Thanks,

 Dan

Not sure and not tested.

If my memory is correct there were some options in AD login scripts to update 
DNS records of the current machine.

So if you can update logged machine dns records with containing current user 
information.

You may retrieve that information from DNS. 

Otherwise (except Activex solutions) there is no other way to pull this kind 
of information from client.

Regards

Sancar




RE: [PHP] Authentication

2007-07-27 Thread Instruct ICC

From: Dan Shirah [EMAIL PROTECTED]

All,

I looked on PHP.net but I couldn't find anything suitable to answer my
question.

Within PHP, is there a way to pull the name of the user that is currently
logged into the PC?

I know with some of the _SERVER functions you can pull the IP of the 
machine

and other data, is there a function within this family that would work?

Thanks,

Dan


What operating system is being run on this personal computer?
Who is running the PHP script?
Is the PHP script being run from a web page or the command line?

On a Mac, if I run phpinfo from a command line script, I see my user name in 
6 entries with variants of USER and LOGNAME.
If the user was logged into a PHP web page with say htaccess or a custom 
HTML Form, I could see the name he logged in with.







Re: [PHP] authentication problem

2005-04-29 Thread Richard Lynch
On Fri, April 29, 2005 8:50 am, Yavuz S. Atmaca said:
 $sql = "SELECT user_id
 FROM tbl_auth_user
 WHERE user_id = '$userId' AND
 user_password = PASSWORD('$password')";

Did you use the PASSWORD function when you inserted your passwords, or are
they just plain-text?

SELECT * FROM tbl_auth_user;

If you see 'secret' in the user_password field, you need to do:
UPDATE tbl_auth_user SET user_password = PASSWORD(user_password) WHERE
user_id = 1;

Or whatever user_id has a clear-text user_password.

That's about the only thing I can see that could be messing you up...

-- 
Like Music?
http://l-i-e.com/artists.htm

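For comparison with the PASSWORD()-based query quoted above, here is an added example (not code from the thread) of the same login done the way it would be written today: the hash is computed and checked by PHP, and the user-supplied values are bound through a PDO prepared statement instead of being interpolated into the SQL. MySQL's PASSWORD() function was removed in MySQL 8.0, and the interpolated form `WHERE user_id = '$userId'` lets a $userId such as `x' OR '1'='1` rewrite the query. The table and column names follow the thread; the in-memory SQLite database is an assumption so the example runs offline.

```php
<?php
// Added example (not from the thread): hash with password_hash() in PHP,
// verify with password_verify(), and keep user input out of the SQL text.

function open_db(): PDO
{
    // Assumed DSN so the example runs offline; in production this would be
    // a MySQL DSN such as 'mysql:host=localhost;dbname=app;charset=utf8mb4'.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE tbl_auth_user (user_id TEXT PRIMARY KEY, user_password TEXT NOT NULL)');
    return $pdo;
}

function register(PDO $pdo, string $userId, string $password): void
{
    // Only the salted hash is stored; the algorithm and cost are encoded in it.
    $stmt = $pdo->prepare('INSERT INTO tbl_auth_user (user_id, user_password) VALUES (:u, :h)');
    $stmt->execute([':u' => $userId, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $pdo, string $userId, string $password): bool
{
    // Look the hash up by user id only; the password never touches the SQL
    // and the user id is bound as a parameter, so quotes in it are just data.
    $stmt = $pdo->prepare('SELECT user_password FROM tbl_auth_user WHERE user_id = :u');
    $stmt->execute([':u' => $userId]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false;   // unknown user
    }
    return password_verify($password, $hash);
}

$pdo = open_db();
register($pdo, 'alice', 'secret');

var_dump(login($pdo, 'alice', 'secret'));           // correct password
var_dump(login($pdo, 'alice', 'wrong'));            // wrong password
var_dump(login($pdo, "x' OR '1'='1", 'anything'));  // injection attempt, bound as data
```

Richard's diagnostic still applies to the migration: existing rows that hold plaintext (or PASSWORD() output) have to be rehashed, which for password_hash() can only happen at the user's next successful login, since the original plaintext is needed.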



Re: [PHP] authentication problem...

2004-12-30 Thread Christophe Chisogne
Ali a écrit :
if ( ( !isset( $PHP_AUTH_USER )) || (!isset($PHP_AUTH_PW))
 || ( $PHP_AUTH_USER != 'user' ) || ( $PHP_AUTH_PW != 'open' ) ) {
Better use $_SERVER['PHP_AUTH_USER'] instead of $PHP_AUTH_USER
and $_SERVER['PHP_AUTH_PW'] instead of $PHP_AUTH_PW.
Chapter 33. HTTP authentication with PHP
http://www.php.net/manual/en/features.http-auth.php
Christophe


Re: [PHP] authentication

2004-12-28 Thread Zareef Ahmed
Hi  Ali,
 Visit 

http://zareef.users.phpclasses.org/browse/class/21.html

You will find a lot of code.

zareef ahmed 


On Tue, 28 Dec 2004 13:12:14 +1030, Ali [EMAIL PROTECTED] wrote:
 Hi everyone...
 can anyone lead me to a good tutorial on authentication...it would be good if
 i can get one in connection with a database..
 thanks
 


-- 
Zareef Ahmed :: A PHP Developer in India ( Delhi )
Homepage :: http://www.zareef.net




Re: [PHP] authentication

2004-12-27 Thread John Holmes
Ali wrote:
can anyone lead me to a good tutorial on authentication...it would be good if
i can get one in connection with a database..
$all_good = query("SELECT valid_user FROM table");
or use Google.
--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals  www.phparch.com


Re: [PHP] Authentication Class

2004-11-16 Thread raditha dissanayake
Bruno B B Magalhães wrote:
Hi guys,
well, I wrote a class for a big project (a framework), and here it 
is,  I was wondering if someone have any suggestions regarding 
flexibility  and security.
Wow it's the most artistic piece of php i have ever seen.
--
Raditha Dissanayake.
--
http://www.radinks.com/print/card-designer/ | Card Designer Applet
http://www.radinks.com/upload/  | Drag and Drop Upload


Re: [PHP] Authentication Class

2004-11-16 Thread Bruno B B Magalhães
Is this good or bad? heheh!
Regards,
Bruno B B Magalhaes
On Nov 16, 2004, at 3:31 PM, raditha dissanayake wrote:
Bruno B B Magalhães wrote:
Hi guys,
well, I wrote a class for a big project (a framework), and here it 
is,  I was wondering if someone have any suggestions regarding 
flexibility  and security.
Wow it's the most artistic piece of php i have ever seen.
--
Raditha Dissanayake.
--
http://www.radinks.com/print/card-designer/ | Card Designer Applet
http://www.radinks.com/upload/  | Drag and Drop Upload


Re: [PHP] authentication question

2004-11-02 Thread Greg Donald
On Tue, 2 Nov 2004 13:48:30 -0500, Kelly Meeks [EMAIL PROTECTED] wrote:
 I need to require username/password access  in two distinct ways.

PHP Generic Access Control Lists 

http://phpgacl.sourceforge.net/


-- 
Greg Donald
Zend Certified Engineer
http://gdconsultants.com/
http://destiney.com/




Re: [PHP] authentication problems!

2004-01-21 Thread Scott Taylor
Do you mean using

$file = '/protected/file.pdf';

or using an absolute path on the server?

Best Regards,

Scott

Subject:
Re: [PHP] authentication problems!
From:
Luke [EMAIL PROTECTED]
Date:
Wed, 21 Jan 2004 14:24:11 +1100
To:
[EMAIL PROTECTED]
Yeah, i think i mentioned the same thing(or was going to :/ )

you should be able to use the local filesystem, and refer to it relatively!
and then you can stream it and you won't need any authentication, and no one
will be able to directly link to the file
-- 
Luke


Re: [PHP] authentication problems!

2004-01-20 Thread Scott Taylor


by using HTML I meant, typing the address in to the broswer as 
http://username:[EMAIL PROTECTED]/protected/file.pdf or as using the 
HTML: a 
href=http://username:[EMAIL PROTECTED]/protected/file.pdfLink.../a 
or using the header:  header(Location: 
http://username:[EMAIL PROTECTED]/protected/file.pdf);

also, there is no problem retrieving a pdf after passing http basic 
authentication (I just double checked this on a client's site and was 
appropriately prompted with a pdf handling dialog box after I 
authenticated).

Of course there is not problem if the user is entering the information 
him or her self.  But just using this code:

   $file = 'http://miningstocks.com/protected/Dec03PostPress.pdf';
  
   //now view the PDF file
   header("Content-Type: application/pdf");
   header("Accept-Ranges: bytes");
   header("Content-Length: " . filesize($file));
   readfile($file);   

from a PHP page where no authentication has occurred does not work at all.

Let me say, if this is not clear, that I do not want unique usernames 
and passwords for users.  I want one username and password that WILL 
NEVER BE SEEN by the user. 

The way that I had planned was to keep ONE username and password which 
would allow access to all the files in a MySql database.  After the user 
entered his name and email address, the username and password would be 
fetched off the database, and then authentication would occur with this 
username and password and the user would be served the file.  The 
authentication would be completely transparent to the user.  But the 
different ways to authenticate transparent to the user either do not 
work or reveal the username and password (making it pointless to even 
protect the files in the first place).

Best Regards,

Scott Taylor



[EMAIL PROTECTED] wrote:

there are a couple of different ways to do this.

the http basic approach will work just fine.  with http basic the 
id/pw are passed in the headers in an encoded string, so i'm not 
certain about your:

 if using HTML, the username  password is easily seen

statement.

also, there is no problem retrieving a pdf after passing http basic 
authentication (I just double checked this on a client's site and was 
appropriately prompted with a pdf handling dialog box after I 
authenticated).

now, http basic assumes that the id/pw are in a file/database/etc. the 
password is generally encrypted (des or md5) but can be in clear text. 
so, for this to work, you'd probably need some type of registration 
page that will store the id/pw info that the apache server will query 
against. [i strongly recommend using a database, not a file, due to 
file locking issues.]

other approaches to this general issue include a URL mapping scheme. 
e.g., the public URL would drive the user through a one-time 
email/name collection process. when the user passes that they are 
served the document from the actual storage location. they can be done 
in a way that the true document URL is never shown.  obviously you'd 
have to do this in a way that would give the fake URL as a .pdf so 
that the client will handle things correctly.



-- Original Message --

From: Scott Taylor [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Tuesday, January 20, 2004 03:17:21 PM -0500
Subject: [PHP] authentication problems!
I am about at my wits end trying to find a good solution to this
problem.  I've asked various portions of this question to this mail list
and still have not found exactly what it is I am looking for, but here
it goes.
I'm looking for a way to protect my files (this would be pdf files,
image files, etc...other things then text/php files) so that for someone
to see a current file they will have to enter in their email address and
name.  Seems fairly simple, and yet I can not figure out how to do it.
I've been told of the following alternatives:
Protect the files with HTTP auth (basic, or use SSL if very paranoid),
then, after entering the info into a database:
1. just link to http://username:[EMAIL PROTECTED]/protect/file.pdf
(either directly using html, or use headers).  The problem:  if using
HTML, the username  password is easily seen.  If using headers, this
does not work (it is not seen as a PDF file) - my best guess is that the
auth headers get passed along and so it does not work.  Of course, I can
load a PDF using headers if the file is not in a protected directory
without any problems at all.  But then again it wouldn't be protected to
begin with.
1.b. It was later suggested that I could link to
http://username:[EMAIL PROTECTED]/protect/file.pdf and use an apache
rewrite statement to change every protected file to exclude the username
 password. But I've posted to an apache group and they have said that
this CAN NOT be done.
2.  link to something outside of my httpdocs directory.  Unfortunately,
I am on a shared server and do not have a private folder (or at least my
_private directory which is contained 

Re: [PHP] authentication problems!

2004-01-20 Thread Jason Wong
On Wednesday 21 January 2004 05:49, Scott Taylor wrote:

Please trim your posts!

 Of course there is not problem if the user is entering the information
 him or her self.  But just using this code:

 $file = 'http://miningstocks.com/protected/Dec03PostPress.pdf';

 //now view the PDF file
 header("Content-Type: application/pdf");
 header("Accept-Ranges: bytes");
 header("Content-Length: " . filesize($file));
 readfile($file);

 from a PHP page where no authentication has occurred does not work at all.

Did you not read my reply to your previous thread about this? Use a local 
filesystem path to read the file.

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design  Hosting * Internet  Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
A dirty mind is a joy forever.
-- Randy Kunkee
*/

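Jason's and Luke's advice (read the file from a local path, outside the document root, after your own check) is what makes the second username/password unnecessary, and it also explains the failure Scott saw: readfile() on an http:// URL goes back out through the web server and its Basic auth, and filesize() cannot work on the http:// stream wrapper at all. The following is an added example, not code from the thread, of that gated download. It assumes the PDFs live in /var/www/protected (a directory no URL maps to) and that a register.php form sets $_SESSION['registered'] after collecting name and e-mail; the sample file and the request names in the offline run are constructed.

```php
<?php
// Added example (not from the thread): serve a PDF kept outside the web root
// once the visitor has passed the registration check.  No second password,
// no http://user:pw@host URL to leak, and no direct link to the file.

define('PROTECTED_DIR', PHP_SAPI === 'cli'
    ? sys_get_temp_dir() . '/protected-demo'   // stand-in directory for the offline run
    : '/var/www/protected');                   // assumed production location

// Map a request parameter to an absolute path inside PROTECTED_DIR, or null.
// The name is attacker-controlled, so: a plain "name.pdf" only, and the
// resolved path (realpath() collapses ../ and symlinks) must stay inside.
function protected_file_path(string $requested): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]+\.pdf$/', $requested)) {
        return null;
    }
    $base = realpath(PROTECTED_DIR);
    $path = realpath(PROTECTED_DIR . '/' . $requested);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

function send_pdf(string $path): void
{
    header('Content-Type: application/pdf');
    header('Content-Disposition: inline; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);   // local path: no second HTTP round trip, no auth prompt
}

if (PHP_SAPI === 'cli') {
    // Offline demonstration with a constructed file and constructed requests.
    @mkdir(PROTECTED_DIR, 0700);
    file_put_contents(PROTECTED_DIR . '/Dec03PostPress.pdf', "%PDF-1.4\n%constructed sample\n");
    $requests = ['Dec03PostPress.pdf', '../../../etc/passwd', 'Dec03PostPress.pdf/../x.pdf', 'missing.pdf'];
    foreach ($requests as $name) {
        printf("%-30s -> %s\n", $name, protected_file_path($name) ?? 'refused');
    }
    exit;
}

session_start();
// register.php sets this after the visitor has entered name and e-mail;
// without it the visitor is sent to the form instead of being given the file.
if (empty($_SESSION['registered'])) {
    header('Location: /register.php?next=' . urlencode($_SERVER['REQUEST_URI'] ?? '/'));
    exit;
}
$path = protected_file_path($_GET['file'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('No such document');
}
send_pdf($path);
```

On the shared host Scott mentions, "outside the document root" may simply mean a sibling directory the web server is not configured to serve; if even that is unavailable, a directory inside the root with an Apache `Deny from all` (or `Require all denied` on 2.4) rule gives the same effect, since PHP reads it through the filesystem, not through HTTP.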



Re: [PHP] authentication problems!

2004-01-20 Thread Luke
Yeah, i think i mentioned the same thing(or was going to :/ )

you should be able to use the local filesystem, and refer to it relatively!
and then you can stream it and you won't need any authentication, and no one
will be able to directly link to the file

-- 
Luke





Re: [PHP] Authentication

2003-12-16 Thread Chris Shiflett
--- Robert Sossomon [EMAIL PROTECTED] wrote:
 I currently use a .htaccess file for users to login, and now I need
 to make some changes to how the site works.
 
 I need to be able to have the users login, and once that is done the
 login needs to be used to pass through the database.

Search PEAR (http://pear.php.net/), because I'm pretty sure there are some
authentication classes that let you use a database to store the access
credentials.

Hope that helps.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
 Coming mid-2004
HTTP Developer's Handbook
 http://httphandbook.org/




RE: [PHP] Authentication

2003-12-16 Thread Robert Sossomon
I am not trying to authenticate off of a database though.  I have
scripts that automatically modify the .htaccess file as I change a user,
so I need to authenticate off the .htaccess file and store the users
information into a cookie.  I think from the cookie I can do everything
else, just not sure how to get the information from the browser to show
me the user of the page.

~~~
I am a quick leaner, dependable, and motivated.

-Real live resume statement 
~~~





Re: [PHP] Authentication

2003-12-16 Thread Justin Patrin
Well, you could use PEAR::Auth to do these things without having to 
write to a .htaccess file (That's a potential security risk).

Then answer to your question is $_SERVER['PHP_AUTH_USER']. That variable 
will give you the currently logged in user. $_SERVER['PHP_AUTH_PW'] is 
the password.

--
paperCrane Justin Patrin


RE: [PHP] Authentication

2003-12-16 Thread Chris Shiflett
--- Robert Sossomon [EMAIL PROTECTED] wrote:
 I am not trying to authenticate off of a database though. I have
 scripts that automatically modify the .htaccess file as I change a
 user, so I need to authenticate off the .htaccess file and store
 the users information into a cookie. I think from the cookie I can
 do everything else, just not sure how to get the information from
 the browser to show me the user of the page.

I'm not sure I understand, but you can get the username and password used
in the HTTP authentication from these two variables:

$_SERVER['PHP_AUTH_USER']
$_SERVER['PHP_AUTH_PW']

Hope that helps.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
 Coming mid-2004
HTTP Developer's Handbook
 http://httphandbook.org/




RE: [PHP] Authentication

2003-12-16 Thread Robert Sossomon
Duh, OK, Now I REALLY feel stupid.  With the current setup using the
.htaccess files and everything I have in place all I needed to do was
get the information from: $_SERVER['PHP_AUTH_USER'] and
$_SERVER['PHP_AUTH_PW']. I kept thinking I had to use PHP to set those
values.  Thanks guys!!  Works like a charm now!

Robert
(still learning PHP)..  :)
~~~
Creditors have better memories than debtors. 
~~~




Re: [PHP] authentication variable

2003-08-30 Thread Curt Zirzow
* Thus wrote BhongOng ([EMAIL PROTECTED]):
 Hi,
 
 I have some questions. Is it possible to pass login data such
 as username and password to the HTTP Basic Authentication
 dialog box from PHP? How do you code that?

I know for sure with Basic authentication you can't.

 
 Is it also possible to get the variable data from the Authentication
 dialog once login? I tried putting phpinfo() in an index.php page inside
 the web protected directory but I can only see the username in the
 variables..

Answers to this and probably other questions that might come up
about authentication:

  http://php.net/features.http-auth



Curt
-- 
I used to think I was indecisive, but now I'm not so sure.

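The two threads above fit together: Chris and Justin point Robert at $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'], Justin notes that scripts rewriting .htaccess are a risk, and Curt answers BhongOng that PHP cannot push credentials into the Basic dialog. The following added example, which is not code from the thread, has PHP issue the Basic challenge itself, so those two variables are filled from the Authorization header without any .htaccess or htpasswd file, and the credentials are checked against password hashes. It assumes PHP 7.1 or later and a site served over TLS, since Basic sends "user:password" base64-encoded (not encrypted) on every request; the user store and its single account are constructed.

```php
<?php
// Added example (not from the thread): PHP doing HTTP Basic authentication
// itself.  PHP fills $_SERVER['PHP_AUTH_USER'] / ['PHP_AUTH_PW'] from the
// Authorization header; the 401 + WWW-Authenticate response is what makes
// the browser show its dialog (PHP cannot pre-fill that dialog).

// Constructed user store: only password_hash() output is kept, never the
// plaintext.  In a real deployment this comes from the database.
function user_hashes(): array
{
    static $users = null;
    if ($users === null) {
        $users = ['robert' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return $users;
}

// Returns the verified username, or null.  Unknown users are checked against
// a dummy hash so the response time does not reveal which usernames exist.
function check_credentials(?string $user, ?string $pw): ?string
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $users = user_hashes();
    $known = $user !== null && isset($users[$user]);
    $ok = password_verify($pw ?? '', $known ? $users[$user] : $dummy);
    return ($ok && $known) ? $user : null;
}

// Challenge the browser until it sends acceptable credentials.  Once it has
// them, the browser resends them on every request to this realm, which is
// why there is no "logout" in Basic auth short of closing the browser.
function require_basic_auth(string $realm = 'Members only'): string
{
    $user = check_credentials($_SERVER['PHP_AUTH_USER'] ?? null,
                              $_SERVER['PHP_AUTH_PW'] ?? null);
    if ($user === null) {
        header('WWW-Authenticate: Basic realm="' . $realm . '", charset="UTF-8"');
        http_response_code(401);
        exit("Authentication required\n");
    }
    return $user;
}

$who = require_basic_auth();
echo 'Logged in as ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8') . "\n";
```

Which SAPI is in use matters here: with mod_php the variables are available as soon as the header arrives, while under CGI/FastCGI the web server may strip the Authorization header before PHP sees it and has to be told to pass it through (Apache 2.4.13+ has `CGIPassAuth On` for this). Robert's working setup, where Apache's own mod_auth did the checking and PHP merely read the variables, is the other arrangement the same two variables support.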



Re: [PHP] Authentication system

2003-07-15 Thread Justin French
Doug,

On Thursday, July 3, 2003, at 05:42  AM, Doug Essinger-Hileman wrote:

Now I need to learn how to take the incoming message and process it.
I am assuming that the processing can be done by php. Any
suggestions, either on how to do this, or where I might learn how to
do this?
The simple version of this is to say:


please click on this link to confirm your membership
http://domain/activate.php?id=123&confirmCode=lkj23hkjtq

In other words, they're activating via a URL, rather than replying to 
an email... it's a lot more portable than reading emails or pushing 
emails to command line PHP scripts.

You need the random code (which should be generated upon registration, 
and kept track of in relation to the userid) to make sure people don't 
automate the process of confirming.

Cheers,
Justin


Re: [PHP] Authentication system

2003-07-05 Thread olinux
there's a good example in this article

A Complete, Secure User Login System
by Tim Perdue
http://www.phpbuilder.com/columns/tim2505.php3


olinux


 On 2 Jul 2003 at 13:00, Mike Migurski wrote:
 
  You may find it easier to include, in the e-mail,
 a
  uniquely-generated, limited-time URL that the
 person can visit to
  verify that they have received the e-mail. This
 will remove the burden
  of having to set up a system that responds to
 e-mail commands.
 
 Thanks, Mike. I think my brain is working undertime
 at the moment. 
 Can you give me an example? (Or point me in the
 direction of one?)
 
 Doug




Re: [PHP] Authentication system

2003-07-02 Thread Mike Migurski
At the point where they fill out the registration form, I am sending them
an email, informing them that they have been registered. On many sites
I've gone to, the process then includes a requirement that the person
reply to the message.

Now I need to learn how to take the incoming message and process it.  I
am assuming that the processing can be done by php. Any suggestions,
either on how to do this, or where I might learn how to do this?

You may find it easier to include, in the e-mail, a uniquely-generated,
limited-time URL that the person can visit to verify that they have
received the e-mail. This will remove the burden of having to set up a
system that responds to e-mail commands.

-
michal migurski- contact info and pgp key:
sf/ca    http://mike.teczno.com/contact.html


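As an added example that is not part of any post in this thread, here is how the uniquely-generated, limited-time URL Mike describes above and the random confirmCode in Justin's activate.php sketch fit together in PHP: the code is drawn from the CSPRNG at registration, only its hash is stored next to the user id, the link expires, and it can be used once. The endpoint name activate.php, the 24-hour lifetime and the in-memory SQLite table are assumptions made for the demo.

```php
<?php
// Added example, not code from the thread: single-use, time-limited e-mail
// activation link. Assumes PDO with the sqlite driver; the table and the
// sample user are constructed for the demo.
declare(strict_types=1);

const ACTIVATION_TTL = 24 * 3600;   // link lifetime in seconds (assumption)

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE users (
            id INTEGER PRIMARY KEY, email TEXT, active INTEGER DEFAULT 0,
            confirm_hash TEXT, confirm_expires INTEGER)');
    }
    return $pdo;
}

// Called at registration: returns the URL to put in the e-mail. Only a hash
// of the code is stored, so a copy of the table does not yield working links.
function issueActivationLink(int $userId): string
{
    $code = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG, not guessable
    $stmt = db()->prepare('UPDATE users SET confirm_hash = ?, confirm_expires = ? WHERE id = ?');
    $stmt->execute([hash('sha256', $code), time() + ACTIVATION_TTL, $userId]);
    // "domain" and activate.php are the placeholder names used in the thread
    return 'https://domain/activate.php?' . http_build_query(['id' => $userId, 'confirmCode' => $code]);
}

// activate.php: validates id and confirmCode from the query string.
function activate(array $query): bool
{
    $id   = filter_var($query['id'] ?? '', FILTER_VALIDATE_INT);
    $code = $query['confirmCode'] ?? '';
    if ($id === false || !is_string($code) || !preg_match('/^[0-9a-f]{32}$/', $code)) {
        return false;
    }
    $stmt = db()->prepare('SELECT confirm_hash, confirm_expires, active FROM users WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['active'] || $row['confirm_expires'] < time()) {
        return false;   // unknown user, already active, or link expired
    }
    // constant-time comparison of the stored hash with the hash of the presented code
    if (!is_string($row['confirm_hash']) || !hash_equals($row['confirm_hash'], hash('sha256', $code))) {
        return false;
    }
    // single use: the code is cleared in the same statement that activates the account
    db()->prepare('UPDATE users SET active = 1, confirm_hash = NULL, confirm_expires = NULL WHERE id = ?')
        ->execute([$id]);
    return true;
}

// Demo with a constructed user record.
db()->exec("INSERT INTO users (id, email) VALUES (123, 'user@example.com')");
$url = issueActivationLink(123);
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
var_dump(activate($query));                                            // first visit
var_dump(activate($query));                                            // link already consumed
var_dump(activate(['id' => 123, 'confirmCode' => str_repeat('0', 32)])); // wrong code
```

The same pattern serves password-reset links; the only differences are a shorter lifetime and invalidating the token when the password changes.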



Re: [PHP] Authentication system

2003-07-02 Thread Doug Essinger-Hileman
On 2 Jul 2003 at 13:00, Mike Migurski wrote:

 You may find it easier to include, in the e-mail, a
 uniquely-generated, limited-time URL that the person can visit to
 verify that they have received the e-mail. This will remove the burden
 of having to set up a system that responds to e-mail commands.

Thanks, Mike. I think my brain is working undertime at the moment. 
Can you give me an example? (Or point me in the direction of one?)

Doug





Re: [PHP] Authentication

2003-03-18 Thread Erik Price


Beauford.2002 wrote:
I am looking for a simple authentication script that uses MySQL. I have
downloaded about 10 of them (most with no instructions on its use), but
even at that they are not what I need.
The PEAR project has 7 different authentication packages, including Auth 
which I understand lets you design your own.  PEAR code tends to be 
widely used and well-tested.  Also there is a mailing list similar to 
this one dedicated to discussion of and support for PEAR projects.

http://pear.php.net/packages.php?catpid=1&catname=Authentication

When you go to the main page of my site it will ask you to login or signup.
So I want to be able to authenticate the user if he logs in (not too much of
a problem here, but I want to protect all pages (I don't want to use cookies
as not everyone has these enabled). What other options do I have? If anyone
knows a small script that can be modified, or point me in the right
direction of how to do this, it would be appreciated.
If you really want to reinvent the wheel, write an include file that is 
included onto every page of your site except your login page and the 
ones that you don't need to protect.  This include file should check for 
a flag that indicates whether or not the user is logged in.  If the user 
is not logged in, send a redirect header to the login page followed 
immediately by an exit() call.  This way none of your scripts will be 
accessible without the user being logged in.  To handle the login, the 
simple way to do it is to accept a username and password input from the 
user on the login screen and ship these to the database or wherever your 
user list is kept and test to see if they are valid.  If they are valid, 
set the flag in the user's session indicating that they are logged in 
(which is checked by the include file).  For maximum security, use SSL 
and beware the possibility of session hijacking.  If you don't want to 
use cookies, you can either embed the SID in all hyperlinks of your site 
or just recompile PHP with the --enable-trans-sid flag (unless you're on 
PHP 4.2 or greater).

Erik



Re: [PHP] authentication question...

2003-03-02 Thread Ernest E Vogelsinger
At 07:02 02.03.2003, Sunfire said:
[snip]
basic question about www-authenticate header...(least i hop its simple)
i have the code:
<?php
header("WWW-Authenticate: basic realm='a realm'");
header("HTTP/1.0 401 Unauthorized");  // 401 (not 402) is the status that triggers the login dialog
                                      // dont understand what this line does
echo "you didnt login yet\n";         // understand it but want
                                      // something else like a header sent out...
dont understand what the second line is for and was wondering if that third
line that someone gets when you hit cancel can be turned into another
header? or is there a way to force a header block even if output has already
been put on the screen?
[snip] 

To understand the header lines you need to have some basic knowledge of the
HTTP protocol. Start eating the HTTP RFC:
http://www.w3.org/Protocols/rfc2616/rfc2616

This will also enlighten you about the fact that a header cannot be sent
after content has been pushed out.

This said you can use output buffering
(http://www.php.net/manual/en/function.ob-start.php) to avoid output being
sent before the headers:

Example:

ob_start();
echo "some stuff";

// we decide to redirect the client
ob_end_clean();  // clear the output buffer
header('Location: http://somewhere.com');

HTH,

-- 
   O Ernest E. Vogelsinger
   (\)ICQ #13394035
^ http://www.vogelsinger.at/



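As an added example that is not part of Sunfire's or Ernest's posts, here is a complete HTTP Basic authentication gate in PHP. It shows the two header lines from the question doing their jobs (the realm in WWW-Authenticate, and the 401 status that makes the browser raise its dialog), reads the result back from $_SERVER['PHP_AUTH_USER'] / $_SERVER['PHP_AUTH_PW'] as the other replies in this thread describe, and verifies the password against a password_hash() value. The credential store, the user name 'alice' and the realm are constructed for the demo.

```php
<?php
// Added example, not code from the thread: an HTTP Basic authentication
// gate. The credential store is constructed for the demo.
declare(strict_types=1);

// Constructed credential store: username => password_hash() output.
function credentialStore(): array
{
    static $store = null;
    if ($store === null) {
        $store = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return $store;
}

// True only when the name exists and the password verifies. Unknown names are
// still checked against a throwaway hash so the response time does not reveal
// which user names exist.
function checkCredentials(?string $user, ?string $pass): bool
{
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(8)), PASSWORD_DEFAULT);
    $store = credentialStore();
    $known = $user !== null && isset($store[$user]);
    $ok = password_verify($pass ?? '', $known ? $store[$user] : $dummy);
    return $known && $ok;
}

// Call at the top of a protected script, before any output. Returns the
// authenticated user name, or sends the challenge and stops.
function requireBasicAuth(string $realm): string
{
    $user = $_SERVER['PHP_AUTH_USER'] ?? null;
    $pass = $_SERVER['PHP_AUTH_PW'] ?? null;
    if (checkCredentials($user, $pass)) {
        return $user;
    }
    // WWW-Authenticate names the realm; the 401 status is what makes the
    // browser show its login dialog (a 402 would not).
    header('WWW-Authenticate: Basic realm="' . addcslashes($realm, '"\\') . '", charset="UTF-8"');
    http_response_code(401);
    // This body is what the user sees after pressing Cancel in the dialog.
    echo "You have not logged in yet.\n";
    exit;
}

if (PHP_SAPI === 'cli') {
    // Offline demo of the verification logic (there is no HTTP request in the CLI).
    var_dump(checkCredentials('alice', 'correct horse'));
    var_dump(checkCredentials('alice', 'wrong'));
    var_dump(checkCredentials('mallory', 'correct horse'));
} else {
    $who = requireBasicAuth('a realm');
    header('Content-Type: text/plain');
    echo "Hello, $who\n";
}
```

Two practical notes: Basic sends the user name and password, merely base64-encoded, on every request, so this only makes sense over TLS; and when PHP runs as CGI/FastCGI the Authorization header is not passed through by default, so PHP_AUTH_USER stays empty unless the server is told to forward it (Apache 2.4.13 and later: CGIPassAuth On).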



RE: [PHP] authentication problem

2003-02-28 Thread Daniel Masson
Is it the Win IIS authentication system ??? or apache .htaccess 



Daniel E Massón.
Development Engineer
[EMAIL PROTECTED]

Imagine S.A. 
Your Effective Ally on the Internet
www.imagine.com.co
(57 1)2182064 - (57 1)6163218
Bogotá - Colombia 

- Web solutions for Internet and Intranet
- Network solutions
- Software licensing
- Consulting and Technical Support

 

-----Original Message-----
From: Oliver Witt [mailto:[EMAIL PROTECTED]] 
Sent: Friday, February 28, 2003 10:44
To: [EMAIL PROTECTED]
Subject: [PHP] authentication problem

Hi again,
My problem was about authentication without the default popup, but with
a form that submits the credentials. I still didn't get it to work, so
I'd like to know if anyone has ever done anything like that. I just
can't get it to work right and I'd like to see a working script
thx,
Oliver





Re: [PHP] authentication

2003-02-04 Thread ed

I don't think the process is an extra step at all. In fact, it's just a
trade off using one or the other. You can either login using php and a
database backend or just authenticate using .htaccess directives.

In my case (a few months back) what I was trying to do was offer up a
single login page for 500 or so different companies each having their own
directory on my server. Each directory is password protected via
.htaccess. They would all login using my php interface which would in turn
check the username and password for matching. Their database record would
also contain the URL to their directory on my server. After logging in I
tried to use a header call containing the username, password and URL but
it never quite worked although you can actually do it in the address bar
of the browser with ease. Theoretically it should work like a charm but I
never got the chance to investigate any further because I was rushed off
to the next Big Project.

Ed







Re: [PHP] authentication

2003-02-04 Thread Goetz Lohmann
[EMAIL PROTECTED] wrote:
 I don't think the process is an extra step at all. In fact, it's just a
 trade off using one or the other. You can either login using php and a
 database backend or just authenticate using .htaccess directives.
 
snip


 On Mon, 3 Feb 2003, Chris Shiflett wrote:
 
 
There is a way to supposedly do this by authenticating
a username and password through php first through such
methods as database lookups and then passing the
username and password through $PHP_AUTH_USER and
$PHP_AUTH_PW using the header() command to point to the
URL of the .htaccess protected directory but I have
never gotten it to work myself.

The variables $PHP_AUTH_USER and $PHP_AUTH_PW are available
to you when the user authenticates via HTTP basic
authentication. Thus, the user has already had to type in
the username and password into a separate window, which is
what the original poster is trying to avoid.

To then send the user to another URL and supply the
authentication credentials in the URL itself just creates
an unnecessary step.


snip

In fact you could combine .htaccess AND $PHP_AUTH because it's
all depending on Apache. Apache is looking for the variables
AUTH_USER and AUTH_PW ... not PHP ... PHP just sends this via
header() and the Apache result is copied to PHP_AUTH.

That way you could use a PHP file to build the login page
and an .htaccess file to define the restrictions

use something like

<FilesMatch "\.(gif|jpe?g|png|htm|html)$">
  require valid-user
</FilesMatch>

to restrict access to the specified files and note that the
data of the .htpasswd must be the same as the user/password
definitions of the database. Maybe you might use mod_auth_db
instead of mod_auth.
With FilesMatch instead of Limit you only protect files
not the way/method how to get them. With the line above
all .html files are protected and .php files are not.
In combination with DirectoryMatch you could also make a
special definition range ...

you only have to beware of the MD5 password ... use

<?php
  // random two-character salt from the crypt() alphabet; never derive the salt from the password itself
  $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
  $salt     = $alphabet[random_int(0, 63)] . $alphabet[random_int(0, 63)];
  $password = crypt($_SERVER['PHP_AUTH_PW'], $salt);
?>

to generate a password valid for an .htaccess file



-- 
 @  Goetz Lohmann, Germany   |   Web-Developer  Sys-Admin
\/  --
()  He's the fellow that people wonder what he does and
||  why the company needs him, until he goes on vacation.






Re: [PHP] authentication

2003-02-04 Thread Goetz Lohmann
Goetz Lohmann wrote:
 snip

maybe take a look at

http://www.diegonet.com/support/mod_auth_mysql.shtml

;-)


-- 
 @  Goetz Lohmann, Germany   |   Web-Developer  Sys-Admin
\/  --
()  He's the fellow that people wonder what he does and
||  why the company needs him, until he goes on vacation.






Re: [PHP] authentication

2003-02-03 Thread Chris Shiflett
--- Chris Winters [EMAIL PROTECTED] wrote:
 If you by chance come across a secure area that prompts
 the username and passcode to a folder

Can you rephrase that? I can't tell what you are talking
about. Does a separate window pop up prompting for a
username and password, or is this part of the Web page in
your browser?

Chris





Re: [PHP] authentication

2003-02-03 Thread Chris Winters
Sorry about that.

What I meant was for example, sometimes I come across protected sites that
require a username and passcode. So, if one was to protect a directory or
folder, a regular dialog will appear for username and passcode prompt within
the web browser. I was researching some variables that I came across which
is called $PHP_AUTH_USER, $PHP_AUTH_PW, and $PHP_AUTH_TYPE.

At my location, on the network, when I reach a protected folder, I always
have to enter the username and passcode within the browser (because it's
actually accessing an actual directory to list out). However, I would like to
bypass that by a user entering the username and passcode via HTML, instead
of the dialog showing.

I hope that helps a little.

Thanks







Re: [PHP] authentication

2003-02-03 Thread Chris Shiflett
--- Chris Winters [EMAIL PROTECTED] wrote:
 So, if one was to protect a directory or folder, a
 regular dialog will appear for username and passcode
 prompt within the web browser. I was researching some
 variables that I came across which is called
 $PHP_AUTH_USER, $PHP_AUTH_PW, and $PHP_AUTH_TYPE.

Yes, these variables deal with HTTP basic authentication.

 I would like to by pass that by a user entering the
 username and passcode via HTML, instead of the dialog
 showing.

In that case, you will want to do exactly as you say,
collect the username and password via an HTML form and
authenticate the credentials with PHP. It sounds like you
are currently relying on your Web server to provide the
access restrictions.

So, you can either:

1. Keep HTTP basic authentication enabled in the Web server
for these directories and live with the behavior.
2. Turn off HTTP basic authentication in the Web server and
write a login page in PHP. It is then up to you to control
access to whatever resources you want to protect, so this
will require a bit of work on your part.

Hope that helps.

Chris





Re: [PHP] authentication

2003-02-03 Thread Chris Winters
Chris,

Exactly. I am relying on the webserver to provide the restrictions.

Now my next question:
what functions should I utilize or come close to to do it? There aren't any
PHP pages directed towards the directory itself. It is just a hard link to
the protected areas. Are there any functions that support it?

Im googling now ;)

Thanks for your answers in advanced and previously.
Chris





Re: [PHP] authentication

2003-02-03 Thread ed

There is a way to supposedly do this by authenticating a username and
password through php first through such methods as database lookups and
then passing the username and password through $PHP_AUTH_USER and
$PHP_AUTH_PW using the header() command to point to the URL of the
.htaccess protected directory but I have never gotten it to work myself. 

if ($pass == $dbpass) {   // $dbpass: the password looked up from the database

    header("Location:$PHP_AUTH_USER:$PHP_AUTH_PW@http://www.someprotectedsite.com");

}

My command above may be wrong. I haven't tried it for a while. I know you
can do such a thing on the Address bar of any browser and pass it that way
though.

Ed


On Mon, 3 Feb 2003, Chris Winters wrote:

 Chris,
 
 Exactly. I am relying on the webserver to provide the restrictions.
 
 Now my next question:
 what functions should I utilize or come close to to do it? There isnt any
 PHP pages directed towards teh directory itself. Its is just a hard link to
 the protected areas. Are there any functions that support it?
 
 Im googling now ;)
 
 Thanks for your answers in advanced and previously.
 Chris
 
 Chris Shiflett [EMAIL PROTECTED] wrote in message
 [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
  --- Chris Winters [EMAIL PROTECTED] wrote:
   So, if one was to protect a directory or folder, a
   regular dialog will appear for username and passcode
   prompt within the web browser. I was researching some
   variables that I came across which is called
   $PHP_AUTH_USER, $PHP_AUTH_PW, and $PHP_AUTH_TYPE.
 
  Yes, these variables deal with HTTP basic authentication.
 
   I would like to by pass that by a user entering the
   username and passcode via HTML, instead of the dialog
   showing.
 
  In that case, you will want to do exactly as you say,
  collect the username and password via an HTML form and
  authenticate the credentials with PHP. It sounds like you
  are currently relying on your Web server to provide the
  access restrictions.
 
  So, you can either:
 
  1. Keep HTTP basic authentication enabled in the Web server
  for these directories and live with the behavior.
  2. Turn off HTTP basic authentication in the Web server and
  write a login page in PHP. It is then up to you to control
  access to whatever resources you want to protect, so this
  will require a bit of work on your part.
 
  Hope that helps.
 
  Chris
 
 
 
 -- 
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php
 






Re: [PHP] authentication

2003-02-03 Thread ed


I'm sorry the line should have been...

header("Location: http://$PHP_AUTH_USER:$PHP_AUTH_PW@www.someprotectedsite.com");

Ed






Re: [PHP] authentication

2003-02-03 Thread Chris Shiflett
 There is a way to supposedly do this by authenticating
 a username and password through php first through such
 methods as database lookups and then passing the
 username and password through $PHP_AUTH_USER and
 $PHP_AUTH_PW using the header() command to point to the
 URL of the .htaccess protected directory but I have
 never gotten it to work myself.

The variables $PHP_AUTH_USER and $PHP_AUTH_PW are available
to you when the user authenticates via HTTP basic
authentication. Thus, the user has already had to type in
the username and password into a separate window, which is
what the original poster is trying to avoid.

To then send the user to another URL and supply the
authentication credentials in the URL itself just creates
an unnecessary step.

 There isnt any PHP pages directed towards teh directory
 itself. Its is just a hard link to the protected areas. 
 Are there any functions that support it?

 Im googling now ;)

I'm still having a bit of trouble interpreting your
question, so Google might have a hard time, too. :-)

If you are protecting static resources such as images and 
HTML files with your Web server currently, the only way to
protect these with PHP is to store them outside of the
document root (so that your Web server cannot serve them
directly) and serve them with PHP (using
header("Content-Type: whatever")) once you have determined
whether the user should be allowed to access the particular
resource.

Hopefully that can help refine your search.

Chris

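As an added example that is not part of Chris's post, here is what serving a protected static file from outside the document root looks like in PHP: the script makes the access decision, resolves the requested name safely inside the private directory, and sends the Content-Type itself. The private directory /srv/private, the script name serve.php and the session flag it checks are assumptions; the CLI demo at the bottom builds a temporary directory to run against.

```php
<?php
// Added example, not code from the thread: serving a protected static file
// that is stored outside the document root. PRIVATE directory, script name
// and session flag are assumptions.
declare(strict_types=1);

// Resolve a user-supplied file name to a real file under $root. Returns null
// when the name escapes the directory (../, absolute paths, symlinks) or the
// file does not exist.
function resolveProtectedPath(string $root, string $name): ?string
{
    $root = realpath($root);
    if ($root === false || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    $path = realpath($root . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must begin with the resolved root plus a separator.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// serve.php?f=<name>: the access check lives here, in PHP, because the web
// server cannot reach files outside its document root on its own.
function serveProtectedFile(string $root, string $name, bool $loggedIn): void
{
    if (!$loggedIn) {
        http_response_code(403);
        exit;
    }
    $path = resolveProtectedPath($root, $name);
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($path) ?: 'application/octet-stream';
    header('Content-Type: ' . $type);
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    // Bitmap images may render inline; anything else is offered as a download
    // so a stored HTML or SVG file cannot run script in the site's origin.
    $inline = strncmp($type, 'image/', 6) === 0 && $type !== 'image/svg+xml';
    header('Content-Disposition: ' . ($inline ? 'inline' : 'attachment')
        . '; filename="' . rawurlencode(basename($path)) . '"');
    readfile($path);
    exit;
}

if (PHP_SAPI === 'cli') {
    // Constructed private directory with one file, to exercise the resolver.
    $root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'protected_' . bin2hex(random_bytes(4));
    mkdir($root);
    file_put_contents($root . DIRECTORY_SEPARATOR . 'report.txt', "constructed sample report\n");
    var_dump(resolveProtectedPath($root, 'report.txt'));
    var_dump(resolveProtectedPath($root, '../../etc/passwd'));
    var_dump(resolveProtectedPath($root, '/etc/passwd'));
    var_dump(resolveProtectedPath($root, 'missing.txt'));
} else {
    // e.g. serve.php?f=report.txt, after a login page has set the session flag
    session_start();
    serveProtectedFile('/srv/private', (string) ($_GET['f'] ?? ''),
        !empty($_SESSION['userInfo']['loggedin']));
}
```

The realpath() prefix check is what makes the file name safe to take from the request; a denylist of "../" is not enough, because symlinks and encoded separators get past it.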




Re: [PHP] authentication

2003-02-03 Thread Philip Olson

Read this:
  http://www.php.net/features.http-auth

Regards,
Philip






Re: [PHP] Authentication programming

2003-01-15 Thread Jordan Elver
Hi Justin,

Thanks for that link, looks pretty interesting. I'll take a closer read later.

Cheers,
Jord
-- 
Jordan Elver
Eagles may soar high, but weasels don't get sucked into jet engines. -- David 
Brent (The Office)






Re: [PHP] Authentication programming

2003-01-14 Thread Stephen
Devarticles has a series of Authentication tutorials and a tutorial on
OOP itself. Here are the links:

http://www.devarticles.com/art/1/349

-- Member Script Tutorial: --
-- There are 6 parts --

http://www.devarticles.com/art/1/241
http://www.devarticles.com/art/1/245
http://www.devarticles.com/art/1/262
http://www.devarticles.com/art/1/285
http://www.devarticles.com/art/1/323

Part six isn't up yet so check back to the same site later...


- Original Message -
From: Jordan Elver [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 14, 2003 3:07 PM
Subject: [PHP] Authentication programming


: Hi,
: I'm about to start a new project which will require a login system. The
: system should allow for different types of access on a per page basis. I'm
: going to achieve the login system using sessions, which I have done before.
:
: My problem is that I don't want to have to do much login checking on the
: actual pages within the system. I would like it to be included and handled
: outside of the main application.
:
: <?php
: /* authenticate */
: $page_permission = 'admin';
: include('includes/login.inc');
:
: /* other page functionality */
:
: ?>
:
: So, you set the permission for the individual page. I would also like to
: do this as a class, which I am not experienced in. I haven't found any very
: elegant solutions to this. Could anyone point out some urls or anything to
: show me in the right direction?
:
: Cheers,
: Jord
: --
: Jordan Elver
: There's no 'I' in 'team'. But then there's no 'I' in 'useless smug
: colleague', either. And there's four in 'platitude-quoting idiot'. Go
: figure. -- David Brent (The Office)







Re: [PHP] Authentication programming

2003-01-14 Thread Justin French
on 15/01/03 7:07 AM, Jordan Elver ([EMAIL PROTECTED]) wrote:

 Hi,
 I'm about to start a new project which will require a login system. The system
 should allow for different types of access on a per page basis. I'm going to
 achieve the login system using sessions, which I have done before.
 
 My problem is that I don't want to have to do much login checking on the
 actual pages within the system. I would like it to be included and handled
 outside of the main application.

yes

 <?php
 /* authenticate */
 $page_permission = 'admin';
 include('includes/login.inc');
 
 /* other page functionality */
 
 ?>

yes same thing I do


 So, you set the permission for the individual page. I would also like to do
 this as a class, which I am not experienced in. I haven't found any very
 elegant solutions to this. Could anyone point out some urls or anything to
 show me in the right direction?

it's not *exactly* what you want at all, but if you've got a brain, you can
adapt the concept to what you want with ease (I have)... there is an
article on sitepoint.com / webmasterbase.com by kevin yank.

http://www.WebmasterBase.com/article/319

basically, he ends up with a script called 'restricted.php' which he
includes at the top of any page which he wants to restrict to logged in
users only...

it works fine, but needs updating to account for $_POST/GET/SESSION etc, but
should give you the principles to adapt or write your own.


Cheers,

Justin


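As an added example that is not part of Justin's, Jordan's or Erik Price's posts, here is the session-based scheme they describe written out: a login handler that verifies the submitted credentials and sets the logged-in flag in the session, and a restricted.php-style guard that each protected page includes after setting $page_permission, redirecting to the login page and calling exit when the flag or the permission level is missing. It adds the two checks a practitioner would want that the posts only hint at (session_regenerate_id() after login against session fixation, and a server-side idle timeout rather than relying on the browser). The user table, the level names, the form field names txtUser/txtPass and the file names login.php, restricted.php and index.php are assumptions made for the demo.

```php
<?php
// Added example, not code from the thread: login handler plus the guard
// include for protected pages, with a per-page permission level. Users,
// level names and file names are assumptions for the demo.
declare(strict_types=1);

// Constructed user table: name => [password_hash() output, level]
function users(): array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['hash' => password_hash('s3cret-pw', PASSWORD_DEFAULT), 'level' => 'admin'],
            'bob'   => ['hash' => password_hash('hunter2-pw', PASSWORD_DEFAULT), 'level' => 'user'],
        ];
    }
    return $users;
}

const LEVELS   = ['user' => 1, 'admin' => 2];   // increasing privilege
const MAX_IDLE = 1800;                            // seconds of inactivity before a login lapses

// Verify credentials. On success return what goes into the session, else null.
function login(string $user, string $pass): ?array
{
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(8)), PASSWORD_DEFAULT);   // used for unknown names
    $users = users();
    $known = isset($users[$user]);
    if (!password_verify($pass, $known ? $users[$user]['hash'] : $dummy) || !$known) {
        return null;
    }
    return ['loggedin' => true, 'userName' => $user, 'level' => $users[$user]['level'], 'seen' => time()];
}

// The check restricted.php performs on every protected page: a live login
// whose level is at least the level the page asks for.
function authorised(array $session, string $pagePermission): bool
{
    $u = $session['userInfo'] ?? null;
    if (!is_array($u) || ($u['loggedin'] ?? false) !== true) {
        return false;
    }
    if (time() - (int) ($u['seen'] ?? 0) > MAX_IDLE) {
        return false;   // server-side timeout, independent of the browser
    }
    return (LEVELS[$u['level']] ?? 0) >= (LEVELS[$pagePermission] ?? PHP_INT_MAX);
}

// Session id only in a cookie (never in a URL), HttpOnly and TLS-only.
function startSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

// login.php: POST handler for the form (fields txtUser / txtPass).
function handleLoginRequest(): void
{
    startSession();
    $info = login((string) ($_POST['txtUser'] ?? ''), (string) ($_POST['txtPass'] ?? ''));
    if ($info === null) {
        http_response_code(401);
        echo 'authentication failed';
        return;
    }
    session_regenerate_id(true);   // fresh id after login defeats session fixation
    $_SESSION['userInfo'] = $info;
    header('Location: /index.php');
    exit;
}

// restricted.php: set $page_permission, then include this at the top of the page.
function requireLogin(string $pagePermission): void
{
    startSession();
    if (!authorised($_SESSION, $pagePermission)) {
        header('Location: /login.php');
        exit;   // stop right after the redirect so nothing below ever runs
    }
    $_SESSION['userInfo']['seen'] = time();
}

if (PHP_SAPI === 'cli') {
    // Offline demo of the decision logic.
    var_dump(authorised(['userInfo' => login('alice', 's3cret-pw')], 'admin'));
    var_dump(authorised(['userInfo' => login('bob', 'hunter2-pw')], 'admin'));
    var_dump(authorised(['userInfo' => login('bob', 'hunter2-pw')], 'user'));
    var_dump(login('bob', 'wrong'));
}
```

Keeping the decision in authorised() as a pure function of the session array is what lets the guard be reused by a class wrapper later, as Jordan asked, without touching the pages that include it.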




Re: [PHP] Authentication: HTTP or homegrown?

2002-10-15 Thread Chris Shiflett

Jackson,

It really depends on what you are wanting to protect, but in most cases, 
it is better to use a homegrown solution.

If you are interested in why I say this, read on ...

HTTP authentication has two breeds, basic and digest. With basic, the 
*authentication* credentials (e.g., name and password) are passed in 
clear text for every single request to a protected resource (so, 
probably for every request for a page in your application). So, even if 
you do not use SSL, using your own authentication and then switching to 
PHP sessions only exposes the user's authentication credentials once. 
There are other disadvantages as well, such as depending on the client's 
browser for things like timeout, removing the control from yourself.

Digest authentication addresses the major concern of exposed 
authentication credentials as well as many other minor ones, but support 
for it is inconsistent, and only newer browsers are going to have good 
support. So, while it is definitely a better alternative to basic 
authentication, it is not a good option for most people.

Using your own does not require much work if you don't want it to. Even 
a simple username and password collection combined with the out of the 
box PHP sessions solution is probably more suitable in most cases than 
HTTP's native authentication.

Now, arguments for HTTP authentication would weigh heavier for static 
resources such as images and HTML files that you want to protect without 
relying on server-side code (for example, in cases where there is no 
support for PHP, mod_perl, etc.).

That's my opinion anyway ...

Chris

Jackson Miller wrote:

I am curious what method of authentication is preferred by people on
this list.  Are you using PHP scripts for authentication and limiting
access, or are you using HTTP header info.  Maybe it is best to use
both.







Re: [PHP] Authentication

2002-07-08 Thread Justin French

Have a look at Kevin Yank's article on sitepoint.com called something like
restricting page access with php and mysql.

It formed the basis of my user and session management.

Basically, you should be re-checking your username and password on every
page, so it shouldn't be too hard to extend this to check for which course
numbers they've paid for.  You'll also need to extend it so that some pages
are not restricted (eg home), but still maintain/carry the session.

I guess what I'm saying is to keep as much data as possible in the database,
rather than in sessions, because sessions, cookies etc etc can all be
spoofed or hijacked.

So at the top of each page, you're checking:

- if the username and password match the database
- if the course # requested has been paid for

If yes, then show page, else tell 'em to go away :)


That's what I'd be doing... otherwise, you've asked how to assign a variable
to a session, pretty much.

$_SESSION['coursepaidfor'] = 45;


Which should be pretty easy to compare.



Justin French



on 08/07/02 7:20 PM, Anthony Rodriguez ([EMAIL PROTECTED]) wrote:

 Dear Richard,
 
 Again thank you for your reply. I'm sorry to keep bothering you. Please
 tell me when to stop.
 
 Let me explain what I'm trying to do and maybe you'll point me in the right
 direction.
 
 I'm developing a paid Web site for business courses. Some pages will be
 available to all visitors (e.g. the Home page). Other pages will be
 available to paid visitors. The usernames, passwords, and courses paid
 for will be stored in a MySQL table. One of the pages will be a form to ask
 a user for his/her username, password, and course paid for. The form will
 be sent to a PHP script that validates the responses. I know how to do
 this. In that PHP script I'd like to create a session variable (i.e.: the
 course #) that would be used to validate each page of the course.
 
 At the top of each course page (PHP script) there would be an if statement
 (if course # equals session variable display page, else go elsewhere).
 
 Can you help?
 
 Thank you!
 
 Tony
 
 






RE: [PHP] Authentication

2002-07-03 Thread Lazor, Ed

Use sessions.  Create a user_id and pass that as a session variable rather
than the user's actual login and password.

-Original Message-
On my site, when a user logs in, their password is encrypted using md5() and
the username and encrypted password is then passed from page to page using
hidden form inputs (clicking on a link submits the form using POST).
Does anyone have any comments on this method e.g. security wise? I know I
could use sessions or cookies but is it really necessary?




Re: [PHP] Authentication

2002-07-03 Thread Martin Clifford

Sessions make life so much easier, in my opinion.  I used to do what you do, passing 
from one page to the next.  Now, when a user successfully logs in, ONE line of code 
passes all the necessary variables from page to page without me having to do a damn 
thing.

I don't personally see TOO much wrong with passing the encrypted password along, 
especially since you aren't displaying it in the URI's query string.  BUT, if someone 
DID get a hold of the encrypted password, they can run millions of words through md5() 
until one matched.  I would hope that people aren't bored enough to do that, but past 
actions have proved that wrong.

The magic line:  session_start().  That's it.  It holds ALL information about the 
session, and makes my life SO much easier.

HTH

Martin

 Peter [EMAIL PROTECTED] 07/03/02 03:32PM 
On my site, when a user logs in, their password is encrypted using md5() and
the username and encrypted password is then passed from page to page using
hidden form inputs (clicking on a link submits the form using POST).
Does anyone have any comments on this method e.g. security wise? I know I
could use sessions or cookies but is it really necessary?







RE: [PHP] Authentication

2002-07-03 Thread Cal Evans

I agree with Ed.  Use sessions.

It's more secure than how you are doing it because the username is not stored
in the page and retransmitted each page.

=C=

*
* Cal Evans
* The Virtual CIO
* http://www.calevans.com
*


-Original Message-
From: Peter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 03, 2002 2:32 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Authentication


On my site, when a user logs in, their password is encrypted using md5() and
the username and encrypted password is then passed from page to page using
hidden form inputs (clicking on a link submits the form using POST).
Does anyone have any comments on this method e.g. security wise? I know I
could use sessions or cookies but is it really necessary?







Re: [PHP] Authentication

2002-07-03 Thread Chris Shiflett

Lazor, Ed wrote:

Use sessions.  Create a user_id and pass that as a session variable rather
than the user's actual login and password.

-Original Message-
On my site, when a user logs in, their password is encrypted using md5() and
the username and encrypted password is then passed from page to page using
hidden form inputs (clicking on a link submits the form using POST).
Does anyone have any comments on this method e.g. security wise? I know I
could use sessions or cookies but is it really necessary?


This is good advice. There are many reasons why, but here's one off the 
top of my head:

When you pass the encrypted password around, you can pretty much 
consider it in the public domain, right? Well, what happens when someone 
else takes that encrypted password (why bother decrypting it?) and 
presents it back to your site? That's right; they're in. This is called 
a presentation attack, and you'd be amazed at how many sites are 
vulnerable to this (I wrote an article a while back about how to break 
into MS Passport using this technique).

How do sessions help against this? Well, they don't solve the problem 
entirely, of course, but the unique ID you pass around won't be the same 
unique ID *every* time that user visits the site. So, you at least have 
a good chance of making the window of time that an imposter has to work 
with very small.

Security is all about making things really hard for potential attackers.

Chris






Re: [PHP] Authentication

2002-07-03 Thread Alberto Serra

Chris Shiflett wrote:

 How do sessions help against this? Well, they don't solve the problem 
 entirely, of course, but the unique ID you pass around won't be the same 
 unique ID *every* time that user visits the site. So, you at least have 
 a good chance of making the window of time that an imposter has to work 
 with very small.

If you want to avoid even this small window, just store on a db file the 
session numbers you give away, along with the IP address of the user who 
got it. Then when you get a new request for that session check the IP 
you are getting it from and you are 100% sure the guy is who he says to be.

There is one side-effect, though. Users on unstable dial-up lines do 
lose their sessions when they get disconnected and call again. It may 
have an impact on sales.

Alberto
Kiev

-- 


-_=}{=_-@-_=}{=_--_=}{=_-@-_=}{=_--_=}{=_-@-_=}{=_--_=}{=_-

LoRd, CaN yOu HeAr Me, LiKe I'm HeArInG yOu?
lOrD i'M sHiNiNg...
YoU kNoW I AlMoSt LoSt My MiNd, BuT nOw I'm HoMe AnD fReE
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is...






Re: [PHP] Authentication

2002-07-03 Thread Chris Shiflett

Alberto Serra wrote:

 Chris Shiflett wrote:

 How do sessions help against this? Well, they don't solve the problem 
 entirely, of course, but the unique ID you pass around won't be the 
 same unique ID *every* time that user visits the site. So, you at 
 least have a good chance of making the window of time that an 
 imposter has to work with very small.


 If you want to avoid even this small window, just store on a db file 
 the session numbers you give away, along with the IP address of the 
 user who got it. Then when you get a new request for that session 
 check the IP you are getting it from and you are 100% sure the guy is 
 who he says to be. 


The 100% part is inaccurate. :)

IPs can also be spoofed, but this is good advice, because it further 
complicates attacks. Anything you can do to make an attack more 
difficult is a good idea, but you can get to a point where the decrease 
in risk just isn't going to be worth the extra effort. So, while Mr. 
Serra's suggestion is a very good one, remember that any security model 
can be improved.

As a caveat to Mr. Serra's suggestion, remember that there are *many* 
users who will go through an IP masquerading gateway or proxy, so their 
IP may fluctuate, even though they are actively browsing. For this 
reason, it is often necessary to tolerate some fluctuation in the IP 
address, perhaps only in the last octet though.

Another thing some people use to strengthen their security model is to 
involve some sort of sequence number in the data that the client sends 
back. For example, instead of just a session ID, perhaps you have a 
cookie, URL variable, or whatever that is an encrypted (two-way so you 
can decrypt it) session ID, sequence number, and anything else you might 
think of to include. When you decrypt this at the beginning of each 
script, you make sure the sequence number is not less than the last 
sequence number sent (which you store on the server), that the timestamp 
is acceptable to you, and that the session ID in the encrypted string 
matches the session ID they are using. This presents a sort of race 
condition for a potential attacker where he/she must respond with the 
sequence number prior to the client's next request. This will make the 
window of opportunity as small as the client's time spent on a 
particular page.

That's just another idea or two. You can probably improve on that with 
your own creativity; just don't get carried away. :)

Happy hacking.

Chris






Re: [PHP] Authentication

2002-07-03 Thread Jason Wong

On Thursday 04 July 2002 09:09, Chris Shiflett wrote:

 As a caveat to Mr. Serra's suggestion, remember that there are *many*
 users who will go through an IP masquerading gateway or proxy, so their
 IP may fluctuate, even though they are actively browsing. For this
 reason, it is often necessary to tolerate some fluctuation in the IP
 address, perhaps only in the last octet though.

This can be self-defeating in that an attacker in the same network segment as 
the user is probably in the best position to sniff and hijack the session 
that you're trying to protect. Allowing this leeway makes the attacker's job 
much easier!

-- 
Jason Wong - Gremlins Associates - www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design  Hosting * Internet  Intranet Applications Development *

/*
Life, loathe it or ignore it, you can't like it.
-- Marvin, Hitchhiker's Guide to the Galaxy
*/






Re: [PHP] Authentication

2002-07-03 Thread Alberto Serra

Chris Shiflett wrote:
  Alberto Serra wrote:
  If you want to avoid even this small window, just store on a db file
  the session numbers you give away, along with the IP address of the
  user who got it. Then when you get a new request for that session
  check the IP you are getting it from and you are 100% sure the guy is
  who he says to be.

  The 100% part is inaccurate. :)

Much too true LOLOL

  As a caveat to Mr. Serra's suggestion, remember that there are *many*
  users who will go through an IP masquerading gateway or proxy, so
  their IP may fluctuate, even though they are actively browsing. For
  this reason, it is often necessary to tolerate some fluctuation in
  the IP address, perhaps only in the last octet though.

Thanks, I guess I'll just do that. I was actually wondering how to leave 
this barrier up without being nasty to normal users. That also solves 
the dial-up problem, at least much of it, as callers will fluctuate 
mostly on the last octet if they do reconnect through the same ISP, 
right? Besides, IP masquerading gateways ARE a problem with the 
suggestion I gave. And I guess this also explains why we are having so 
much trouble in counting users (that is, IPs) whenever ADSL connection 
come around. Any suggestion?

  Another thing some people use to strengthen their security model is to
  involve some sort of sequence number in the data that the client sends
  back. For example, instead of just a session ID, perhaps you have a
  cookie, URL variable, or whatever that is an encrypted (two-way so you
  can decrypt it) session ID, sequence number, and anything else you
  might think of to include.

So you mean I have a 32 byte MD5 session id to identify the current 
visit, plus another such thing to identify the step within it, right?
But why decrypting it? A presentation attack would give it back to 
server in the encrypted form anyway. What do we lose by just generating 
a random MD5 key and using it as it is with no encrypted meaning?

Now, just tell me if I got you right. Since we are comparing 3 IP octets 
plus the two MD5 keys we get an attack window like this:

hacker has three matching octets on his IP, plus he does attack while 
the real user is still using the visit-session/content-session key the 
hacker has stolen, right? This makes it dangerous for last pages (those 
seen right before exiting site), as they actually last for ages.

Anyway, it DOES seem more than enough security to me.
Thanks a lot!

Alberto
Kiev





Re: [PHP] Authentication

2002-07-03 Thread Chris Shiflett

Alberto Serra wrote:

 So you mean I have a 32 byte MD5 session id to identify the current 
 visit, plus another such thing to identify the step within it, right?
 But why decrypting it? A presentation attack would give it back to 
 server in the encrypted form anyway. What do we lose by just 
 generating a random MD5 key and using it as it is with no encrypted 
 meaning? 


I probably didn't explain this well enough; I was in a hurry earlier. :)

People who use this method of including an encrypted string (I've only 
used it on maybe two sites, because it does incur a performance hit) are 
*adding* to whatever security methods they are already using. So, in the 
case of using PHP's regular session management and adding the IP 
address, sequence number, and timestamp as an encrypted string, you get 
these two pieces of data residing with the client:

1. PHPSESSID in a cookie
2. Really long encrypted string in a cookie, in every URL, or whatever.

Item #2 is generated again on each page. It could be something like this 
when decrypted:

ip=xxx.xxx.xxx.xxx&timestamp=-mm-dd&seq_num=13

The idea is to make it very difficult to successfully pull off a 
presentation attack. If someone intercepts the encrypted string (which 
you should basically assume is going to happen), it's not going to do 
them any good unless they can achieve the following:

1. Make their IP address appear as close to the real user's IP address 
as necessary, depending on the type of checking you're doing
2. Make sure they request the next page before the real user does, so 
that the sequence number is correct
3. Do all of this within whatever window of time you allow as a maximum 
before the session times out, based on the timestamp in the encrypted 
string.

or:

1. Decrypt the string

Decryption can take a lot of time, depending on the algorithm you 
choose. Additionally, if you make sure the sequence number is exactly 
what you're expecting (rather than just making sure it hasn't already 
been passed), prompting for a password otherwise, you make it difficult 
for the attacker to choose the right one.

Either way, if you can make them attempt the decryption rather than any 
of the other methods, you've done a pretty good job tightening 
everything up. Most people aren't going to go through the hassle of that.

 Now, just tell me if I got you right. Since we are comparing 3 IP 
 octets plus the two MD5 keys we get an attack window like this:

 hacker has three matching octets on his IP, plus he does attack while 
 the real user is still using the visit-session/content-session key the 
 hacker has stolen, right? This makes it dangerous for last pages 
 (those seen right before exiting site), as they actually last for ages. 


This is where the maximum window comes in. You should have a maximum 
window that you tolerate for the users. You'll want to balance usability 
with security here; don't annoy your users too much. :)

Having the sequence number just adds the ability to make this window of 
time much smaller, as most users will browse through a site much more 
quickly than most timeouts. Though the last page opportunity you speak 
of does exist, the attacker must guess the correct transaction as well 
as accomplish the feat within your maximum window.

These are just some ideas, mind you. Many people (you sound like such a 
person) can develop their applications quite securely once they can step 
back and see the big picture and follow a few general guidelines, such 
as not trusting data from the client. In this case, the data from the 
client is like a driver's license, and rather than just use the license 
number, we're also checking their photograph and other personal 
information, so that an imposter has a more difficult time. :)

Happy hacking.

Chris
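The encrypted-string scheme Chris describes, as an added example written for this page (not code from the thread or from Chris): the string carries the session ID, client IP, timestamp and sequence number, and is protected with AES-256-GCM through PHP's openssl extension so a modified or forged string fails to decrypt at all. The key handling, the time window, the strict "exactly the next number" rule and all function names are assumptions.

```php
<?php
// Added example, not code from the thread. Each page issues a fresh token for
// the next request; each request is checked against the server-side record.
// Key handling, window length and function names are assumptions.

const TOKEN_MAX_AGE = 900;   // seconds before the embedded timestamp is considered stale

function issue_token(string $key, string $sessionId, string $ip, int $seq, int $now): string
{
    // Same shape as the decrypted string shown in the thread, plus the session ID.
    $payload = http_build_query([
        'sid' => $sessionId, 'ip' => $ip, 'timestamp' => $now, 'seq_num' => $seq,
    ]);
    $iv  = random_bytes(12);      // fresh nonce per token; never reused under one key
    $tag = '';
    $ct  = openssl_encrypt($payload, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('token encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

function open_token(string $key, string $token): ?array
{
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) < 12 + 16) {
        return null;
    }
    $iv    = substr($raw, 0, 12);
    $tag   = substr($raw, 12, 16);
    $ct    = substr($raw, 28);
    $plain = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        return null;              // wrong key or modified bytes: the GCM tag check fails
    }
    parse_str($plain, $fields);
    return $fields;
}

// $state is the server-side record for this session (e.g. kept in $_SESSION):
// ['seq_num' => last accepted sequence number]. It is advanced only on success.
function verify_token(string $key, string $token, string $sessionId, string $clientIp,
                      array &$state, int $now): string
{
    $f = open_token($key, $token);
    if ($f === null) {
        return 'reject: undecryptable';
    }
    if (!hash_equals($sessionId, (string) ($f['sid'] ?? ''))) {
        return 'reject: session id mismatch';
    }
    if (($f['ip'] ?? '') !== $clientIp) {   // exact match; relax here if proxies must be tolerated
        return 'reject: ip mismatch';
    }
    $ts = (int) ($f['timestamp'] ?? 0);
    if ($ts > $now || $now - $ts > TOKEN_MAX_AGE) {
        return 'reject: outside time window';
    }
    // Strict variant from the thread: the number must be exactly the next one, so a
    // replayed string (same number twice) and a guessed number both fail.
    if ((int) ($f['seq_num'] ?? -1) !== $state['seq_num'] + 1) {
        return 'reject: sequence number';
    }
    $state['seq_num'] += 1;
    return 'ok';
}

// Constructed walk-through: one legitimate request, then the same string presented again.
$key   = random_bytes(32);               // in production a fixed secret from configuration
$state = ['seq_num' => 12];
$sid   = 'constructed-session-id';
$token = issue_token($key, $sid, '203.0.113.7', $state['seq_num'] + 1, time());
echo verify_token($key, $token, $sid, '203.0.113.7', $state, time()), "\n";   // legitimate client
echo verify_token($key, $token, $sid, '203.0.113.7', $state, time()), "\n";   // replay: sequence number rejected
echo verify_token($key, $token, $sid, '198.51.100.9', $state, time()), "\n";  // other source address rejected
```

After a successful check the page calls issue_token() again with $state['seq_num'] + 1 and hands that string to the client for its next request.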






Re: [PHP] Authentication

2002-07-03 Thread Alberto Serra

Jason Wong wrote:
 On Thursday 04 July 2002 09:09, Chris Shiflett wrote:
 
 
As a caveat to Mr. Serra's suggestion, remember that there are *many*
users who will go through an IP masquerading gateway or proxy, so their
IP may fluctuate, even though they are actively browsing. For this
reason, it is often necessary to tolerate some fluctuation in the IP
address, perhaps only in the last octet though.
 
 
 This can be self-defeating in that an attacker in the same network segment of 
 the user is probably in the best position to sniff and hijack the session 
 that you're trying to protect. Allowing this leeway makes the attacker's job 
 much easier!
 

That's true. And since I am making a core structure that has to be 
shared by users having different security needs I guess I better leave 
this configurable just as the time-out interval. So local admins may 
decide on their own which level of security they want to apply to their 
sites.

Thanks for helping :))
Alberto
Kiev





Re: [PHP] Authentication

2002-07-03 Thread Miguel Cruz

On Thu, 4 Jul 2002, Alberto Serra wrote:
 As a caveat to Mr. Serra's suggestion, remember that there are *many*
 users who will go through an IP masquerading gateway or proxy, so
 their IP may fluctuate, even though they are actively browsing. For
 this reason, it is often necessary to tolerate some fluctuation in
 the IP address, perhaps only in the last octet though.
 
 Thanks, I guess I'll just do that. I was actually wondering how to leave 
 this barrier up without being nasty to normal users. That also solves 
 the dial-up problem, at least much of it, as callers will fluctuate 
 mostly on the last octet if they do reconnect through the same ISP, 
 right? Besides, IP masquerading gateways ARE a problem with the 
 suggestion I gave. And I guess this also explains why we are having so 
 much trouble in counting users (that is, IPs) whenever ADSL connection 
 come around. Any suggestion?

I'd suggest ignoring IP altogether and focusing on other tactics. There 
are just too many pitfalls in trusting IPs and too much user annoyance 
possible from not trusting them.

miguel






Re: [PHP] Authentication

2002-07-03 Thread Alberto Serra

Miguel Cruz wrote:
 
 I'd suggest ignoring IP altogether and focusing on other tactics. There 
 are just too many pitfalls in trusting IPs and too much user annoyance 
 possible from not trusting them.

Well, the way I made it admins get emailed each and every time a user gets
refused because of a bad IP, and they can decide to apply a control policy
from 0 to 4 octets check. It seems fair to me: admins will be annoyed by
emails just as much as users will be annoyed by their security policy. This
should lead to some balance, in the long run :)

Chances are most commercial sites will set the check IP rule to 0 but in 
case someone wants a strict check he can configure the system to do so. 
I guess this will fit everybody. And of course we do have all the other 
stuff, so even without IP checks the systems remain pretty secure.

Thanks for helping
Alberto
Kiev






Re: [PHP] Authentication with register_globals OFF

2002-05-11 Thread Stuart Dallas

On Sat, 11 May 2002 21:21:27 -0400, you wrote:
Trying to get accustomed to PHP 4.2.0 and PHP's preference for
register_globals off, I have register_globals off.

However, when I try to use $PHP_AUTH_USER and $PHP_AUTH_PW, my script fails
(attempting to validate username and password credentials against MySQL...no
error message and my login failure message does not show up, even after
three unsuccessful challenge responses.

When I set register_globals on, I am successful in gaining authorization
(ie, the header('WWW-Auth' is correct, the script works, the MySQL
connection works and the query works).

How, then do I define the $PHP_AUTH_USER and $PHP_AUTH_PW variables up front
with register_globals off?

They are in the $_SERVER superglobal. Change your references to them
to...

$_SERVER['PHP_AUTH_USER']
and
$_SERVER['PHP_AUTH_PW']

You might want to read up on what register_globals actually does since
it's clear that you don't fully understand it yet:
http://www.php.net/manual/en/security.registerglobals.php

-- 
Stuart





Re: [PHP] Authentication with register_globals OFF

2002-05-11 Thread Mike

Thanks, Stuart.

I'll admit I don't fully I understand register_globals.  Beyond that, I am
sure I am not clear on the value of NOT using register_globals.  I am wading
through the docs constantly.  Haven't quite finished.

Regardless, thanks for the assist.

Mike





RE: [PHP] authentication

2002-04-23 Thread Maxim Maletsky \(PHPBeginner.com\)

There are several ways to do that,
But in your case, I believe the best would be having a page somewhere
and include the protected files.

Alternatively look into the Chapter 17. of PHP Documentation: HTTP
authentication with PHP
http://it2.php.net/manual/en/features.http-auth.php



Sincerely,

Maxim Maletsky
Founder, Chief Developer

www.PHPBeginner.com   // where PHP Begins





I have one directory that is protected with an .htaccess file on my server
where I store all member content. What I want to do is have a page where
members can log in, and after they have entered their user name and password
I want the php script to authenticate them against the .htaccess file. If
they are authenticated I would like to keep track of that as one of their
session variables, so that they do not have to re-authenticate when they try
to access content in the protected directory. Essentially what I am trying
to do is give them access to the .htaccess protected based from a submit
form. Instead of requiring that they get the standard user name and
password pop up window that one gets when you try to access a directory that
is password protected on Apache. 




Re: [PHP] authentication

2002-04-23 Thread heinisch

At 23.04.2002  09:52, you wrote:

I have one directory that is protected with an .htaccess file on my server
where I store all member content. What I want to do is have a page where
members can log in, and after they have entered their user name and password
I want the php script to authenticate them against the .htaccess file. If
they are authenticated I would like to keep track of that as one of their
session variables, so that they do not have to re-authenticate when they try
to access content in the protected directory. Essentially what I am trying
to do is give them access to the .htaccess protected based from a submit
form. Instead of requiring that they get the standard user name and
password pop up window that one gets when you try to access a directory that
is password protected on Apache.


Why do you want to make such a hassle ??
If you auth via Apache, then it's a secure thing, as these vals were put 
secure.
If you want people to access a hidden directory or a .htaccess closed dir,
you'll send their user/pw combination plaintext, unless you use https.
Also, if they auth'ed one time, the browser will remember the data, until
it is closed. The auth-popup will be shown in the browser's language.

If you want apache to get scripts or data from a secured directory, 
forget it, or include the apache user in the .htpasswd, but that's not a
good idea.

HTH Oliver






Re: [PHP] authentication

2002-04-23 Thread Morten Ronseth

Anybody know how to revoke the HTTP authentication, i.e. log people out,
using PHP?


Cheers,


-Morten
---
Rayon Interactive AS http://www.rayon.no
Morten Lerskau Rønseth   mailto:[EMAIL PROTECTED]
Karenslyst Allé 16d  Tlf.: (47) 2213 5250
0278 OsloFax : (47) 2213 5260
Norway   Mob.: (47) 9343 4357







Re: [PHP] authentication

2002-04-23 Thread Michael Kimsal

Morten Ronseth wrote:
 Anybody know how to revoke the HTTP authentication, i.e. log people out,
 using PHP?
 


You can't

---
Michael Kimsal
http://www.phphelpdesk.com
Guaranteed PHP support when you need it
734-480-9961






RE: [PHP] authentication

2002-04-23 Thread Brian Drexler

Use javascript and close the browser, that's all I can think of.





Re: [PHP] authentication

2002-04-23 Thread Michael Kimsal

Brian Drexler wrote:
 Use javascript and close the browser, that's all I can think of.



I wasn't aware you could close an entire browser - only
a specific window.  If the browser instance has any open windows,
I believe the authentication will still be active.



Michael Kimsal
http://www.phphelpdesk.com
Guaranteed PHP support when you need it
734-480-9961








Re: [PHP] authentication

2002-04-23 Thread Miguel Cruz

On Tue, 23 Apr 2002, Morten Ronseth wrote:
 Anybody know how to revoke the HTTP authentication, i.e. log people out,
 using PHP?

With most browsers, you can send HTTP status 401 and re-send your realm in 
the WWW-Authenticate header. The browser will assume its cached 
credentials have become invalid and toss them, asking the user once again 
to log in.

It's still a little awkward, and is one more reason why using 
session/cookie-based auth is much friendlier.

miguel


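As an added example (not code from any post in this thread), the re-challenge logout Miguel describes, written for PHP: answering a logout request with 401 and the same realm makes most browsers discard the Basic credentials they cached. The realm name, the demo user table, the ?logout parameter and the Authorization-header fallback for CGI setups are assumptions.

```php
<?php
// Added example: HTTP Basic auth with a "logout" that re-sends 401 plus
// the same realm. Realm, user table and ?logout parameter are assumed.
declare(strict_types=1);

const REALM = 'Members';   // assumed realm name

/** Constructed demo user table; a real site would read a DB or htpasswd file. */
function demoUsers(): array
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return $users;
}

/** Read Basic credentials; works under mod_php and, if the header is forwarded, CGI. */
function basicCredentials(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    // As CGI/FastCGI, PHP only sees the header when the web server passes it on.
    $hdr = $server['HTTP_AUTHORIZATION'] ?? '';
    if (stripos($hdr, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($hdr, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2);
}

function credentialsValid(?array $cred, array $users): bool
{
    if ($cred === null || !isset($users[$cred[0]])) {
        return false;
    }
    return password_verify($cred[1], $users[$cred[0]]);
}

/** Send the challenge. header() only queues headers, so their order is free. */
function challenge(string $realm, string $body): void
{
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo $body;
    exit;
}

if (isset($_GET['logout'])) {
    // Same realm, status 401: most browsers treat the cached credentials as
    // invalid and forget them. Whoever cancels the new prompt sees this body.
    // This is browser-dependent; session/cookie logins do not have this problem.
    challenge(REALM, "You have been logged out.\n");
}

$cred = basicCredentials($_SERVER);
if (!credentialsValid($cred, demoUsers())) {
    challenge(REALM, "Authentication required.\n");
}
echo 'Hello ' . htmlspecialchars($cred[0]) . "\n";
```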




RE: [PHP] authentication

2002-04-23 Thread Fifield, Mike

If you go to a site that has a password protected directory and you access a
file in that directory, you have to enter your user name and password. After
you have entered your user name and password, as long as you keep the
browser window open you can navigate to any other file that is in the
password protected directory. I can only assume that some sort of session
has been started that allows you to do this without having to keep
re-authenticating. What I need to be able to do is start this session and
authenticate the user without actually having them log in via the pop up
window. I would think that there should be some way of doing this. I thought
of writing an include statement that looked something like this.
Include(http://username:[EMAIL PROTECTED]/members/); which I believe
would work but it seems like kind of an ugly way of doing it. If it is a
session that is keeping track of authenticated users, is there some way of
initiating it via a script? I hope this makes it a little more clear as to what
I am trying to accomplish. Thanks in advance for any help. 

Mike 





Re: [PHP] authentication

2002-04-23 Thread Justin French

I believe your choices are either:

1. use .htaccess authentication, which is usually constant for the time the
browser program is open.

2. develop your own user/pass system with sessions


I don't believe the two can work hand-in-hand.


Justin French
-
http://indent.com.au
http://soundpimps.com
-



on 24/04/02 2:52 AM, Fifield, Mike ([EMAIL PROTECTED]) wrote:

 I have one directory that is protected with an .htaccess file on my server
 where I store all member content. What I want to do is have a page where
 members can log in, and after they have entered their user name and password
 I want the php script to authenticate them against the .htaccess file. If
 they are authenticated I would like to keep track of that as one of their
 session variables, so that they do not have to re-authenticate when they try
 to access content in the protected directory. Essentially what I am trying
 to do is give them access to the .htaccess protected based from a submit
 form. Instead of requiring that they get the standard user name and
 password pop up window that one gets when you try to access a directory that
 is password protected on Apache.
 
 
 
 






Re: [PHP] Authentication with sessions - Recommendation and suggestions?

2002-02-14 Thread Erik Price


On Wednesday, February 13, 2002, at 08:51  PM, Harry Yu wrote:

 Can anyone give me any suggestions or recommendations?
  Is there any security concerns?  Also, the session
 files are in a directory that is not world readable.

I just set up my own first authentication system, and it works very 
similar to yours.  I think you should turn register_globals off if you 
really want security.  PHP 4.1.0 has some neat shortcuts to make your 
life easier if you do this.


Erik




Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]






Re: [PHP] Authentication Pages

2002-01-22 Thread Nick Wilson



* On 22-01-02 at 13:49 
* Nicolas Llamosas said

 Where can I find some information about Authentication Pages, login, pass, 
 using php, apache and mysql?

All the usual places. Have you not seen these sites:
www.phpbuilder.com
www.devshed.com
www.zend.com
They're fundamental to learning PHP (well, almost)
-- 

Nick Wilson

Tel:+45 3325 0688
Fax:+45 3325 0677
Web:www.explodingnet.com








Re: [PHP] Authentication Question

2002-01-14 Thread Nick Wilson



* On 14-01-02 at 09:48 
* Ben Clumeck said

 I am new to MySQL and PHP.  I am wondering how Authentication through PHP
 and MySQL.  How does a username and password know where to take that user?
 An example is online banking.  You enter your account number for (username)
 and your password.  How does it know where to go for your specific account?
 I am looking to create a system similar to online banking.  I appreciate
 your help.

Start by having a look at the crypt() function in the manual then check
out www.phpbuilder.com www.devshed.com for articles relating to this
topic. (I seem to remember there being a couple on one or both of those
sites)
-- 

Nick Wilson

Tel:+45 3325 0688
Fax:+45 3325 0677
Web:www.explodingnet.com








Re: [PHP] authentication help

2001-10-25 Thread Kodrik

<?php

if ($name == "thename" and $pass == "thepass")
{
    // do this
}
else
{
    // do that
}





[PHP] Re: PHP Authentication on Apache

2001-09-03 Thread Alfredo Yong

Yes. It works. It is great.

// $PHP_AUTH_USER / $PHP_AUTH_PW are register_globals-era variables; on
// current PHP read $_SERVER['PHP_AUTH_USER'] / $_SERVER['PHP_AUTH_PW'].
if(!isset($PHP_AUTH_USER) or $PHP_AUTH_USER != "myuser" or $PHP_AUTH_PW != "mypassword") {
    header("WWW-Authenticate: Basic realm=\"Only authorizeds web\"");
    header("HTTP/1.0 401 Unauthorized");
    echo "ha!\n";
    exit;
}




Lynn Holt wrote:

 Hi all,
   Trying PHP for the first time. Snatched the
 authentication code from the docs and put it in phpauth.php.
 When I surf to it,  it just asks for my
 user and password again and again. If I hit Cancel, it prints the
 little message just fine. Here's the code in case I'm the
 only one to RTFM:
 
 ---
 Example 17-1. HTTP Authentication example
 
 <?php
   // $PHP_AUTH_USER / $PHP_AUTH_PW need register_globals; on current PHP
   // read $_SERVER['PHP_AUTH_USER'] / $_SERVER['PHP_AUTH_PW'] instead.
   if(!isset($PHP_AUTH_USER)) {
     header("WWW-Authenticate: Basic realm=\"My Realm\"");
     header("HTTP/1.0 401 Unauthorized");
     echo "Text to send if user hits Cancel button\n";
     exit;
   } else {
     echo "<p>Hello $PHP_AUTH_USER.</p>";
     echo "<p>You entered $PHP_AUTH_PW as your password.</p>";
   }
 ?>
 -
 I have php 4.0.6  installed as a module(DSO) in apache 1.3.20 and
 everything else I've tried seems to work.
 
 Any Ideas? Anybody know if this is supposed to work?
 Should I stick with AuthPG and forget PHP authentication?
 BTW I don't have AuthType set in .htaccess or httpd.conf.
 
 Lynn
 Getting old isn't hard,
 all you got to do is live long enough..or fast enough.
 






Re: [PHP] authentication

2001-08-27 Thread abe

Hi Wilbert,

what I have done in the past (probably not the best way) is to stick a
function call in the top of all pages in that directory which calls a
function that checks for a cookie to see that the person viewing has
actually logged in.

I hope that helps.
Abe


On Mon, 27 Aug 2001, Wilbert Enserink wrote:

 Hi all,


 Can anybody help me with this authentication problem?

 Clients can log in using an html form on my site. When they log in their username and
 password are checked in a mysql database. Then they are forwarded to a url, a
 directory on my site also coming from the db. This directory should not be public of
 course, so I did a chmod 744 on the clients directory.

 Anybody has any ideas? I prefer not to use the standard window popup thing for
 authentication.
 I checked the php manual, but there is not much info on plain html forms on the
 subject, or maybe it is my English...:-)



 Regards, Wilbert

 -
 Pas de Deux
 Van Mierisstraat 25
 2526 NM Den Haag
 tel 070 4450855
 fax 070 4450852
 http://www.pdd.nl
 [EMAIL PROTECTED]
 -






RE: [PHP] Authentication

2001-07-11 Thread David Baldwin

Ideally I could just have php do the info gathering and send the input,
user and pass, to apache for authenticating them.  But I really don't
know what is best.  If I set up an index file to ask for a password that
still does not secure (or at least ask for a password) anything else in
the directory.  But it looks like mod_auth does do that, if only I could
use php as a gatherer for mod_auth.  Can anyone suggest how to do this
or maybe a better way?  Do I need php authentication in every file on
the site?
Please help.

-Dave Baldwin

-Original Message-
From: David Baldwin 
Sent: Tuesday, July 10, 2001 2:36 PM
To: Jack Dempsey; [EMAIL PROTECTED]
Subject: RE: [PHP] Authentication

I am using htpasswd files for the passwords but I took all the
htaccess or mod_auth directives out of httpsd.conf.  I guess I could
learn mysql (yeay, maybe later), and in fact, that looks like a real good
idea, but I think the double prompting is due to the fact that I have
the following in the beginning of the index.php file that the login.php
script redirects to:

<?php
session_start();
// $PHP_AUTH_USER / $PHP_AUTH_PW are register_globals-era variables; on
// current PHP read $_SERVER['PHP_AUTH_USER'] / $_SERVER['PHP_AUTH_PW'].
if ( ( !isset( $PHP_AUTH_USER )) || (!isset($PHP_AUTH_PW))
   || ( $PHP_AUTH_USER != 'user' ) || ( $PHP_AUTH_PW != 'pass' ) ) {
   header( 'HTTP/1.0 401 Unauthorized' );
   header( 'WWW-Authenticate: Basic realm="Users info"' );   // realm value must be quoted
   echo 'Authorization Required.';
   exit;
} else {
   echo 'You are in users page.';
   phpinfo();
}
?>

This works with a windows browser but not with UNIX/Netscape.  It seems
that for some reason the session is not carrying over with
session_register and session_start from the login.php script, but only
with the UNIX/Netscape browser.  The login.php script looks like this;

<?php
session_start();
// session_register() was removed in PHP 5.4; today the equivalent is
// $_SESSION['PHP_AUTH_USER'] = $PHP_AUTH_USER; (likewise for PHP_AUTH_PW).
// $PHP_AUTH_USER / $PHP_AUTH_PW are register_globals-era variables; on
// current PHP read $_SERVER['PHP_AUTH_USER'] / $_SERVER['PHP_AUTH_PW'].
session_register("PHP_AUTH_USER");
session_register("PHP_AUTH_PW");
$auth = false;
if (isset ( $PHP_AUTH_USER ) && isset ($PHP_AUTH_PW)) {
   $filename = '/usr/local/apache/conf/htpasswd';
   $fp = fopen( $filename, 'r' );
   $file_contents = fread( $fp, filesize( $filename ) );
   fclose( $fp );
   $lines = explode ( "\n", $file_contents );
   foreach ( $lines as $line ) {
      if ( strpos( $line, ':' ) === false ) {
         continue;   // blank or malformed line (e.g. after the trailing newline)
      }
      list ( $username, $password ) = explode( ':', $line, 2 );
      if ( $username == $PHP_AUTH_USER ) {
         // a two-character salt only matches traditional DES crypt() entries
         $salt = substr( $password , 0 , 2 );
         $enc_pw = crypt( $PHP_AUTH_PW, $salt );
         if ( $password == $enc_pw ) {
            $auth = true;
            break;
         }
      }
   }
}
if  ( ! $auth ) {
   header( 'WWW-Authenticate: Basic realm="User Area"' );
   header( 'HTTP/1.0 401 Unauthorized' );
   echo 'Authorization Required.';
   exit;
} else {
   // $user was never assigned in the original; the authenticated name is $PHP_AUTH_USER
   header( "Location: https://192.168.124.219/users/$PHP_AUTH_USER/" );
   exit;
}
?>

I just want the login.php to setup the PHP_AUTH_USER and PHP_AUTH_PW and
then the index.php to read those values, compare them to static
requirements and depending on the values set up in login.php to either
allow or deny.
Any suggestions are appreciated.






RE: [PHP] Authentication

2001-07-10 Thread Jack Dempsey

You should look into sessions...checkout www.phpbuilder.com and other
places throughout the net for tutorials...always use www.php.net as
well...has everything you need...

jack

-Original Message-
From: David Baldwin [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 10, 2001 11:41 AM
To: [EMAIL PROTECTED]
Subject: [PHP] Authentication

hi
I am trying to secure a web site and I can get one page at a time to ask
for authentication but that's it.  Right now every page visited asks for
a password, otherwise there is no auth on them at all.  So I am
wondering how to make $PHP_AUTH_USER and $PHP_AUTH_PW global so that
isset $PHP_AUTH_USER = valid user carries over the valid user to all
pages visited until a logout button is pushed.  Also I can't seem to
find info on how to set up apache to require passwords for directories
and not just files using php without asking for the password twice.
 
Please help, I have looked everywhere.
Thanks in advance
-Dave Baldwin







RE: [PHP] Authentication

2001-07-10 Thread David Baldwin

Well, I am using htpasswd files for the passwords but I took all the
htaccess or mod_auth directives out of httpsd.conf.  I guess I could
learn mysql (yeay), and in fact, that looks like a real good idea, but
the double prompting is due to the fact (I think) that I have the
following in the beginning of the index.php file:
<?php
session_start();
// $PHP_AUTH_USER / $PHP_AUTH_PW are register_globals-era variables; on
// current PHP read $_SERVER['PHP_AUTH_USER'] / $_SERVER['PHP_AUTH_PW'].
if ( ( !isset( $PHP_AUTH_USER )) || (!isset($PHP_AUTH_PW))
   || ( $PHP_AUTH_USER != 'user' ) || ( $PHP_AUTH_PW != 'pass' ) ) {
   header( 'HTTP/1.0 401 Unauthorized' );
   header( 'WWW-Authenticate: Basic realm="Users info"' );   // realm value must be quoted
   echo 'Authorization Required.';
   exit;
} else {
   echo 'You are in users page.';
   phpinfo();
}
?>

It seems that for some reason the session is not carrying over with
session_register and session_start from the login.php script, which
looks like this;

<?php
session_start();
// session_register() was removed in PHP 5.4; today the equivalent is
// $_SESSION['PHP_AUTH_USER'] = $PHP_AUTH_USER; (likewise for PHP_AUTH_PW).
// $PHP_AUTH_USER / $PHP_AUTH_PW are register_globals-era variables; on
// current PHP read $_SERVER['PHP_AUTH_USER'] / $_SERVER['PHP_AUTH_PW'].
session_register("PHP_AUTH_USER");
session_register("PHP_AUTH_PW");
$auth = false;
if (isset ( $PHP_AUTH_USER ) && isset ($PHP_AUTH_PW)) {
   $filename = '/usr/local/apache/conf/htpasswd';
   $fp = fopen( $filename, 'r' );
   $file_contents = fread( $fp, filesize( $filename ) );
   fclose( $fp );
   $lines = explode ( "\n", $file_contents );
   foreach ( $lines as $line ) {
      if ( strpos( $line, ':' ) === false ) {
         continue;   // blank or malformed line (e.g. after the trailing newline)
      }
      list ( $username, $password ) = explode( ':', $line, 2 );
      if ( $username == $PHP_AUTH_USER ) {
         // a two-character salt only matches traditional DES crypt() entries
         $salt = substr( $password , 0 , 2 );
         // the original used an undefined $pw; the submitted password is $PHP_AUTH_PW
         $enc_pw = crypt( $PHP_AUTH_PW, $salt );
         if ( $password == $enc_pw ) {
            $auth = true;
            break;
         }
      }
   }
}
if  ( ! $auth ) {
   header( 'WWW-Authenticate: Basic realm="User Area"' );
   header( 'HTTP/1.0 401 Unauthorized' );
   echo 'Authorization Required.';
   exit;
} else {
   // $user was never assigned in the original; the authenticated name is $PHP_AUTH_USER
   header( "Location: https://192.168.124.219/users/$PHP_AUTH_USER/" );
   exit;
}
?>

I just want the login.php to setup the PHP_AUTH_USER and PW and then the
index.php to read those values, compare them to static requirements and
depending on the values set up in login.php to either allow or deny.
Any suggestions are appreciated.
I know websites are secured everyday and you can't get to a page unless
you are logged in and if you try it asks for credentials but how is
that done?  It seems so ordinary but real hard to find out how.

Thanks again
-Dave Baldwin

-Original Message-
From:   Jack Dempsey
Sent:   Tue 7/10/2001 11:40 AM
To: David Baldwin
Cc: 
Subject:RE: [PHP] Authentication

Don't even use those variables,  and make sure to call session_start()
before anything else...use something of your own like $user and $pass
and query your db with those values...it sounds like you're using htaccess
still because of the double prompting...i'd leave that alone and go
straight for sessions and mysql

jack

-Original Message-
From: David Baldwin [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 10, 2001 2:20 PM
To: Jack Dempsey
Subject: RE: [PHP] Authentication

Hey,
I am closer now but there is this one problem.  I put
session_register(PHP_AUTH_USER); and session_register(PHP_AUTH_PW);
in the login.php file and session_start(); in the index.php that the
client is redirected to, it works in MSIE but not on UNIX/Netscape
clients.  It still asks for the password twice with netscape.
Any suggestions?
Thanks again
-Dave Baldwin


-Original Message-
From:   Jack Dempsey
Sent:   Tue 7/10/2001 9:14 AM
To: David Baldwin
Cc: 
Subject:RE: [PHP] Authentication

Hey dave,

May not find exactly what you want, but that's half the fun...best
thing, practice sessions...start with simple variables, one to a page,
get good with them...then, just add some calls to mysql, checking of the
session data at each page, and your authentication scheme gets built...

Good luck
jack





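What both of David's login.php listings are trying to do, as an added example rather than code from any message in this thread: verify a form-submitted username and password against an Apache htpasswd file, then record the login in the PHP session, so protected pages are PHP scripts that test $_SESSION instead of files behind Apache's own prompt (which, as the thread notes, a PHP session cannot satisfy). It differs from the posted code in passing the whole stored hash to crypt() as the salt (substr(..., 0, 2) only fits the old DES format), handling bcrypt and {SHA} entries, and comparing with hash_equals(). The file contents, form field names and redirect target are constructed.

```php
<?php
// Added example: form login checked against an htpasswd file, result kept
// in the session. Sample entries, field names and the redirect are assumed.
declare(strict_types=1);

/** Parse htpasswd text into [user => storedHash]; blank and comment lines are skipped. */
function parseHtpasswd(string $contents): array
{
    $entries = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || strpos($line, ':') === false) {
            continue;
        }
        [$user, $hash] = explode(':', $line, 2);
        $entries[$user] = $hash;
    }
    return $entries;
}

/** Verify one password against one htpasswd entry, dispatching on the hash format. */
function htpasswdVerify(string $password, string $stored): bool
{
    if (strncmp($stored, '{SHA}', 5) === 0) {
        // htpasswd -s: unsalted base64(sha1(password))
        return hash_equals(substr($stored, 5), base64_encode(sha1($password, true)));
    }
    if (strncmp($stored, '$apr1$', 6) === 0) {
        // Apache's MD5 variant (htpasswd -m) is not implemented by PHP's crypt();
        // refuse rather than risk a false match.
        return false;
    }
    // bcrypt ($2y$, htpasswd -B) and traditional crypt(3) DES: the whole stored
    // hash is the salt argument, not just its first two characters.
    return hash_equals($stored, crypt($password, $stored));
}

/** Returns the authenticated username, or null. Field names are assumed. */
function loginFromForm(array $post, array $entries): ?string
{
    $user = (string) ($post['username'] ?? '');
    $pass = (string) ($post['password'] ?? '');
    if ($user === '' || !isset($entries[$user])) {
        return null;
    }
    return htpasswdVerify($pass, $entries[$user]) ? $user : null;
}

/** Constructed sample file; a real site would file_get_contents() its htpasswd. */
function sampleHtpasswd(): string
{
    return implode("\n", [
        '# alice/wonder (bcrypt), bob/builder ({SHA}), carol/secret (DES crypt)',
        'alice:' . password_hash('wonder', PASSWORD_BCRYPT),
        'bob:{SHA}' . base64_encode(sha1('builder', true)),
        'carol:' . crypt('secret', 'ab'),
    ]) . "\n";
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $who = loginFromForm($_POST, parseHtpasswd(sampleHtpasswd()));
    if ($who === null) {
        http_response_code(401);
        echo "Login failed.\n";
        exit;
    }
    session_regenerate_id(true);   // fresh session id after login (session fixation defence)
    $_SESSION['user'] = $who;
    header('Location: /members/index.php');   // assumed protected page; it checks $_SESSION['user']
    exit;
}
```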




Re: [PHP] Authentication

2001-06-26 Thread elias

I can tell you that I also read that authentication won't work while PHP is
installed as CGI.

Brave Cobra [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 Hi,

 I know it doesn't have a lot to do with PHP, and then again...

 I'm trying to get PHP authentication to work on an IIS 5.0 server.
 The thing is, the server is not sending my desired headers. The script
 I'm using works perfectly. I've tested that on an Apache server online.
 Works brilliantly. ;)
 What do I need to do to get it working, apart from adding the entry for
 the ISAPI filters, using the php4isapi.dll?
 Do I need a registry entry somewhere? I've read about that somewhere.
 Can it work when using the php.exe (or CGI-version)? (Using the ISAPI dll
 version is not working either, although I've read the install file over
 and over again...)
 I can get PHP to work, using the cgi(or exe) version of PHP, although I
 don't think, I can get PHP authentication to work this way. Correct me if
 I'm wrong here.

 In other words, how do I configure my IIS to get PHP working with PHP
 authentication?

 tnx

 Brave Cobra











Re: [PHP] Authentication

2001-06-26 Thread Phil Driscoll

If you run PHP as a CGI, or as an ISAPI module *without* installing the ISAPI 
filter, then IIS will have already dealt with everything to do with headers 
before PHP gets a look in. Installing PHP in the ISAPI filters list allows it 
to get at the headers and do authentication, however you may have serious 
problems with the stability of the ISAPI module version of PHP.

Cheers
-- 
Phil Driscoll






Re: [PHP] Authentication

2001-06-26 Thread Brave Cobra

Tnx,

I've been trying out some stuff last night and found out some interesting
facts!
the ISAPI dll is full of access violations. Being a Delphi programmer, I
know that ain't good.
Stable is indeed the word. Sometimes IIS could find a page, most of the time
not.

And I got the header to show :) However the authentication part (in my
script) was never triggered,
due to the fact that IIS couldn't find the page anymore, if the ISAPI dll
was used. Tough luck!

So, people, when using PHP authentication, please use a Linux box!!! The
windows version doesn't really work (at all).

Brave Cobra







