[PHP] Basic Auth

2013-08-27 Thread Jim Giner
I'm using basic auth for a few of my pages that I want to limit access 
to - nothing of a sensitive nature, but simply want to limit access to. 
 Want to implement a signoff process, but can't figure it out.


From the comments in the manual I take it one can't do this by simply 
unsetting the PHP_AUTH_USER and _PW vars.  Can someone explain to me why 
this doesn't suffice?  The signon process expects them to be there, so 
when they are not (after the 'unset'), how come my signon process still 
detects them and their values?


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Basic Auth

2013-08-27 Thread Stuart Dallas
On 27 Aug 2013, at 14:37, Jim Giner  wrote:

> I'm using basic auth for a few of my pages that I want to limit access to - 
> nothing of a sensitive nature, but simply want to limit access to.  Want to 
> implement a signoff process, but can't figure it out.
> 
> From the comments in the manual I take it one can't do this by simply 
> unsetting the PHP_AUTH_USER and _PW vars.  Can someone explain to me why this 
> doesn't suffice?  The signon process expects them to be there, so when they 
> are not (after the 'unset'), how come my signon process still detects them 
> and their values?


The global variables you're referring to are just that, global variables; 
changing them will have no effect on the browser. Basic Auth was not designed 
to allow users to log out, but you can make it happen with some Javascript.

Have your log out link call a Javascript function which sends an XMLHttpRequest 
with an invalid username and password. The server will return a 401 which you 
ignore and then take the user to whatever URL you want them to see after they 
log off. Not pretty, but it works.

-Stuart

-- 
Stuart Dallas
3ft9 Ltd
http://3ft9.com/




Re: [PHP] Basic Auth

2013-08-27 Thread Jim Giner


On 8/27/2013 9:46 AM, Stuart Dallas wrote:
> On 27 Aug 2013, at 14:37, Jim Giner  wrote:
>
>> I'm using basic auth for a few of my pages that I want to limit access to -
>> nothing of a sensitive nature, but simply want to limit access to.  Want to
>> implement a signoff process, but can't figure it out.
>>
>> From the comments in the manual I take it one can't do this by simply
>> unsetting the PHP_AUTH_USER and _PW vars.  Can someone explain to me why this
>> doesn't suffice?  The signon process expects them to be there, so when they are
>> not (after the 'unset'), how come my signon process still detects them and
>> their values?
>
> The global variables you're referring to are just that, global variables;
> changing them will have no effect on the browser. Basic Auth was not designed
> to allow users to log out, but you can make it happen with some Javascript.
>
> Have your log out link call a Javascript function which sends an XMLHttpRequest
> with an invalid username and password. The server will return a 401 which you
> ignore and then take the user to whatever URL you want them to see after they
> log off. Not pretty, but it works.
>
> -Stuart


Thanks for the timely response!

Before I try your suggestion - one question.  Since when is a global 
variable not changeable?  Doesn't the fact that it reflects a modified 
value when I do change it tell me it worked?  I change the value to 
'xxx' and show it having that value, but when the script is called again 
the old value appears.  Very confusing!






Re: [PHP] Basic Auth

2013-08-27 Thread Stuart Dallas
On 27 Aug 2013, at 15:06, Jim Giner  wrote:

> 
> On 8/27/2013 9:46 AM, Stuart Dallas wrote:
>> On 27 Aug 2013, at 14:37, Jim Giner  wrote:
>> 
>>> I'm using basic auth for a few of my pages that I want to limit access to - 
>>> nothing of a sensitive nature, but simply want to limit access to.  Want to 
>>> implement a signoff process, but can't figure it out.
>>> 
>>> From the comments in the manual I take it one can't do this by simply 
>>> unsetting the PHP_AUTH_USER and _PW vars.  Can someone explain to me why 
>>> this doesn't suffice?  The signon process expects them to be there, so when 
>>> they are not (after the 'unset'), how come my signon process still detects 
>>> them and their values?
>> 
>> The global variables you're referring to are just that, global variables; 
>> changing them will have no effect on the browser. Basic Auth was not 
>> designed to allow users to log out, but you can make it happen with some 
>> Javascript.
>> 
>> Have your log out link call a Javascript function which sends an 
>> XMLHttpRequest with an invalid username and password. The server will return 
>> a 401 which you ignore and then take the user to whatever URL you want them 
>> to see after they log off. Not pretty, but it works.
>> 
>> -Stuart
>> 
> Thanks for the timely response!
> 
> Before I try your suggestion - one question.  Since when is a global variable 
> not changeable?  Doesn't the fact that it reflects a modified value when I do 
> change it tell me it worked?  I change the value to 'xxx' and show it having 
> that value, but when the script is called again the old value appears.  Very 
> confusing!

I didn't say you couldn't change it, I said doing so will have no effect on the 
browser.

It's not really confusing so long as you understand how PHP works. Each request 
is brand new - nothing is retained from previous requests. The two variables 
you're changing are set by PHP when the request comes in from the browser. The 
fact you changed them in a previous request is irrelevant because 1) that 
change was not communicated to the browser in any way, and 2) PHP doesn't 
retain any data between requests [1].

If you've been coding assuming that changes you make to global variables are 
retained between requests you must have been having some pretty frustrating 
times!

-Stuart

[1] The one exception to this is $_SESSION, but it's important to know how that 
works. The $_SESSION array is populated when you call session_start(). It's 
loaded from some form of storage (files by default) and unserialised in to 
$_SESSION. When the session is closed, either implicitly by the request ending 
or by a call to one of the methods that explicitly do it, the contents are 
serialised to the storage system. Once closed, any changes to $_SESSION will 
not be stored; it becomes just another superglobal (not that it was ever 
anything else).

-- 
Stuart Dallas
3ft9 Ltd
http://3ft9.com/




Re: [PHP] Basic Auth

2013-08-27 Thread Jim Giner


On 8/27/2013 10:14 AM, Stuart Dallas wrote:
> It's not really confusing so long as you understand how PHP works. Each request
> is brand new - nothing is retained from previous requests. The two variables
> you're changing are set by PHP when the request comes in from the browser. The
> fact you changed them in a previous request is irrelevant because 1) that
> change was not communicated to the browser in any way, and 2) PHP doesn't
> retain any data between requests [1].
>
> If you've been coding assuming that changes you make to global variables are
> retained between requests you must have been having some pretty frustrating
> times!
>
> -Stuart



Not really - this is the first time I've had something not work as expected.





Re: [PHP] Basic Auth

2013-08-27 Thread Stuart Dallas
On 27 Aug 2013, at 15:18, Jim Giner  wrote:

> On 8/27/2013 10:14 AM, Stuart Dallas wrote:
>> It's not really confusing so long as you understand how PHP works. Each 
>> request is brand new - nothing is retained from previous requests. The two 
>> variables you're changing are set by PHP when the request comes in from the 
>> browser. The fact you changed them in a previous request is irrelevant 
>> because 1) that change was not communicated to the browser in any way, and 
>> 2) PHP doesn't retain any data between requests [1].
>> 
>> If you've been coding assuming that changes you make to global variables are 
>> retained between requests you must have been having some pretty frustrating 
>> times!
>> 
>> -Stuart
>> 
> 
> Not really - this is the first time I've had something not work as expected.

That was said with my tongue very much firmly in my cheek, and so is this:

  I've been playing with dynamite since I was 4 - hey, it must be a safe, 
proper thing to do!

Just because nothing has blown up in your face yet doesn't mean it won't, and 
I'm concerned that you might not actually see how important it is to make sure 
you're using the tool correctly.

-Stuart

-- 
Stuart Dallas
3ft9 Ltd
http://3ft9.com/




Re: [PHP] Basic Auth

2013-08-27 Thread Jim Giner


On 8/27/2013 10:39 AM, Stuart Dallas wrote:
> On 27 Aug 2013, at 15:18, Jim Giner  wrote:
>
>> On 8/27/2013 10:14 AM, Stuart Dallas wrote:
>>> It's not really confusing so long as you understand how PHP works. Each request
>>> is brand new - nothing is retained from previous requests. The two variables
>>> you're changing are set by PHP when the request comes in from the browser. The
>>> fact you changed them in a previous request is irrelevant because 1) that
>>> change was not communicated to the browser in any way, and 2) PHP doesn't
>>> retain any data between requests [1].
>>>
>>> If you've been coding assuming that changes you make to global variables are
>>> retained between requests you must have been having some pretty frustrating
>>> times!
>>>
>>> -Stuart
>>
>> Not really - this is the first time I've had something not work as expected.
>
> That was said with my tongue very much firmly in my cheek, and so is this:
>
>   I've been playing with dynamite since I was 4 - hey, it must be a safe,
> proper thing to do!
>
> Just because nothing has blown up in your face yet doesn't mean it won't, and
> I'm concerned that you might not actually see how important it is to make sure
> you're using the tool correctly.
>
> -Stuart

This may very well be the first time with this problem because I haven't 
tried anything like this before.


That said - can you give me some pointers on how to do the JS solution?  
I'm calling a script that is similar to the one I used to signon.  It 
sends out something like:


header("WWW-Authenticate: Basic realm=$realm");
header('HTTP/1.0 401 Unauthorized');
echo "You have entered invalid credentials";
echo "Click  here  to return to the menu.";
exit();

when it doesn't detect the PHP_AUTH_USER or it is an invalid value.

So - to effect a signoff, what does one do?   You said to use an invalid 
value, but what do I do with that?  How do I ignore the 401?   Now I'm 
getting the signin dialog and I'm stuck.






Re: [PHP] Basic Auth

2013-08-27 Thread Stuart Dallas
On 27 Aug 2013, at 15:51, Jim Giner  wrote:

> On 8/27/2013 10:39 AM, Stuart Dallas wrote:
>> On 27 Aug 2013, at 15:18, Jim Giner  wrote:
>> 
>>> On 8/27/2013 10:14 AM, Stuart Dallas wrote:
>>>> It's not really confusing so long as you understand how PHP works. Each
>>>> request is brand new - nothing is retained from previous requests. The two
>>>> variables you're changing are set by PHP when the request comes in from the
>>>> browser. The fact you changed them in a previous request is irrelevant
>>>> because 1) that change was not communicated to the browser in any way, and
>>>> 2) PHP doesn't retain any data between requests [1].
>>>>
>>>> If you've been coding assuming that changes you make to global variables
>>>> are retained between requests you must have been having some pretty
>>>> frustrating times!
>>>>
>>>> -Stuart
>>>>
>>> Not really - this is the first time I've had something not work as expected.
>> That was said with my tongue very much firmly in my cheek, and so is this:
>> 
>>   I've been playing with dynamite since I was 4 - hey, it must be a safe, 
>> proper thing to do!
>> 
>> Just because nothing has blown up in your face yet doesn't mean it won't, 
>> and I'm concerned that you might not actually see how important it is to 
>> make sure you're using the tool correctly.
>> 
>> -Stuart
>> 
> This may very well be the first time with this problem because I haven't 
> tried anything like this before.
> 
> That said - can you give me some pointers on how to do the JS solution?  I'm 
> calling a script that is similar to the one I used to signon.  It sends out 
> something like:
> 
>   header("WWW-Authenticate: Basic realm=$realm");
>   header('HTTP/1.0 401 Unauthorized');
>   echo "You have entered invalid credentials";
>   echo "Click  here  to return to the menu.";
>   exit();
> 
> when it doesn't detect the PHP_AUTH_USER or it is an invalid value.
> 
> So - to effect a signoff, what does one do?   You said to use an invalid 
> value, but what do I do with that?  How do I ignore the 401?   Now I'm 
> getting the signin dialog and I'm stuck.

You don't need to do anything on the server-side. You simply need a JS function 
that sends a request to a URL that requires basic auth, with an Authenticate 
header that contains an invalid username and password. Then, when your server 
responds with a 401 Authentication required (which it should already do for an 
invalid request) you can set location.href to whatever URL you want the logged 
out user to see.

If you don't know how to make a request from Javascript -- commonly known as an 
AJAX request -- then google for it. I'd recommend the jquery library if you 
want a very easy way to do it.

-Stuart

-- 
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
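
The log-out approach described in the message above, as an added example (not code from the thread): the request carries deliberately invalid credentials, which travel in the `Authorization` request header, the expected 401 is ignored, and the page then moves to a signed-out URL. The user name `logged-out`, the URLs, the `deps` parameter and the fake browser/server in `demo()` are assumptions of this example, and browsers differ in whether such a request replaces their cached credentials.

```javascript
// Added example: names, URLs and credentials below are constructed for illustration.

// Base64 of a UTF-8 string, in a browser (btoa) or in Node (Buffer).
function base64Utf8(text) {
  const bytes = new TextEncoder().encode(text);
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return typeof btoa === 'function'
    ? btoa(bin)
    : Buffer.from(bin, 'binary').toString('base64');
}

// Value of the Authorization request header the browser sends for Basic auth.
function basicAuthHeader(user, password) {
  if (user.includes(':')) throw new Error('user name must not contain ":"');
  return 'Basic ' + base64Utf8(user + ':' + password);
}

// What the server recovers from that header on every single request; PHP
// exposes the two values as PHP_AUTH_USER and PHP_AUTH_PW. Unsetting them in
// one request changes nothing, because the browser sends the header again.
function parseBasicAuth(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/i.exec(headerValue || '');
  if (!m) return null;
  const bin = typeof atob === 'function'
    ? atob(m[1])
    : Buffer.from(m[1], 'base64').toString('binary');
  const text = new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
  const i = text.indexOf(':');
  return i < 0 ? null : { user: text.slice(0, i), password: text.slice(i + 1) };
}

// Log-out helper for the browser. `deps` (hypothetical) lets the XMLHttpRequest
// constructor and the location object be replaced so the flow can run offline.
function basicAuthLogout(protectedUrl, afterUrl, deps) {
  const XHR = (deps && deps.XMLHttpRequest) || XMLHttpRequest;
  const loc = (deps && deps.location) || window.location;
  const result = { status: null, loggedOut: false }; // filled in when the reply arrives
  const xhr = new XHR();
  // The 4th and 5th arguments of open() are the user name and password to send.
  xhr.open('GET', protectedUrl, true, 'logged-out', 'invalid');
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) return;
    result.status = xhr.status;
    // 401 is the expected reply. Any other status means the dummy credentials
    // were not rejected, so the old ones may still be in use.
    result.loggedOut = xhr.status === 401;
    loc.href = afterUrl; // ignore the 401 and show the signed-out page
  };
  xhr.send();
  return result;
}

// Constructed stand-ins for the browser and the protected page.
function demo() {
  const valid = { user: 'jim', password: 'correct-horse' }; // constructed account
  const seen = [];
  class FakeXHR {
    open(method, url, async, user, password) {
      this.auth = basicAuthHeader(user, password); // header a browser would build
    }
    send() {
      const creds = parseBasicAuth(this.auth); // server side of the exchange
      seen.push(creds.user);
      const ok = creds.user === valid.user && creds.password === valid.password;
      this.status = ok ? 200 : 401;
      this.readyState = 4;
      this.onreadystatechange();
    }
  }
  const location = { href: '/members/menu.php' };
  const result = basicAuthLogout('/members/menu.php', '/goodbye.html',
    { XMLHttpRequest: FakeXHR, location: location });
  return { status: result.status, loggedOut: result.loggedOut, href: location.href, seen: seen };
}
```

In a page, the log-out link's click handler would call `basicAuthLogout('/members/menu.php', '/goodbye.html')` with no third argument.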




Re: [PHP] Basic Auth

2013-08-27 Thread Jim Giner


On 8/27/2013 10:55 AM, Stuart Dallas wrote:
> On 27 Aug 2013, at 15:51, Jim Giner  wrote:
>
>> On 8/27/2013 10:39 AM, Stuart Dallas wrote:
>>> On 27 Aug 2013, at 15:18, Jim Giner  wrote:
>>>
>>>> On 8/27/2013 10:14 AM, Stuart Dallas wrote:
>>>>> It's not really confusing so long as you understand how PHP works. Each request
>>>>> is brand new - nothing is retained from previous requests. The two variables
>>>>> you're changing are set by PHP when the request comes in from the browser. The
>>>>> fact you changed them in a previous request is irrelevant because 1) that
>>>>> change was not communicated to the browser in any way, and 2) PHP doesn't
>>>>> retain any data between requests [1].
>>>>>
>>>>> If you've been coding assuming that changes you make to global variables are
>>>>> retained between requests you must have been having some pretty frustrating
>>>>> times!
>>>>>
>>>>> -Stuart
>>>>
>>>> Not really - this is the first time I've had something not work as expected.
>>>
>>> That was said with my tongue very much firmly in my cheek, and so is this:
>>>
>>>   I've been playing with dynamite since I was 4 - hey, it must be a safe,
>>> proper thing to do!
>>>
>>> Just because nothing has blown up in your face yet doesn't mean it won't, and
>>> I'm concerned that you might not actually see how important it is to make sure
>>> you're using the tool correctly.
>>>
>>> -Stuart
>>
>> This may very well be the first time with this problem because I haven't tried
>> anything like this before.
>>
>> That said - can you give me some pointers on how to do the JS solution?  I'm
>> calling a script that is similar to the one I used to signon.  It sends out
>> something like:
>>
>>   header("WWW-Authenticate: Basic realm=$realm");
>>   header('HTTP/1.0 401 Unauthorized');
>>   echo "You have entered invalid credentials";
>>   echo "Click  here  to return to the menu.";
>>   exit();
>>
>> when it doesn't detect the PHP_AUTH_USER or it is an invalid value.
>>
>> So - to effect a signoff, what does one do?   You said to use an invalid value,
>> but what do I do with that?  How do I ignore the 401?   Now I'm getting the
>> signin dialog and I'm stuck.
>
> You don't need to do anything on the server-side. You simply need a JS function
> that sends a request to a URL that requires basic auth, with an Authenticate
> header that contains an invalid username and password. Then, when your server
> responds with a 401 Authentication required (which it should already do for an
> invalid request) you can set location.href to whatever URL you want the logged
> out user to see.
>
> If you don't know how to make a request from Javascript -- commonly known as an
> AJAX request -- then google for it. I'd recommend the jquery library if you
> want a very easy way to do it.
>
> -Stuart

I am familiar with an ajax request (xmlhttprequest) and I have a 
function ready to call a script to effect this signoff.  I just don't 
know what to put in that php script I'm calling.  From what you just 
wrote I'm guessing that my headers as shown previously  may be close - 
I'm confused about your mention of "contains an invalid username...".  
As you can see from my sample I don't include such a thing.






Fwd: [PHP] Basic Auth

2013-08-27 Thread Stuart Dallas
Oops, sent this message from the wrong email address, so the list rejected it.

Begin forwarded message:

> From: Stuart Dallas 
> Subject: Re: [PHP] Basic Auth
> Date: 27 August 2013 16:36:27 BST
> To: jim.gi...@albanyhandball.com
> Cc: php-general@lists.php.net
> 
> On 27 Aug 2013, at 15:59, Jim Giner  wrote:
> 
>> On 8/27/2013 10:55 AM, Stuart Dallas wrote:
>>> On 27 Aug 2013, at 15:51, Jim Giner  wrote:
>>> 
>>>> On 8/27/2013 10:39 AM, Stuart Dallas wrote:
>>>>> On 27 Aug 2013, at 15:18, Jim Giner  wrote:
>>>>> 
>>>>>> On 8/27/2013 10:14 AM, Stuart Dallas wrote:
>>>>>>> It's not really confusing so long as you understand how PHP works. Each 
>>>>>>> request is brand new - nothing is retained from previous requests. The 
>>>>>>> two variables you're changing are set by PHP when the request comes in 
>>>>>>> from the browser. The fact you changed them in a previous request is 
>>>>>>> irrelevant because 1) that change was not communicated to the browser 
>>>>>>> in any way, and 2) PHP doesn't retain any data between requests [1].
>>>>>>> 
>>>>>>> If you've been coding assuming that changes you make to global 
>>>>>>> variables are retained between requests you must have been having some 
>>>>>>> pretty frustrating times!
>>>>>>> 
>>>>>>> -Stuart
>>>>>>> 
>>>>>> Not really - this is the first time I've had something not work as 
>>>>>> expected.
>>>>> That was said with my tongue very much firmly in my cheek, and so is this:
>>>>> 
>>>>>  I've been playing with dynamite since I was 4 - hey, it must be a safe, 
>>>>> proper thing to do!
>>>>> 
>>>>> Just because nothing has blown up in your face yet doesn't mean it won't, 
>>>>> and I'm concerned that you might not actually see how important it is to 
>>>>> make sure you're using the tool correctly.
>>>>> 
>>>>> -Stuart
>>>>> 
>>>> This may very well be the first time with this problem because I haven't 
>>>> tried anything like this before.
>>>> 
>>>> That said - can you give me some pointers on how to do the JS solution?  
>>>> I'm calling a script that is similar to the one I used to signon.  It 
>>>> sends out something like:
>>>> 
>>>>   header("WWW-Authenticate: Basic realm=$realm");
>>>>   header('HTTP/1.0 401 Unauthorized');
>>>>   echo "You have entered invalid credentials";
>>>>   echo "Click  here  to return to the menu.";
>>>>   exit();
>>>> 
>>>> when it doesn't detect the PHP_AUTH_USER or it is an invalid value.
>>>> 
>>>> So - to effect a signoff, what does one do?   You said to use an invalid 
>>>> value, but what do I do with that?  How do I ignore the 401?   Now I'm 
>>>> getting the signin dialog and I'm stuck.
>>> You don't need to do anything on the server-side. You simply need a JS 
>>> function that sends a request to a URL that requires basic auth, with an 
>>> Authenticate header that contains an invalid username and password. Then, 
>>> when your server responds with a 401 Authentication required (which it 
>>> should already do for an invalid request) you can set location.href to 
>>> whatever URL you want the logged out user to see.
>>> 
>>> If you don't know how to make a request from Javascript -- commonly known 
>>> as an AJAX request -- then google for it. I'd recommend the jquery library 
>>> if you want a very easy way to do it.
>>> 
>>> -Stuart
>>> 
>> I am familiar with an ajax request (xmlhttprequest) and I have a function 
>> ready to call a script to effect this signoff.  I just don't know what to 
>> put in that php script I'm calling.  From what you just wrote I'm guessing 
>> that my headers as shown previously  may be close - I'm confused about your 
>> mention of "contains an invalid username...".  As you can see from my sample 
>> I don't include such a thing.
> 
> For the last time: YOU DO NOT NEED TO MAKE ANY CHANGES SERVER-SIDE.
> 
> From the Javascript, request any URL that requires authentication - it 
> doesn't matter. When you make the AJAX request, pass an Authentication header 
> that contains an invalid username and password. If you don't know what I mean 
> by that, please google how HTTP Basic Auth works.
> 
> -Stuart
> 
> -- 
> Stuart Dallas
> 3ft9 Ltd
> http://3ft9.com/





Re: [PHP] Basic Auth

2013-08-27 Thread Stuart Dallas
On 27 Aug 2013, at 17:28, Jim Giner  wrote:

> On 8/27/2013 11:56 AM, Stuart Dallas wrote:
>> Oops, sent this message from the wrong email address, so the list rejected 
>> it.
>> 
>> Begin forwarded message:
>> 
>>> From: Stuart Dallas 
>>> Subject: Re: [PHP] Basic Auth
>>> Date: 27 August 2013 16:36:27 BST
>>> To: jim.gi...@albanyhandball.com
>>> Cc: php-general@lists.php.net
>>> 
>>> On 27 Aug 2013, at 15:59, Jim Giner  wrote:
>>> 
>>>> On 8/27/2013 10:55 AM, Stuart Dallas wrote:
>>>>> On 27 Aug 2013, at 15:51, Jim Giner  wrote:
>>>>> 
>>>>>> On 8/27/2013 10:39 AM, Stuart Dallas wrote:
>>>>>>> On 27 Aug 2013, at 15:18, Jim Giner  
>>>>>>> wrote:
>>>>>>> 
>>>>>>>> On 8/27/2013 10:14 AM, Stuart Dallas wrote:
>>>>>>>>> It's not really confusing so long as you understand how PHP works. 
>>>>>>>>> Each request is brand new - nothing is retained from previous 
>>>>>>>>> requests. The two variables you're changing are set by PHP when the 
>>>>>>>>> request comes in from the browser. The fact you changed them in a 
>>>>>>>>> previous request is irrelevant because 1) that change was not 
>>>>>>>>> communicated to the browser in any way, and 2) PHP doesn't retain any 
>>>>>>>>> data between requests [1].
>>>>>>>>> 
>>>>>>>>> If you've been coding assuming that changes you make to global 
>>>>>>>>> variables are retained between requests you must have been having 
>>>>>>>>> some pretty frustrating times!
>>>>>>>>> 
>>>>>>>>> -Stuart
>>>>>>>>> 
>>>>>>>> Not really - this is the first time I've had something not work as 
>>>>>>>> expected.
>>>>>>> That was said with my tongue very much firmly in my cheek, and so is 
>>>>>>> this:
>>>>>>> 
>>>>>>>  I've been playing with dynamite since I was 4 - hey, it must be a 
>>>>>>> safe, proper thing to do!
>>>>>>> 
>>>>>>> Just because nothing has blown up in your face yet doesn't mean it 
>>>>>>> won't, and I'm concerned that you might not actually see how important 
>>>>>>> it is to make sure you're using the tool correctly.
>>>>>>> 
>>>>>>> -Stuart
>>>>>>> 
>>>>>> This may very well be the first time with this problem because I haven't 
>>>>>> tried anything like this before.
>>>>>> 
>>>>>> That said - can you give me some pointers on how to do the JS solution?  
>>>>>> I'm calling a script that is similar to the one I used to signon.  It 
>>>>>> sends out something like:
>>>>>> 
>>>>>>   header("WWW-Authenticate: Basic realm=$realm");
>>>>>>   header('HTTP/1.0 401 Unauthorized');
>>>>>>   echo "You have entered invalid credentials";
>>>>>>   echo "Click  here  to return to the menu.";
>>>>>>   exit();
>>>>>> 
>>>>>> when it doesn't detect the PHP_AUTH_USER or it is an invalid value.
>>>>>> 
>>>>>> So - to effect a signoff, what does one do?   You said to use an invalid 
>>>>>> value, but what do I do with that?  How do I ignore the 401?   Now I'm 
>>>>>> getting the signin dialog and I'm stuck.
>>>>> You don't need to do anything on the server-side. You simply need a JS 
>>>>> function that sends a request to a URL that requires basic auth, with an 
>>>>> Authenticate header that contains an invalid username and password. Then, 
>>>>> when your server responds with a 401 Authentication required (which it 
>>>>> should already do for an invalid request) you can set location.href to 
>>>>> whatever URL you want the logged out user to see.
>>>>> 
>>>>> If you don't know how to make a request from Javascript -- commonly known 
>>>>> as an AJAX 

Re: [PHP] Basic Auth

2013-08-27 Thread Jim Giner


On 8/27/2013 12:53 PM, Stuart Dallas wrote:
> On 27 Aug 2013, at 17:28, Jim Giner  wrote:
>
>> On 8/27/2013 11:56 AM, Stuart Dallas wrote:
>>> Oops, sent this message from the wrong email address, so the list rejected it.
>>>
>>> Begin forwarded message:
>>>
>>>> From: Stuart Dallas 
>>>> Subject: Re: [PHP] Basic Auth
>>>> Date: 27 August 2013 16:36:27 BST
>>>> To: jim.gi...@albanyhandball.com
>>>> Cc: php-general@lists.php.net
>>>>
>>>> On 27 Aug 2013, at 15:59, Jim Giner  wrote:
>>>>
>>>>> On 8/27/2013 10:55 AM, Stuart Dallas wrote:
>>>>>> On 27 Aug 2013, at 15:51, Jim Giner  wrote:
>>>>>>
>>>>>>> On 8/27/2013 10:39 AM, Stuart Dallas wrote:
>>>>>>>> On 27 Aug 2013, at 15:18, Jim Giner  wrote:
>>>>>>>>
>>>>>>>>> On 8/27/2013 10:14 AM, Stuart Dallas wrote:
>>>>>>>>>> It's not really confusing so long as you understand how PHP works. Each request
>>>>>>>>>> is brand new - nothing is retained from previous requests. The two variables
>>>>>>>>>> you're changing are set by PHP when the request comes in from the browser. The
>>>>>>>>>> fact you changed them in a previous request is irrelevant because 1) that
>>>>>>>>>> change was not communicated to the browser in any way, and 2) PHP doesn't
>>>>>>>>>> retain any data between requests [1].
>>>>>>>>>>
>>>>>>>>>> If you've been coding assuming that changes you make to global variables are
>>>>>>>>>> retained between requests you must have been having some pretty frustrating
>>>>>>>>>> times!
>>>>>>>>>>
>>>>>>>>>> -Stuart
>>>>>>>>>
>>>>>>>>> Not really - this is the first time I've had something not work as expected.
>>>>>>>>
>>>>>>>> That was said with my tongue very much firmly in my cheek, and so is this:
>>>>>>>>
>>>>>>>>   I've been playing with dynamite since I was 4 - hey, it must be a safe,
>>>>>>>> proper thing to do!
>>>>>>>>
>>>>>>>> Just because nothing has blown up in your face yet doesn't mean it won't, and
>>>>>>>> I'm concerned that you might not actually see how important it is to make sure
>>>>>>>> you're using the tool correctly.
>>>>>>>>
>>>>>>>> -Stuart
>>>>>>>
>>>>>>> This may very well be the first time with this problem because I haven't tried
>>>>>>> anything like this before.
>>>>>>>
>>>>>>> That said - can you give me some pointers on how to do the JS solution?  I'm
>>>>>>> calling a script that is similar to the one I used to signon.  It sends out
>>>>>>> something like:
>>>>>>>
>>>>>>>    header("WWW-Authenticate: Basic realm=$realm");
>>>>>>>    header('HTTP/1.0 401 Unauthorized');
>>>>>>>    echo "You have entered invalid credentials";
>>>>>>>    echo "Click  here  to return to the menu.";
>>>>>>>    exit();
>>>>>>>
>>>>>>> when it doesn't detect the PHP_AUTH_USER or it is an invalid value.
>>>>>>>
>>>>>>> So - to effect a signoff, what does one do?   You said to use an invalid value,
>>>>>>> but what do I do with that?  How do I ignore the 401?   Now I'm getting the
>>>>>>> signin dialog and I'm stuck.
>>>>>>
>>>>>> You don't need to do anything on the server-side. You simply need a JS function
>>>>>> that sends a request to a URL that requires basic auth, with an Authenticate
>>>>>> header that contains an invalid username and password. Then, when your server
>>>>>> responds with a 401 Authentication required (which it should already do for an
>>>>>> invalid request) you can set location.href to whatever URL you want the logged
>>>>>> out user to see.
>>>>>>
>>>>>> If you don't know how to make a request from Javascript -- commonly known as an
>>>>>> AJAX request -- then google for it. I'd recommend the jquery library if you
>>>>>> want a very easy way to do it.
>>>>>>
>>>>>> -Stuart
>>>>>
>>>>> I am familiar with an ajax request (xmlhttprequest) and I have a function ready to call a
>>>>> script to effect this signoff.  I just don't know what to put in that php script I'm calling.
>>>>> From what you just wrote I'm guessing that my headers as shown previously  may be close -
>>>>> I'm confused about your mention of "contains an invalid username...".  As you
>>>>> can see from my sample I don't include such a thing.
>>>>
>>>> For the last time: YOU DO NOT NEED TO MAKE ANY CHANGES SERVER-SIDE.
>>>>
>>>> From the Javascript, request any URL that requires authentication - it doesn't
>>>> matter. When you make the AJAX request, pass an Authentication header that
>>>> contains an invalid username and password. If you don't know what I mean by
>>>> that, please google how HTTP Basic Auth works.
>>>>
>>>> -Stuart
>>
>> It's not the basic auth that I'm having the issue with - it's the 'header'
>> thing and understanding what a 401 is doing and how I'm to ignore it.  Never
>> had to play with these things before and this part is all new.  Let's face it -
>> I'm an applications guy, not a systems guy. All this talk of headers and such
>> is greek to me.
>
> HTTP headers are as important for application guys as they are for systems
> guys. I appreciate that this may be new to you, but it's pretty basic knowledge
> about how HTTP works.
>
> Basic auth is simple, and you need to understand how it works to understand
> what I've been trying to say. Here's how HTTP auth works:
>
> 1) Browser hits page.
> 2) The PHP script knows this page requires HTTP Auth, checks the
> PHP_AUTH_[USER|PW] variables but doesn't find anything, so it responds with an
> HTTP status of 401 Unauthorised.
> 3) The browser gets the 401 response and displa

Re: [PHP] Basic Auth

2013-08-28 Thread Jim Giner

Stuart,

Just wanted to follow up with my thanks for your excellent help in 
providing understanding of how to generate the 401 error page and 
getting me thru the process of performing a sign-out from basic auth. 
Without your patience it never would have happened.


Also wanted to tell you that I've scrapped it all.  Keeping the code for 
a rainy day of course, but giving up on using it (as well as the basic 
auth signon process) to use my own 'roll-your-own' code.  Since IE 
insisted on presenting multiple credentials during the signon process it 
was a futile effort to be doing a signoff.  And yes - I've taken the 
proper precautions to hash the incoming password value before submission 
and storing in my db that way.


Thanks again.  It's help like this that makes this group such a great 
resource.





Re: [PHP] Basic Auth

2013-08-28 Thread Stuart Dallas
On 27 Aug 2013, at 18:45, Jim Giner  wrote:

> From your latest missive I gleaned that I needed to have a script on my server

One last time: YOU DON'T NEED TO CHANGE ANYTHING ON THE SERVER-SIDE!

Ok, I see that you've decided to use another method, which is great; HTTP auth 
is a pretty antiquated way to handle authentication these days. Whatever you're 
using, I wish you all the best with it.

-Stuart

-- 
Stuart Dallas
3ft9 Ltd
http://3ft9.com/

[PHP] Basic Auth question

2003-07-01 Thread Dave Carrera
I have an issue with basic auth which I hope someone here can throw some
light on.

1) I have already got my SESSION auth working well

2) Once someone logs in I need to send some basic auth info to a dir on
another server to let my logged in user to view it. This is where I am stuck
:-(

I think one answer is 

http://username:[EMAIL PROTECTED]://www.domain.name/dir);
}
?>

Is that anyway close or have I got it the wrong way around?

Any help is appreciated.

Dave C
 




[PHP] basic auth question

2003-11-23 Thread Dennis Gearon
Please CC me, I am on digest
--
If I have a directory like:
   $HOME/www/ (document root)
It has an auth section in the .htaccess file
   $HOME/www/.htaccess
another directory like:
$HOME/www/want_to_be_public/
How can I defeat the auth section in the
   $HOME/www/.htaccess
file by commands in the:
   $HOME/www/want_to_be_public/.htaccess
file?


Re: Fwd: [PHP] Basic Auth

2013-08-27 Thread Jim Giner

On 8/27/2013 11:56 AM, Stuart Dallas wrote:

Oops, sent this message from the wrong email address, so the list rejected it.

Begin forwarded message:


From: Stuart Dallas 
Subject: Re: [PHP] Basic Auth
Date: 27 August 2013 16:36:27 BST
To: jim.gi...@albanyhandball.com
Cc: php-general@lists.php.net

On 27 Aug 2013, at 15:59, Jim Giner  wrote:


On 8/27/2013 10:55 AM, Stuart Dallas wrote:

On 27 Aug 2013, at 15:51, Jim Giner  wrote:


On 8/27/2013 10:39 AM, Stuart Dallas wrote:

On 27 Aug 2013, at 15:18, Jim Giner  wrote:


On 8/27/2013 10:14 AM, Stuart Dallas wrote:

It's not really confusing so long as you understand how PHP works. Each request 
is brand new - nothing is retained from previous requests. The two variables 
you're changing are set by PHP when the request comes in from the browser. The 
fact you changed them in a previous request is irrelevant because 1) that 
change was not communicated to the browser in any way, and 2) PHP doesn't 
retain any data between requests [1].

If you've been coding assuming that changes you make to global variables are 
retained between requests you must have been having some pretty frustrating 
times!

-Stuart


Not really - this is the first time I've had something not work as expected.

That was said with my tongue very much firmly in my cheek, and so is this:

  I've been playing with dynamite since I was 4 - hey, it must be a safe, 
proper thing to do!

Just because nothing has blown up in your face yet doesn't mean it won't, and 
I'm concerned that you might not actually see how important it is to make sure 
you're using the tool correctly.

-Stuart


This may very well be the first time with this problem because I haven't tried 
anything like this before.

That said - can you give me some pointers on how to do the JS solution?  I'm 
calling a script that is similar to the one I used to signon.  It sends out 
something like:

   header("WWW-Authenticate: Basic realm=$realm");
   header('HTTP/1.0 401 Unauthorized');
   echo "You have entered invalid credentials";
   echo "Click  here  to return to the menu.";
   exit();

when it doesn't detect the PHP_AUTH_USER or it is an invalid value.

So - to effect a signoff, what does one do?   You said to use an invalid value, 
but what do I do with that?  How do I ignore the 401?   Now I'm getting the 
signin dialog and I'm stuck.

You don't need to do anything on the server-side. You simply need a JS function 
that sends a request to a URL that requires basic auth, with an Authenticate 
header that contains an invalid username and password. Then, when your server 
responds with a 401 Authentication required (which it should already do for an 
invalid request) you can set location.href to whatever URL you want the logged 
out user to see.

If you don't know how to make a request from Javascript -- commonly known as an 
AJAX request -- then google for it. I'd recommend the jquery library if you 
want a very easy way to do it.

-Stuart


I am familiar with an ajax request (xmlhttprequest) and I have a function ready to call a 
script to effect this signoff.  I just don't know what to put in that php script I'm calling.  
From what you just wrote I'm guessing that my headers as shown previously  may be close - 
I'm confused about your mention of "contains an invalid username...".  As you 
can see from my sample I don't include such a thing.


For the last time: YOU DO NOT NEED TO MAKE ANY CHANGES SERVER-SIDE.

 From the Javascript, request any URL that requires authentication - it doesn't 
matter. When you make the AJAX request, pass an Authentication header that 
contains an invalid username and password. If you don't know what I mean by 
that, please google how HTTP Basic Auth works.

-Stuart

--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/


It's not the basic auth that I'm having the issue with - it's the 
'header' thing and understanding what a 401 is doing and how I'm to 
ignore it.  Never had to play with these things before and this part is 
all new.  Let's face it - I'm an applications guy, not a systems guy. 
All this talk of headers and such is Greek to me.


I have spent the last hour googling away on this topic - still no 
understanding.
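
The sign-off request discussed in the message above, as an added example that is not part of the original thread. It shows the `Authorization: Basic ...` request header the browser sends on every request (the server's challenge is the `WWW-Authenticate` header), how the server reads it, and the XMLHttpRequest that deliberately earns a 401; the URLs, the `logout` user name and the `env` parameter are assumptions.

```javascript
// Added illustration, not code from the thread.

// What the browser attaches to every request once the user has signed in.
// PHP fills PHP_AUTH_USER / PHP_AUTH_PW from this header on each request,
// which is why unset() on the server changes nothing for the next request.
function basicAuthHeader(user, password) {
  return 'Basic ' + btoa(user + ':' + password);
}

// Server-side view of the same header value.
function parseBasicAuth(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+\/=]+)$/.exec(headerValue || '');
  if (!m) return null;
  const decoded = atob(m[1]);
  const i = decoded.indexOf(':');   // only the first ':' separates the fields
  if (i < 0) return null;
  return { user: decoded.slice(0, i), password: decoded.slice(i + 1) };
}

// Sign-off: request a protected URL with credentials that cannot be valid,
// accept the 401, then send the user to the post-logout page.
// env (hypothetical) lets the function be exercised outside a browser.
function basicAuthLogout(protectedUrl, afterUrl, env) {
  env = env || {};
  const XHR = env.XMLHttpRequest || XMLHttpRequest;
  const go = env.navigate || function (u) { window.location.href = u; };
  const xhr = new XHR();
  // Arguments 4 and 5 of open() are the username and password to send.
  xhr.open('GET', protectedUrl, true, 'logout', 'invalid-' + Date.now());
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) return;
    // 401 is the expected answer here, not an error to show the user.
    if (env.onDone) env.onDone(xhr.status === 401);
    go(afterUrl);
  };
  xhr.send();
}
```

Whether the browser then drops the credentials it had cached is browser-dependent, which matches the Internet Explorer behaviour reported elsewhere in this thread.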





Re: [PHP] Basic Auth question

2003-07-01 Thread ed

 That is one way to try it but I haven't been able to get it to work.
Questions about PHP variable authentication through .htaccess protected
directories have been brought up many times since I've been on this list
but have never been completely answered. Apparently it cannot be done. The
closest thing you can do is create a .htaccess type pop up with PHP but
the username and password still have to be entered via the user which is
what I take to be what you are trying to avoid.

Ed Curtis


On Tue, 1 Jul 2003, Dave Carrera wrote:

> I have an issue with basic auth which I hope someone here can throw some
> light on.
> 
> 1) I have already got my SESSION auth working well
> 
> 2) Once someone logs in I need to send some basic auth info to a dir on
> another server to let my logged in user view it. This is where I am stuck
> :-(
> 
> I think one answer is 
> 
>   If(isset($_SESSION[userokcode])){
> 
>   header(Location http://username:[EMAIL PROTECTED]://www.domain.name/dir);
> }
> ?>
> 
> Is that anyway close or have I got it the wrong way around?
> 
> Any help is appreciated.
> 
> Dave C





RE: [PHP] basic auth question

2003-11-24 Thread Jay Blanchard
[snip]
Please CC me, I am on digest
--
If I have a directory like:
$HOME/www/ (document root)
It has an auth section in the .htaccess file
$HOME/www/.htaccess

another directory like:
$HOME/www/want_to_be_public/

How can I defeat the auth section in the
$HOME/www/.htaccess
file by commands in the:
$HOME/www/want_to_be_public/.htaccess
file?
[/snip]

Have you consulted the docs at http://www.apache.org ? That is where you
will find the answer to this question.




[PHP] PHP - Basic Auth - Cpanel

2004-04-08 Thread Ryan A
Hi,
A client is selling hosting from his site, and _his_ clients get their own
control panel from CPanel,
for the sake of understanding I will name my client A and his client(s) B.

When B needs to log into his cpanel he basically goes to a url like
this:
http://hisSite.com/cpanel/
then the Basic Auth pop-up screen comes up, he enters his user/pass

My client (A) has got a new damn template which has a "username" and
"password" field in it, he wants me
to make it so that whenever B enters his username and pass he gets logged
into cpanel.

My questions:
How do I know where to send the data? (eg: which is the authenticating
file?)
Do I pass it as a GET or a POST or what? URL encode?

Thanks,
-Ryan A




RE: [PHP] PHP - Basic Auth - Cpanel

2004-04-08 Thread Aaron Wolski
Hi Ryan,

This question would likely be best served at the following sites:

http://forums.cpanel.net
http://forums.servermatrix.com
www.webhostingtalk.com

Happy hunting :)

HTH

Aaron


> -----Original Message-----
> From: Ryan A [mailto:[EMAIL PROTECTED] 
> Sent: April 8, 2004 3:26 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] PHP - Basic Auth - Cpanel
> 
> 
> Hi,
> A client is selling hosting from his site, and _his_ clients 
> get their own control panel from CPanel, for the sake of 
> understanding I will name my client A and his client(s) B.
> 
> When B needs to log into his cpanel he basically goes to 
> a url like
> this:
> http://hisSite.com/cpanel/
> then the Basic Auth pop-up screen comes up, he enters his 
> user/pass
> 
> My client (A) has got a new damn template which has a 
> "username" and "password" field in it, he wants me to make it 
> so that whenever B enters his username and pass he gets 
> logged into cpanel.
> 
> My questions:
> How do I know where to send the data? (eg: which is the authenticating
> file?)
> Do I pass it as a GET or a POST or what? URL encode?
> 
> Thanks,
> -Ryan A




Re: [PHP] PHP - Basic Auth - Cpanel

2004-04-08 Thread Marek Kilimajer
Ryan A wrote:
> Hi,
> A client is selling hosting from his site, and _his_ clients get their own
> control panel from CPanel,
> for the sake of understanding I will name my client A and his client(s) B.
>
> When B needs to log into his cpanel he basically goes to a url like
> this:
> http://hisSite.com/cpanel/
> then the Basic Auth pop-up screen comes up, he enters his user/pass
>
> My client (A) has got a new damn template which has a "username" and
> "password" field in it, he wants me
> to make it so that whenever B enters his username and pass he gets logged
> into cpanel.
>
> My questions:
> How do I know where to send the data? (eg: which is the authenticating
> file?)
> Do I pass it as a GET or a POST or what? URL encode?

You need to tell the browser to use the log in credentials, this is done 
by redirecting the browser to http://username:[EMAIL PROTECTED]/.

However this does not work with IE with the latest security patch 
installed, I think. It forbids to set username and password in a url.



Re: [PHP] PHP - Basic Auth - Cpanel

2004-04-08 Thread Ryan A
> > My questions:
> > How do I know where to send the data? (eg: which is the authenticating
> > file?)
> > Do I pass it as a GET or a POST or what? URL encode?
>
> You need to tell the browser to use the log in credentials, this is done
> by redirecting the browser to http://username:[EMAIL PROTECTED]/.
>
> However this does not work with IE with the latest security patch
> installed, I think. It forbids to set username and password in a url.

Yep, had that problem. MS always to the rescue to complicate and screw up
set standards.
Any work arounds on how to do it if the person is running IE with the latest
patch?

Cheers,
-Ryan




Re: [PHP] PHP - Basic Auth - Cpanel

2004-04-09 Thread Hernan Marino
This is a problem I had with my own control panel for letting logged
in users use phpmyAdmin.
I just set in the redirection script the $_SERVER['PHP_AUTH_USER']
and $_SERVER['PHP_AUTH_PW'] so the popup doesn't show up. But if cpanel
doesn't use PHP, and just a passwd file with an .htaccess file, NO WAY to
accomplish what you want. I've spent hours trying to figure it out.
I also tried to set some vars in the HTTP headers and then redirect
using mod_rewrite of apache, and nothing, no way.

Please, let us know if you find the solution. Thanks a lot!

H Marino


On Fri, 9 Apr 2004 01:12:25 +0200, Ryan A wrote:
> > My questions:
> > How do I know where to send the data? (eg: which is the authenticating
> > file?)
> > Do I pass it as a GET or a POST or what? URL encode?
>
> You need to tell the browser to use the log in credentials, this is done
> by redirecting the browser to http://username:[EMAIL PROTECTED]/.
>
> However this does not work with IE with the latest security patch
> installed, I think. It forbids to set username and password in a url.

Yep, had that problem. MS always to the rescue to complicate and screw up
set standards.
Any work arounds on how to do it if the person is running IE with the latest
patch?

Cheers,
-Ryan
