Re: [PHP] HTTP Authentication [ SOLVED ]
On Wed, Nov 19, 2008 at 12:47 PM, Thiago H. Pojda <[EMAIL PROTECTED]> wrote: > On Wed, Nov 19, 2008 at 12:15 PM, Andrew Ballard <[EMAIL PROTECTED]> wrote: >> >> On Wed, Nov 19, 2008 at 9:26 AM, Thiago H. Pojda <[EMAIL PROTECTED]> >> wrote: >> > Guys, >> > >> > I have to access a WS that uses HTTP auth directly with PHP. >> > >> > I've tried using the usual http://user:[EMAIL PROTECTED]/ but I couldn't >> > get it >> > working. I believe it has something to do with the password containing a >> > # >> > (can't change it) and the browser thinks it's an achor or something. >> > >> > All I've seen were scripts to implement HTTP Auth in PHP, nothing about >> > actually logging in with PHP. >> > >> > Is it possible to send the authentication headers the first time I >> > access >> > the link? I could send all necessary headers to the page I'm trying to >> > access and retrieve it's content at once. >> > >> > >> > Thanks, >> > -- >> > Thiago Henrique Pojda >> > >> >> You're passing the username and password as part of a URL, so >> shouldn't the username and password be urlencoded? I'm thinking it >> will work if you replace the '#' sign with %23. >> >> Andrew > > I only tried thworing urlencode on everything, which obviously didn't work. > > Both ways worked, using %23 for '#' and the snippet from Nathan. > > > Thanks a lot everyone, I was about to build all the headers and stuff :P > > Regards, > -- > Thiago Henrique Pojda > Yes. If you go that route, you have to separately urlencode each piece of data rather than the whole URL because you don't want the valid delimiters like the colon, @ symbol, slashes, etc. to get encoded. Andrew -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HTTP Authentication [ SOLVED ]
On Wed, Nov 19, 2008 at 2:49 PM, Boyd, Todd M. <[EMAIL PROTECTED]> wrote: > > -Original Message- > > From: Thiago H. Pojda [mailto:[EMAIL PROTECTED] > > Sent: Wednesday, November 19, 2008 11:47 AM > > To: Andrew Ballard > > Cc: PHP-General List > > Subject: Re: [PHP] HTTP Authentication [ SOLVED ] > > > > On Wed, Nov 19, 2008 at 12:15 PM, Andrew Ballard <[EMAIL PROTECTED]> > > wrote: > > > > > On Wed, Nov 19, 2008 at 9:26 AM, Thiago H. Pojda > > <[EMAIL PROTECTED]> > > > wrote: > > > > Guys, > > > > > > > > I have to access a WS that uses HTTP auth directly with PHP. > > > > > > > > I've tried using the usual http://user:[EMAIL PROTECTED]/ but I > > couldn't > > > get it > > > > working. I believe it has something to do with the password > > containing a > > > # > > > > (can't change it) and the browser thinks it's an achor or > > something. > > > > > > > > All I've seen were scripts to implement HTTP Auth in PHP, nothing > > about > > > > actually logging in with PHP. > > > > > > > > Is it possible to send the authentication headers the first time I > > access > > > > the link? I could send all necessary headers to the page I'm > trying > > to > > > > access and retrieve it's content at once. > > > > > > > > > > > > Thanks, > > > > -- > > > > Thiago Henrique Pojda > > > > > > > > > > You're passing the username and password as part of a URL, so > > > shouldn't the username and password be urlencoded? I'm thinking it > > > will work if you replace the '#' sign with %23. > > > > > > Andrew > > > > > > > I only tried thworing urlencode on everything, which obviously didn't > > work. > > > > Both ways worked, using %23 for '#' and the snippet from Nathan. > > > > > > Thanks a lot everyone, I was about to build all the headers and stuff > > :P > > "All the headers," meaning 2? :) Glad to hear you've solved your > problem, anyway.. > > > // Todd > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > Haha, yes, 'all' those :) I thought there were many more, thankfully it only needed Basic and the other - which I forgot now. Thank you too :) -- Thiago Henrique Pojda
RE: [PHP] HTTP Authentication [ SOLVED ]
> -Original Message- > From: Thiago H. Pojda [mailto:[EMAIL PROTECTED] > Sent: Wednesday, November 19, 2008 11:47 AM > To: Andrew Ballard > Cc: PHP-General List > Subject: Re: [PHP] HTTP Authentication [ SOLVED ] > > On Wed, Nov 19, 2008 at 12:15 PM, Andrew Ballard <[EMAIL PROTECTED]> > wrote: > > > On Wed, Nov 19, 2008 at 9:26 AM, Thiago H. Pojda > <[EMAIL PROTECTED]> > > wrote: > > > Guys, > > > > > > I have to access a WS that uses HTTP auth directly with PHP. > > > > > > I've tried using the usual http://user:[EMAIL PROTECTED]/ but I > couldn't > > get it > > > working. I believe it has something to do with the password > containing a > > # > > > (can't change it) and the browser thinks it's an achor or > something. > > > > > > All I've seen were scripts to implement HTTP Auth in PHP, nothing > about > > > actually logging in with PHP. > > > > > > Is it possible to send the authentication headers the first time I > access > > > the link? I could send all necessary headers to the page I'm trying > to > > > access and retrieve it's content at once. > > > > > > > > > Thanks, > > > -- > > > Thiago Henrique Pojda > > > > > > > You're passing the username and password as part of a URL, so > > shouldn't the username and password be urlencoded? I'm thinking it > > will work if you replace the '#' sign with %23. > > > > Andrew > > > > I only tried thworing urlencode on everything, which obviously didn't > work. > > Both ways worked, using %23 for '#' and the snippet from Nathan. > > > Thanks a lot everyone, I was about to build all the headers and stuff > :P "All the headers," meaning 2? :) Glad to hear you've solved your problem, anyway.. // Todd -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HTTP Authentication [ SOLVED ]
