chicken or egg question here...

assuming the directory requires authentication a la .htaccess or httpd.conf
allow/deny,
does this method encapsulate the authentication in the SSL or does this only
get applied after authenticating and reading the file to get the header
portion?

Example,  current setup is to access the secure page via https://mypage

this means the SSL layer is already in place when apache prompts for
user/password, thus transmitting the user/pw pair securely to the server.

without the SSL layer in place, your user/pw pair is essentially being sent open
text for anyone to parse.  If the header information contained in the if
statement isn't parsed until after the uid/pw pair is already sent.

I would suspect that since PHP parses the file prior to delivering it to the
user, that the lack of SSL is detected and the resulting login session is
encapsulated in the SSL layer.

Can anyone verify this?

Dave


>if(getenv("HTTPS")!="on")
>{
>header ("Location: https://logon_screen");
>}
>
>every page has an include that checks $HTTPS as part of the sessions and
>validation. If https!="on" then it kicks you back to the logon screen.
>
>you could do the same using
>
>if(getenv("HTTPS")!="on")
>{
>header ("Location: https://$SERVER_NAME/$PHP_SELF");
>}


-- 
PHP General Mailing List (http://www.php.net/)
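
An added example, not part of the original thread: Apache runs its authentication phase before it hands the request to the PHP handler, so when the protected directory is reachable over plain HTTP the Basic-auth challenge and the browser's reply are exchanged before the quoted getenv("HTTPS") check executes. The configuration below shows that setup beside one that only asks for credentials over SSL; the host name, paths and realm are constructed placeholders.

```apache
# Constructed example: host name, file paths and realm are placeholders.

# Weak: the protected directory is served over plain HTTP. The 401
# challenge and the browser's Authorization header travel unencrypted,
# and the PHP redirect only runs after authentication has succeeded.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/site
    <Directory /var/www/site/secure>
        AuthType Basic
        AuthName "Members"
        AuthUserFile /etc/apache2/htpasswd
        Require valid-user
    </Directory>
</VirtualHost>

# Corrected: port 80 carries no auth configuration and only redirects,
# so no credential prompt is ever issued over plain HTTP.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/site
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key
    <Directory /var/www/site/secure>
        # Refuse any non-SSL request for this directory outright.
        SSLRequireSSL
        AuthType Basic
        AuthName "Members"
        AuthUserFile /etc/apache2/htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```

With the corrected layout the PHP check becomes a second line of defence for session pages rather than the only thing standing between the password prompt and an unencrypted connection.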