On Wed, Nov 19, 2008 at 12:15 PM, Andrew Ballard <[EMAIL PROTECTED]> wrote: > On Wed, Nov 19, 2008 at 9:26 AM, Thiago H. Pojda <[EMAIL PROTECTED]> > wrote: > > Guys, > > > > I have to access a WS that uses HTTP auth directly with PHP. > > > > I've tried using the usual http://user:[EMAIL PROTECTED]/ but I couldn't > get it > > working. I believe it has something to do with the password containing a > # > > (can't change it) and the browser thinks it's an achor or something. > > > > All I've seen were scripts to implement HTTP Auth in PHP, nothing about > > actually logging in with PHP. > > > > Is it possible to send the authentication headers the first time I access > > the link? I could send all necessary headers to the page I'm trying to > > access and retrieve it's content at once. > > > > > > Thanks, > > -- > > Thiago Henrique Pojda > > > > You're passing the username and password as part of a URL, so > shouldn't the username and password be urlencoded? I'm thinking it > will work if you replace the '#' sign with %23. > > Andrew > I only tried thworing urlencode on everything, which obviously didn't work. Both ways worked, using %23 for '#' and the snippet from Nathan. Thanks a lot everyone, I was about to build all the headers and stuff :P Regards, -- Thiago Henrique Pojda
Re: [PHP] HTTP Authentication
On Wed, Nov 19, 2008 at 9:26 AM, Thiago H. Pojda <[EMAIL PROTECTED]> wrote: > Guys, > > I have to access a WS that uses HTTP auth directly with PHP. > > I've tried using the usual http://user:[EMAIL PROTECTED]/ but I couldn't get > it > working. I believe it has something to do with the password containing a # > (can't change it) and the browser thinks it's an achor or something. > > All I've seen were scripts to implement HTTP Auth in PHP, nothing about > actually logging in with PHP. > > Is it possible to send the authentication headers the first time I access > the link? I could send all necessary headers to the page I'm trying to > access and retrieve it's content at once. > > > Thanks, > -- > Thiago Henrique Pojda > You're passing the username and password as part of a URL, so shouldn't the username and password be urlencoded? I'm thinking it will work if you replace the '#' sign with %23. Andrew -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] HTTP Authentication
> -Original Message- > From: Craige Leeder [mailto:[EMAIL PROTECTED] > Sent: Wednesday, November 19, 2008 8:35 AM > To: Thiago H. Pojda > Cc: PHP-General List > Subject: Re: [PHP] HTTP Authentication > > Thiago H. Pojda wrote: > > Guys, > > > > I have to access a WS that uses HTTP auth directly with PHP. > > > > I've tried using the usual http://user:[EMAIL PROTECTED]/ but I couldn't > get it > > working. I believe it has something to do with the password > containing a # > > (can't change it) and the browser thinks it's an achor or something. > > > > All I've seen were scripts to implement HTTP Auth in PHP, nothing > about > > actually logging in with PHP. > > > > Is it possible to send the authentication headers the first time I > access > > the link? I could send all necessary headers to the page I'm trying > to > > access and retrieve it's content at once. > > > > > > Thanks, > > > > > Why don't you let yourself in regardless of the credentials and print > them out to make sure they're being evaluated as you expect. Well... he said he needs to access a WS, not that he administrates it or has any control over the authentication, etc. As for the Basic Authentication, I believe you can send the authentication info in the headers (instead of the URL). If you have problems implementing that in straight PHP, perhaps cURL could be of some assistance. http://www.httprevealer.com/article_basic_authentication.htm - this outlines the header formats, etc... just remember--you will need to Base64 encode "username:password" for the "Authorization" header. HTH, // Todd -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HTTP Authentication
On Wed, Nov 19, 2008 at 11:34 AM, Craige Leeder <[EMAIL PROTECTED]> wrote: > Thiago H. Pojda wrote: > >> Guys, >> >> I have to access a WS that uses HTTP auth directly with PHP. >> >> I've tried using the usual http://user:[EMAIL PROTECTED]/ but I couldn't get >> it >> working. I believe it has something to do with the password containing a # >> (can't change it) and the browser thinks it's an achor or something. >> >> All I've seen were scripts to implement HTTP Auth in PHP, nothing about >> actually logging in with PHP. >> >> Is it possible to send the authentication headers the first time I access >> the link? I could send all necessary headers to the page I'm trying to >> access and retrieve it's content at once. >> >> >> Thanks, >> >> > Why don't you let yourself in regardless of the credentials and print them > out to make sure they're being evaluated as you expect. > > - Craige > I can' t change the WebService, it's not mine. If it were, I could manage to test some stuff but now all I can do is type it's address in my browser, login and see the content I want my app to see. Thanks, -- Thiago Henrique Pojda
Re: [PHP] HTTP Authentication
Thiago H. Pojda wrote: Guys, I have to access a WS that uses HTTP auth directly with PHP. I've tried using the usual http://user:[EMAIL PROTECTED]/ but I couldn't get it working. I believe it has something to do with the password containing a # (can't change it) and the browser thinks it's an achor or something. All I've seen were scripts to implement HTTP Auth in PHP, nothing about actually logging in with PHP. Is it possible to send the authentication headers the first time I access the link? I could send all necessary headers to the page I'm trying to access and retrieve it's content at once. Thanks, Why don't you let yourself in regardless of the credentials and print them out to make sure they're being evaluated as you expect. - Craige -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] HTTP Authentication
Guys, I have to access a WS that uses HTTP auth directly with PHP. I've tried using the usual http://user:[EMAIL PROTECTED]/ but I couldn't get it working. I believe it has something to do with the password containing a # (can't change it) and the browser thinks it's an achor or something. All I've seen were scripts to implement HTTP Auth in PHP, nothing about actually logging in with PHP. Is it possible to send the authentication headers the first time I access the link? I could send all necessary headers to the page I'm trying to access and retrieve it's content at once. Thanks, -- Thiago Henrique Pojda
[PHP] http authentication with safe mode enabled?!
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi to you all. I've been pulling my hair out over this issue and I really hope YOU can help me. A part of the website that I'm having the problems with should be password protected (nothing much, just to have a slight notion of it not being publicly available, so no SSL or other Stuff) so I wrote this function based on an example from the php manual which does just that. Problem is that on my ISPs server safe_mode is enabled and so as it says in the manual: | As of PHP 4.3.0, in order to prevent someone from writing a script | which reveals the password for a page that was authenticated through | a traditional external mechanism, the PHP_AUTH variables will not be | set if external authentication is enabled for that particular page | and safe mode is enabled. Regardless, REMOTE_USER can be used to | identify the externally-authenticated user. So, you can use | $_SERVER['REMOTE_USER']. My code looks like this: function auth($file) { $username = $_SERVER['PHP_AUTH_USER']; $password = $_SERVER['PHP_AUTH_PW']; $http_401 = './auth/unauthorized.html'; $realm = 'Intern'; if (!isset($username) || !isset($password)) { header("WWW-Authenticate: Basic realm=\"$realm\""); header('HTTP/1.0 401 Unauthorized'); include $http_401; } else { if (($username != 'XXX') && (crypt($password, 'XX') != 'X')) { include $http_401; } else { include $file; } ~ } } Now as you can see I'm also checking wether there was no password entered in contrast to the example from the manual. Of course I could leave that part out and set $username = $_SERVER['REMOTE_USER']; But how the hell am I supposed to check for a correct password if $_SERVER['PHP_AUTH_PW'] is not set? If safe mode is disabled everything works just fine (checked on my on box with apache 1.3), so in theory it's working. Please help me guys I'd be grateful for any help provided. -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCPXCen0kyIx7rF68RAmq5AJsHC5HIm4lvnHp3gbOVVR0NcArTkwCgj7y5 8cU2qnxDeeWaDDIeFElroQk= =F0Wq -END PGP SIGNATURE- -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HTTP Authentication in include()
--- Matt Wondra <[EMAIL PROTECTED]> wrote: > I'm trying to include a file from an HTTP Authenticated server > in PHP. I have a valid username and password. Is there any way > to remotely login and include the file? > > Ex: > > include("https://www.url.com/incl1.php";); When allow_url_fopen is enabled, you can include a remote URL, similar to what you've shown. What PHP does for you is send an HTTP request to the remote server, receive the response, and include the content just as if you included a local file. It is this request that PHP sends that needs to have the Authorization header. To my knowledge, there is no way to add your own headers to this request made on your behalf, although you could certainly hack PHP's source to allow such a thing. What you can do is write your own code to make a request. I'll give you a quick example, but keep in mind that I'm just typing this out in an email, and it is likely to contain bugs. :-) -- $username = 'myuser'; $password = 'mypass'; $host = 'example.org'; $path = '/path/to/script.php'; $authorization = base64_encode("$username:$password); $http_response = ''; $fp = fsockopen($host, 80); fputs($fp, "GET $path HTTP/1.1\r\n"); fputs($fp, "Host: $host\r\n"); fputs($fp, "Authorization: $authorization\r\n"); fputs($fp, "Connection: close\r\n\r\n"); fputs($fp, $data); while (!feof($fp)) { $http_response .= fgets($fp, 128); } fclose($fp); -- Your example cites a URL with the https scheme. To speak SSL, this example will of course require some enhancements, but hopefully this answers your question. Chris = Chris Shiflett - http://shiflett.org/ PHP Security - O'Reilly Coming Fall 2004 HTTP Developer's Handbook - Sams http://httphandbook.org/ PHP Community Site http://phpcommunity.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HTTP Authentication in include()
On Friday 03 September 2004 05:27, Matt Wondra wrote: > I'm trying to include a file from an HTTP Authenticated server in PHP. I > have a valid username and password. Is there any way to remotely login and > include the file? > > Ex: > > include("https://www.url.com/incl1.php";); // Trying to include from > password-protected site include('https://user:[EMAIL PROTECTED]/incl1.php') -- Jason Wong -> Gremlins Associates -> www.gremlins.biz Open Source Software Systems Integrators * Web Design & Hosting * Internet & Intranet Applications Development * -- Search the list archives before you post http://marc.theaimsgroup.com/?l=php-general -- /* I am the wandering glitch -- catch me if you can. */ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] HTTP Authentication in include()
Howdy. I'm trying to include a file from an HTTP Authenticated server in PHP. I have a valid username and password. Is there any way to remotely login and include the file? Ex: include("https://www.url.com/incl1.php";); // Trying to include from password-protected site How do I get past the 401 Authorization Required errors? Thanks. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] HTTP Authentication take so long, why??OT
[snip] I am wondering why is the HTTP Authentication is taking so long to pop-up once the link/button is clicked. Like 2 minutes I'm using Apache and there is no PHP being used for HTTP Authentication stuffs as I thought it did. I thought one of you might know of this because of previous experience. The database is not hte issue here, the firewall is not the issue here and the webserver is at offsite. I think it is something with Apache or the SSL part.. This webpage is on the SSL part... [/snip] Maybe an Apache list would help you much more quickly. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] HTTP Authentication take so long, why??
Hi! I am wondering why is the HTTP Authentication is taking so long to pop-up once the link/button is clicked. Like 2 minutes I'm using Apache and there is no PHP being used for HTTP Authentication stuffs as I thought it did. I thought one of you might know of this because of previous experience. The database is not hte issue here, the firewall is not the issue here and the webserver is at offsite. I think it is something with Apache or the SSL part.. This webpage is on the SSL part... --snip-- Admin Login --snip-- The httpd.conf in Apache is ... --snip-- Options FollowSymLinks ExecCGI DirectoryIndex main_menu.php AllowOverride All Order deny,allow AuthName "-= DB2 Database Administration Realm =-" AuthType Basic AuthUserFile /usr/local/apache/conf/db2_access require valid-user AuthGroupFile /dev/null --snip-- Thanks, FletchSOD -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] http authentication through PHP
Scott Taylor wrote: What is the easiest way to access a page that is protected by HTTP basic authentication through PHP? In other words, I have a PHP page that will get the username and password off a database and will then login through HTTP authentication to access a second page (say an HTML page). I believe Snoopy can do this http://snoopy.sourceforge.net -- Burhan -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] http authentication through PHP
--- Scott Taylor <[EMAIL PROTECTED]> wrote: > What is the easiest way to access a page that is protected by HTTP > basic authentication through PHP? You should be able to indicate the username and password in the URL: http://username:[EMAIL PROTECTED]/path/to/script.php Hope that helps. Chris = Chris Shiflett - http://shiflett.org/ PHP Security Handbook Coming mid-2004 HTTP Developer's Handbook http://httphandbook.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] http authentication through PHP
What is the easiest way to access a page that is protected by HTTP basic authentication through PHP? In other words, I have a PHP page that will get the username and password off a database and will then login through HTTP authentication to access a second page (say an HTML page). Best regards, Scott Taylor -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HTTP Authentication thru PHP
Jay Blanchard wrote: Or colons. It is a Bad Practice[tm] to use any special characters in user names and/or passwords. It is not universally allowed from OS to OS I disagree with this : special characters are useful to have better passwords (more difficult to crack), but as apache stores the souples login:password_crypt, of course : is the only really forbidden character. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] HTTP Authentication thru PHP
[snip] I think I can remember semi-colon is not allowed in apache logins or passwords... >But the above is not working when the $username contains a trailing >semicolon >or when the $password is starting with a semicolon, >Ex: what if the $username ="chandu:" [/snip] Or colons. It is a Bad Practice[tm] to use any special characters in user names and/or passwords. It is not universally allowed from OS to OS -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HTTP Authentication thru PHP
I think I can remember semi-colon is not allowed in apache logins or passwords... Chandu Nannapaneni wrote: hello all , I'm able to get successfully http authenticated from my php scripts Ex : $header = "POST /myscript.php HTTP/1.0\r\nAuthorization: Basic "; $header .= base64_encode("$username:$password")."\r\n"; $header .= "Content-type: application/x-www-form-urlencoded\r\n"; $fp = fsockopen($IP, $PORT, $errno, $errstr); if ($fp) { fputs($fp, $header . $request); while (!feof($fp)) { $response .= fgets($fp, 128); } } But the above is not working when the $username contains a trailing semicolon or when the $password is starting with a semicolon, Ex: what if the $username ="chandu:" Is there any solution for this ? /Chandu -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] HTTP Authentication thru PHP
Hi, > But the above is not working when the $username contains a trailing > semicolon > or when the $password is starting with a semicolon, > Ex: what if the $username ="chandu:" > > Is there any solution for this ? You could use str_replace to strip those before they get used. -Dan Joseph -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] HTTP Authentication thru PHP
hello all , I'm able to get successfully http authenticated from my php scripts Ex : $header = "POST /myscript.php HTTP/1.0\r\nAuthorization: Basic "; $header .= base64_encode("$username:$password")."\r\n"; $header .= "Content-type: application/x-www-form-urlencoded\r\n"; $fp = fsockopen($IP, $PORT, $errno, $errstr); if ($fp) { fputs($fp, $header . $request); while (!feof($fp)) { $response .= fgets($fp, 128); } } But the above is not working when the $username contains a trailing semicolon or when the $password is starting with a semicolon, Ex: what if the $username ="chandu:" Is there any solution for this ? /Chandu
[PHP] HTTP Authentication does not work
I have tried using HTTP Authentication as described in the documentation. But it does not matter how many times i type in login/password, the popup keeps coming back. The server, mandrake 9.1, uses safe mode, so PHP_AUTH_USER and PHP_AUTH_PW does not work. $_SERVER['REMOTE_USER'] does not work either. Does anyone have any ideas? Peter Holmberg -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] HTTP-authentication
Hiya people, I am building a admin page for a guestbook and i want more people to be able to log in. I have made a table in the database called user(gebruikers) wich keeps both a loginname(loginnaam) and password. I have 2 users in this table right now. Now i ve a problem.. I can login with the first person (myself), but i am unable to login with the second user. Here is my code, i hope someone can help me..:) Thanks already.. Best regards, Davy Obdam, mailto:[EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HTTP authentication - de authentication
>From: "vic" <[EMAIL PROTECTED]> > Sent: Saturday, August 10, 2002 11:24 AM >Subject: [PHP] HTTP authentication - de authentication > How does one logout from such an authentication? There's no way to logout. Use a session based authentication. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] HTTP authentication - de authentication
How does one logout from such an authentication? I know that through a HTTP status code, but how exactly? Everything I tried allows the browser to view the page info after "logout" if the user hits the back button. The only way I found it works if the user closes the browser window, but I can't make sure they do, so *how do I make sure they do?* Is there a script to better de-autheticate from such an authentication method, or to make the browser close the window? // ___ AUTHENTICATION SCRIPT _ $auth = false; if (isset($PHP_AUTH_USER) && isset($PHP_AUTH_PW)) { // Connect to MySQL mysql_connect( 'xxx', 'xxx', 'xxx' ) or die ( 'Unable to connect to server.' ); // Select database on MySQL server mysql_select_db( 'xxx' ) or die ( 'Unable to select database.' ); // Formulate the query $sql = "SELECT * FROM xxx WHERE user_id = '$PHP_AUTH_USER' AND password = PASSWORD('$PHP_AUTH_PW')"; // Execute the query and put results in $result $result = mysql_query( $sql ) or die ( 'Unable to execute query.' ); // Get number of rows in $result. $num = mysql_numrows( $result ); // A matching row was found - the user is authenticated. if ( $num != 0 ) { $auth = true; // End do the check } //STOP AUTHETICATION SCRIPT EXAMPLE __ //_ LOGOUT SCRIP EXAMPLE // the "logout" link would look like: //Logout if (isset($logout)) { header('status: 401 Unauthorized'); header('WWW-Authenticate: Basic realm="Private"'); header('HTTP/1.0 403 Forbidden'); echo ('You have successfully logged out.'); ?> http://personals.yahoo.ca -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] HTTP authentication
Hi, Thanks for the explaination. But that code does not pop up any login window. Do I need to do any settings for that?? --- Matt Schroebel <[EMAIL PROTECTED]> wrote: > > From: Varsha Agarwal > [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, July 10, 2002 4:30 PM > > >I thought it will ask some user name and > > password thing but it just displays me the string > > "text to send if user hits cancel". > > This is the code: > > > > > header("WWW-Authenticate: Basic realm=\"My > Realm\""); > > ^^ > Get rid of the above statement > > > > > if (!isset($_SERVER['PHP_AUTH_USER'])) { > > header("WWW-Authenticate: Basic realm=\"My > > Realm\""); > > header("HTTP/1.0 401 Unauthorized"); > > echo "Text to send if user hits Cancel > button\n"; > > exit; > > } else { > > echo "Hello > {$_SERVER['PHP_AUTH_USER']}."; > > echo "You entered {$_SERVER['PHP_AUTH_PW']} > as > > your password."; > > } > > ?> > > header("WWW-Authenticate: Basic realm=\"My > Realm\""); > header("HTTP/1.0 401 Unauthorized"); > ?> > > The above two statements will cause the browser to > pop up the login window and pass any input > (including none) back to the page. Any user input > will be in the two $_SERVER vars. Typically you'd > validate this with a db or something, and allow > access if the user id and password validate. HTTP > Auth in HTTP/1.0 isn't secure as the credentials are > sent clear text to the server on every GET request, > so on a page with images and such it's sent several > times. Also, there's no way to sign out other then > closing all of the browser windows. It's better to > design a session based solution, with a login page, > and set a session variable(s) indicating the > authorized so the user id/password are only sent > once, and you can control session timeout to require > re-logging in after some interval of inactivity. > You'd also have to consider session hijacking, which > is covered in the archives. > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > __ Do You Yahoo!? Sign up for SBC Yahoo! Dial - First Month Free http://sbc.yahoo.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] HTTP authentication
> From: Varsha Agarwal [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, July 10, 2002 4:30 PM >I thought it will ask some user name and > password thing but it just displays me the string > "text to send if user hits cancel". > This is the code: > > header("WWW-Authenticate: Basic realm=\"My Realm\""); ^^ Get rid of the above statement > > if (!isset($_SERVER['PHP_AUTH_USER'])) { > header("WWW-Authenticate: Basic realm=\"My > Realm\""); > header("HTTP/1.0 401 Unauthorized"); > echo "Text to send if user hits Cancel button\n"; > exit; > } else { > echo "Hello {$_SERVER['PHP_AUTH_USER']}."; > echo "You entered {$_SERVER['PHP_AUTH_PW']} as > your password."; > } > ?> The above two statements will cause the browser to pop up the login window and pass any input (including none) back to the page. Any user input will be in the two $_SERVER vars. Typically you'd validate this with a db or something, and allow access if the user id and password validate. HTTP Auth in HTTP/1.0 isn't secure as the credentials are sent clear text to the server on every GET request, so on a page with images and such it's sent several times. Also, there's no way to sign out other then closing all of the browser windows. It's better to design a session based solution, with a login page, and set a session variable(s) indicating the authorized so the user id/password are only sent once, and you can control session timeout to require re-logging in after some interval of inactivity. You'd also have to consider session hijacking, which is covered in the archives. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] HTTP authentication
Hi, I am reading HTTP authentication in php manual. It does not explain it from the basics of it. Can anyone tell me what exactly will the output of the following code? I thought it will ask some user name and password thing but it just displays me the string "text to send if user hits cancel". This is the code Hello {$_SERVER['PHP_AUTH_USER']}."; echo "You entered {$_SERVER['PHP_AUTH_PW']} as your password."; } ?> __ Do You Yahoo!? Sign up for SBC Yahoo! Dial - First Month Free http://sbc.yahoo.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] HTTP AUTHENTICATION Solution
Here is a solution I developed for the HTTP AUTHENTICATION on that buggy Internet Explorer. I want some feedbacks, improvements, Comments... Bharath (B. h. Loh.) bharath_b_lohray (at) yahoo.com Please correspond via email for my convinience and also on the News Group for the benifit of the Php Developers... === START OF SOURCE CODE [lohauthsol.php]=== $err$errCould not log you in. TRY AGAIN"; } //Procedure to ask username and password by //HTTP AUTHENTICATION function ask() { header("WWW-Authenticate: Basic realm=\"1024x1024.net Administration\""); header("HTTP/1.0 401"); er("Unauthorized"); exit; } //BEGIN MAIN PROGRAMME if ((!isset($PHP_AUTH_USER))||(!verify($PHP_AUTH_USER,$PHP_AUTH_PW))) { ask(); } else { echo "OK"; exit; } ?> === END OF SOURCE CODE === -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP Authentication problems
Hello, I'm working on a website for what will eventually be free PHP/MySQL/Apache/DNS/etc hosting (see: http://hosting.venura.net , no requests for accounts will be entertained right now), and am having problems trying to get HTTP Authentication working. I had it working a month or so ago, but then I put the project on hold for awhile and came back to a mess that wasn't -- don't know how unless I somehow broke it just before I quit working on it. Anyways, I'm running PHP 4.1.0 (had same problems with 4.0.6 earlier so I know it's not some weird bug with the new version), Apache 1.3.22+mod_ssl and Linux 2.4. I'm working (for now) with a small test script containing this (and running on SSL, which I had no problems with earlier.) --- http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en"> [secure]venura.net :: Unauthorized --- The idea being that I can see the username/password entered in the authentication box itself. Anyways, though the 401 part works and actually brings up the typical "Enter Username/Password" box, $PHP_AUTH_USER and $PHP_AUTH_PW are not being set. Neither is $REMOTE_USER. There are no .htaccess files in the directory (or any parent dirs for that matter), and no AuthType directives all in my httpd.conf file. I have been unsuccessful in determining what is wrong, and am flat out of ideas. My php.ini and httpd.conf files are available at http://hosting.venura.net/fixme/ Any ideas? -- Daniel Grace -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP Authentication
the HTTP authentication of using a form uses Sessions! Check out the following URL: http://www.devshed.com/Server_Side/PHP/Commerce2/ I followed the above URL to create a user authentication page using Sessions. Peter On Mon, 22 Oct 2001, [ISO-8859-1] Stig-Ørjan Smelror wrote: > Wilbert Enserink wrote: > > > Hi all, > > > > > > is it possible to do a HTTP Authentication with my own loginform instead of > > using the ugly pop up window? > > > > > > regards, > > > > Wilbert > > > > > With a lot of thought, yes. > You need to consider a few factors before you start. > > Security: Checking the IP address of the user. > Performance: to DB or not to DB, that is the question! > Security again: what kind of password algoritm are you going to use. > > And so on and so forth. > > I wish you the best of luck. I made such a script just a month ago :) > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP Authentication
Wilbert Enserink wrote: > Hi all, > > > is it possible to do a HTTP Authentication with my own loginform instead of > using the ugly pop up window? > > > regards, > > Wilbert > With a lot of thought, yes. You need to consider a few factors before you start. Security: Checking the IP address of the user. Performance: to DB or not to DB, that is the question! Security again: what kind of password algoritm are you going to use. And so on and so forth. I wish you the best of luck. I made such a script just a month ago :) -- Stig-Ørjan Smelror Systemutvikler Linux Communications AS Sandakerveien 48b Box 1801 - Vika N-0123 Oslo, Norway tel. +47 22 09 28 80 fax. +47 22 09 28 81 http://www.lincom.no/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP Authentication
Hi all, is it possible to do a HTTP Authentication with my own loginform instead of using the ugly pop up window? regards, Wilbert -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP Authentication / Logging Out
how secure is either method? the form method would be more secure if it was done over https correct? tonyz Martín marqués wrote: > > On Lun 01 Oct 2001 19:36, you wrote: > > I used a pretty basic system to check HTTP authentication values against > > database values, but I can't seem to find a way to allow the user to log > > out. I tried: > > > > unset($PHP_AUTH_USER) > > > > but Internet Explorer hangs on to that value until all browser windows are > > closed. Is there any way around that? > > I (as lot of GPL projects) have droped HTTP authentification, and use there > own authentification. > Put a form with login and password, and save whatever you like in a session, > and thats it. > > Saludos... ;-) > > P.D.: Netscape also hangs with the variable PHP_AUTH_USER. > > -- > Porqué usar una base de datos relacional cualquiera, > si podés usar PostgreSQL? > - > Martín Marqués |[EMAIL PROTECTED] > Programador, Administrador, DBA | Centro de Telematica >Universidad Nacional > del Litoral > - -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP Authentication / Logging Out
$PHP_AUTH_USER is filled in based on the value coming from the browser. unsetting it in PHP makes no sense as the browser is simply going to set it again on the next request. There is no way to clear this from the client-side short of changing the realm or denying the authentication with a 403. -Rasmus On Mon, 1 Oct 2001, Eric J Schwinder wrote: > I used a pretty basic system to check HTTP authentication values against > database values, but I can't seem to find a way to allow the user to log > out. I tried: > > unset($PHP_AUTH_USER) > > but Internet Explorer hangs on to that value until all browser windows are > closed. Is there any way around that? > > Thanks, > > Eric J Schwinder > eric.AT.bergencomputing.DOT.com > > > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP Authentication / Logging Out
I used a pretty basic system to check HTTP authentication values against database values, but I can't seem to find a way to allow the user to log out. I tried: unset($PHP_AUTH_USER) but Internet Explorer hangs on to that value until all browser windows are closed. Is there any way around that? Thanks, Eric J Schwinder eric.AT.bergencomputing.DOT.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] http authentication and php
On 23-Sep-2001 Jeff Bristow wrote: > I am trying to write a php script that will work around a http > authentication that I do have access to. I am trying to do this so that a > form process in my control panel can automatically have information sent to > it from a form that a user will fill out. However, my problem is in trying > to get PHP to automatically authenticate. > > > for example: I want to be able to call a url like this: > http://server.com/greendocks/locked/useradd.htm?user=blah&pass=blahbut > this url is behind a http authentication. Is it possible to have this url > called by a php script? > > And the second part of the question is can I do this process so it is > completely invisible to the user that this page has been called? Because of > course I don't want to allow users to have access to everything in my > control panel. > $host='server.com'; $url='/greendocks/locked/useradd.htm?user=blah&pass=blah'; $authuser='foo'; // blah ? $authpass='baz'; // blah ? $authenc=base64_encode("$authuser:$authpass"); $hdr =sprintf("GET %s HTTP/1.0\r\n", $url); $hdr .="Accept: text/html\r\nAccept: text/plain\r\n"; $hdr .="User-Agent: Mozilla/1.0 (PHP spoof)\r\n"; $hdr .="Authorization: Basic $authenc\r\n\r\n"; $fp = fsockopen($host , 80, &$errno, &$errstr, 30); if (!$fp) { die "$host open error: $errstr $errno .\n"; } fputs($fp,$hdr); while(!feof($fp)) { $buff=fgets($fp,1024); ... do yer thang } fclose($fp); Regards, -- Don Read [EMAIL PROTECTED] -- It's always darkest before the dawn. So if you are going to steal the neighbor's newspaper, that's the time to do it. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] http authentication and php
Well the actual problem is that this file is behind a http authenticated directory. I actually don't want the users to know the login and password for it since it is the login for my control panel for my website. However, I do want to be able to execute a url, this is to allow users to create their own email addresses with pop access without requesting them from me all the time. I am just not sure if I can push the login and password for the authentication window that would normally pop up, so the file is executed behind the scenes, and the user would merely see a output of their username and password and information on how to login to their account which would be output as long as the file was able to be executed. Any ideas? "Evan Nemerson" <[EMAIL PROTECTED]> wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > if you just want to output the file to the user, > readfile("http://server.com/greendocks/locked/useradd.htm?user=blah&pass=bla h"); > should work. If you want to play with the file first, file() will put it in > an array, fopen() will create a file pointer to it, you could create your > very own HTTP session (if you know the protocol) with fsockopen()... i'm sure > there are more, but that's all you need (probably). I would probably use this: > > $file=implode("\n",file("http://server.com/greendocks/locked/useradd.htm?use r=blah&pass=blah")); > > if i wanted to place the whole thing in one variable, not an array. > > > > On Saturday 22 September 2001 20:39, you wrote: > > I am trying to write a php script that will work around a http > > authentication that I do have access to. I am trying to do this so that a > > form process in my control panel can automatically have information sent to > > it from a form that a user will fill out. However, my problem is in trying > > to get PHP to automatically authenticate. > > > > > > for example: I want to be able to call a url like this: > > http://server.com/greendocks/locked/useradd.htm?user=blah&pass=blah but > > this url is behind a http authentication. Is it possible to have this url > > called by a php script? > > > > And the second part of the question is can I do this process so it is > > completely invisible to the user that this page has been called? Because of > > course I don't want to allow users to have access to everything in my > > control panel. > > > > Hopefully someone knows what I'm getting at. Thanks for any help you may be > > able to provide. > > > > Jeff -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] http authentication and php
if you just want to output the file to the user, readfile("http://server.com/greendocks/locked/useradd.htm?user=blah&pass=blah";); should work. If you want to play with the file first, file() will put it in an array, fopen() will create a file pointer to it, you could create your very own HTTP session (if you know the protocol) with fsockopen()... i'm sure there are more, but that's all you need (probably). I would probably use this: $file=implode("\n",file("http://server.com/greendocks/locked/useradd.htm?user=blah&pass=blah";)); if i wanted to place the whole thing in one variable, not an array. On Saturday 22 September 2001 20:39, you wrote: > I am trying to write a php script that will work around a http > authentication that I do have access to. I am trying to do this so that a > form process in my control panel can automatically have information sent to > it from a form that a user will fill out. However, my problem is in trying > to get PHP to automatically authenticate. > > > for example: I want to be able to call a url like this: > http://server.com/greendocks/locked/useradd.htm?user=blah&pass=blahbut > this url is behind a http authentication. Is it possible to have this url > called by a php script? > > And the second part of the question is can I do this process so it is > completely invisible to the user that this page has been called? Because of > course I don't want to allow users to have access to everything in my > control panel. > > Hopefully someone knows what I'm getting at. Thanks for any help you may be > able to provide. > > Jeff -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] http authentication and php
I am trying to write a php script that will work around a http authentication that I do have access to. I am trying to do this so that a form process in my control panel can automatically have information sent to it from a form that a user will fill out. However, my problem is in trying to get PHP to automatically authenticate. for example: I want to be able to call a url like this: http://server.com/greendocks/locked/useradd.htm?user=blah&pass=blahbut this url is behind a http authentication. Is it possible to have this url called by a php script? And the second part of the question is can I do this process so it is completely invisible to the user that this page has been called? Because of course I don't want to allow users to have access to everything in my control panel. Hopefully someone knows what I'm getting at. Thanks for any help you may be able to provide. Jeff
RE: [PHP] HTTP authentication
Won't sending a 401 header do the trick? Not sure, but worth a try. Cheers Jon -Original Message- From: Boris [mailto:[EMAIL PROTECTED]] Sent: 31 August 2001 13:08 To: [EMAIL PROTECTED] Subject: [PHP] HTTP authentication Is there a way to force re-authentication without closing and re-opening the browser. Thanks Boris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] ** 'The information included in this Email is of a confidential nature and is intended only for the addressee. If you are not the intended addressee, any disclosure, copying or distribution by you is prohibited and may be unlawful. Disclosure to any party other than the addressee, whether inadvertent or otherwise is not intended to waive privilege or confidentiality' ** -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP authentication
Is there a way to force re-authentication without closing and re-opening the browser. Thanks Boris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP Authentication
Hi, I am using PHP to send a header to the browser requestiing authentication. On a successful login i am tracking inactivity by the client and want to expire the login once a timeout period is reached. Problem is if the session expires and the user just refreshes then the orignal login details are passed to the script. How do I get the client to forget the previous login details? Regards Jon -- Jon Farmer Systems Programmer, Entanet www.enta.net Tel 01952 428969 Mob 07968 524175 PGP Key available, send blank email to [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP Authentication and PHP
Hi all, I've been playing around with PHP authentication via HTTP. I'm using apache, and when i use the header('WWW_Auth...) headers i get a username/password dialog pop up (as i wanted). How do i get those values unset in the browser, so that i can get a user to re authenticate ? I need to get a user to re-auth part way through the use of the app i'm writing becasue they are deleting files from a file system. Also how would i allow them to logout and let someone else log in. The docs seemed to imply that the headers command should have repopped the auth box. Jason -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP-Authentication
Hei! I have a script, where people can log-in to administrate a site, but once they are logged in, what do i have to do to log them out again? I thought to write a logout-script which deletes the $HTTP_AUTH_USER variable, but it doesn't work. It seems that the user-data remains in memory until the browser is restarted. Please Help! Peter -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP authentication logout
I am using HTTP authentication to restrict access to certain pages and I want to add a logout option so that users must reauthenticate before being able to veiw the pages again. Here is the code I'm using to authenticate: This page requires a user name and password to view."); endPage(); } ?> For the logout option I tried just setting $PHP_AUTH_USER="" and $PHP_AUTH_PW="" but that didn't work. Any ideas on how I can do this? --- : David A. Dickson : [EMAIL PROTECTED] Get 250 color business cards for FREE! http://businesscards.lycos.com/vp/fastpath/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP Authentication with PHP
this seems to make my browsers not cache. header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); header("Cache-Control: no-cache, must-revalidate"); header("Pragma: no-cache"); then add header("WWW-Authenticate: Basic realm='$SERVER_NAME' "); header("HTTP/1.0 401 Unauthorized"); to pop up a login box. -- Chris Lee [EMAIL PROTECTED] ""Chris"" <[EMAIL PROTECTED]> wrote in message 9e06jc$jel$[EMAIL PROTECTED]">news:9e06jc$jel$[EMAIL PROTECTED]... I have configured mod_auth_pam for Apache and secured a directory with an .htaccess file: AuthType Basic AuthName "Secure Area" require group staff require user chris Now, I would like to control the local browser window's authentication cache via PHP. For example, how do I clear the cache of a browser window thereby forcing the user to log back in? I have tried: Header( "WWW-authenticate: basic realm="Secure Area"); Header( "HTTP/1.0 401 Unauthorized"); but this isn't clearing the cache. Regards, Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP Authentication with PHP
I have configured mod_auth_pam for Apache and secured a directory with an .htaccess file: AuthType Basic AuthName "Secure Area" require group staff require user chris Now, I would like to control the local browser window's authentication cache via PHP. For example, how do I clear the cache of a browser window thereby forcing the user to log back in? I have tried: Header( "WWW-authenticate: basic realm="Secure Area"); Header( "HTTP/1.0 401 Unauthorized"); but this isn't clearing the cache. Regards, Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP authentication : logout!!!
On 08-May-01 Mauricio Souza Lima wrote: > > Cool, you have found another way! > So the realm make diference? A user loged in a realm isn't the same in > other realm? Very cool... Not quite, the realm is a string to present to the login dialog box it has no effect on the credentials in this example. But you could code such a thing. > Explain better your solution to us. > 'Kay > >> >> logoff.php3: >> >> $fname="tmp/$PHP_AUTH_USER"; >> touch($fname); create a lockfile tmp/loginname >> Header("Location: http://www.mydomain.com/index.html";); & send them to a non-protected page. >> >> secure.php3: >> >> function checklogin($user,$pass='',$realm='') { >> here $realm is some unused glue for orthagonal function() calls >> $fname="tmp/$user"; >> if (file_exists($fname)) { check if tmp/loginname exists >> unlink($fname); // delete it >> return(false); >> } if we got this far, they either 1. didn't hit logoff 2. they did and already got the 401-(Re)Authenticate >> $query="select login from users >> where login='$user' and password=PASSWORD('$pass')"; >> // echo $query .''; >> $result = mysql_query( $query); >> $row = mysql_fetch_object($result); >> if ($row) { >> return(true); >> } >> return(false); >> } >> Basically it's a spin-lock file that is checked on login ... could just as easily be done as a shared semaphore, DB entry, whatever. Regards, -- Don Read [EMAIL PROTECTED] -- It's always darkest before the dawn. So if you are going to steal the neighbor's newspaper, that's the time to do it. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP authentication : logout!!!
Cool, you have found another way! So the realm make diference? A user loged in a realm isn't the same in other realm? Very cool... Explain better your solution to us. Regards, Don Read wrote: > > On 07-May-01 Mauricio Souza Lima wrote: > > > And you have to inform the user to clean the password field, click ok, > > then the pop-up will open again, then user click in cancel. > > > > I just know that way to do. If anyone know another way, Postit! > > > > create a tmp directory > > > logoff.php3: > > require('secure.php3'); > authuser("Logoff"); // validate user (possible Dos attack here) > > $fname="tmp/$PHP_AUTH_USER"; > touch($fname); > Header("Location: http://www.mydomain.com/index.html";); > > - > > secure.php3: > > function checklogin($user,$pass='',$realm='') { > if (! dbInit()) { > echo "\n\n"; > die("Unable to contact database server"); > } > > $fname="tmp/$user"; > if (file_exists($fname)) { > unlink($fname); > return(false); > } > $query="select login from users > where login='$user' and password=PASSWORD('$pass')"; > // echo $query .''; > $result = mysql_query( $query); > $row = mysql_fetch_object($result); > if ($row) { > return(true); > } > return(false); > } > > function authheader($realm) { > Header('WWW-authenticate: basic realm="'.$realm .'"'); > Header('HTTP/1.0 401 Unauthorized'); > echo "\n\n"; > } > > function authuser($realm='Access') { > global $PHP_AUTH_USER, $PHP_AUTH_PW; > > if (! (isset($PHP_AUTH_USER)) ) { > authheader($realm); > exit; > } > if (! (checklogin($PHP_AUTH_USER, $PHP_AUTH_PW, $realm)) ) { > authheader($realm); > echo 'Failed Login'; > exit; > } > } > > Regards, > -- > Don Read [EMAIL PROTECTED] > -- It's always darkest before the dawn. So if you are going to >steal the neighbor's newspaper, that's the time to do it. -- Mauricio Souza Lima Programador - Catho ONLINE [EMAIL PROTECTED] www.catho.com.br [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP authentication : logout!!!
On 07-May-01 Mauricio Souza Lima wrote: > And you have to inform the user to clean the password field, click ok, > then the pop-up will open again, then user click in cancel. > > I just know that way to do. If anyone know another way, Postit! > create a tmp directory logoff.php3: require('secure.php3'); authuser("Logoff"); // validate user (possible Dos attack here) $fname="tmp/$PHP_AUTH_USER"; touch($fname); Header("Location: http://www.mydomain.com/index.html";); - secure.php3: function checklogin($user,$pass='',$realm='') { if (! dbInit()) { echo "\n\n"; die("Unable to contact database server"); } $fname="tmp/$user"; if (file_exists($fname)) { unlink($fname); return(false); } $query="select login from users where login='$user' and password=PASSWORD('$pass')"; // echo $query .''; $result = mysql_query( $query); $row = mysql_fetch_object($result); if ($row) { return(true); } return(false); } function authheader($realm) { Header('WWW-authenticate: basic realm="'.$realm .'"'); Header('HTTP/1.0 401 Unauthorized'); echo "\n\n"; } function authuser($realm='Access') { global $PHP_AUTH_USER, $PHP_AUTH_PW; if (! (isset($PHP_AUTH_USER)) ) { authheader($realm); exit; } if (! (checklogin($PHP_AUTH_USER, $PHP_AUTH_PW, $realm)) ) { authheader($realm); echo 'Failed Login'; exit; } } Regards, -- Don Read [EMAIL PROTECTED] -- It's always darkest before the dawn. So if you are going to steal the neighbor's newspaper, that's the time to do it. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] HTTP authentication : logout!!!
I to have never been happy with the way PHP handles actual secure sessions. GameDesign was written to entirely use session based access. Both the main user site, and the admin backend use it, and it works quite well. - John Vanderbeck - Admin, GameDesign (http://gamedesign.incagold.com/) - GameDesign, the industry source for game design and development issues > -Original Message- > From: Robert Covell [mailto:[EMAIL PROTECTED]] > Sent: Monday, May 07, 2001 9:14 AM > To: Martín Marqués; elias > Cc: [EMAIL PROTECTED] > Subject: RE: [PHP] HTTP authentication : logout!!! > > > I must support this fashion of "login" and "logout". I have > never been able > to find a way to clear the browser of the username and password. Once I > combined sessions with a date and timestamp in the realm, it worked like a > charm. > > Sincerely, > > Robert T. Covell > President / Owner > Rolet Internet Services, LLC > Web: www.rolet.com > Email: [EMAIL PROTECTED] > Phone: 816.210.7145 > Fax: 816.753.1952 > > -Original Message- > From: Martín Marqués [mailto:[EMAIL PROTECTED]] > Sent: Monday, May 07, 2001 2:13 AM > To: elias > Cc: [EMAIL PROTECTED] > Subject: Re: [PHP] HTTP authentication : logout!!! > > > On Mar 08 May 2001 02:07, you wrote: > > Never tried it though...but can you try to empty or unset the > > $PHP_AUTH_USER/PWD ? > > This doesn't work, thats why I use a login html page and sessions. :-) > > Saludos... :-) > > -- > El mejor sistema operativo es aquel que te da de comer. > Cuida tu dieta. > - > Martin Marques |[EMAIL PROTECTED] > Programador, Administrador | Centro de Telematica >Universidad Nacional > del Litoral > - > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > To contact the list administrators, e-mail: [EMAIL PROTECTED] > > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > To contact the list administrators, e-mail: [EMAIL PROTECTED] > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] HTTP authentication : logout!!!
I must support this fashion of "login" and "logout". I have never been able to find a way to clear the browser of the username and password. Once I combined sessions with a date and timestamp in the realm, it worked like a charm. Sincerely, Robert T. Covell President / Owner Rolet Internet Services, LLC Web: www.rolet.com Email: [EMAIL PROTECTED] Phone: 816.210.7145 Fax: 816.753.1952 -Original Message- From: Martín Marqués [mailto:[EMAIL PROTECTED]] Sent: Monday, May 07, 2001 2:13 AM To: elias Cc: [EMAIL PROTECTED] Subject: Re: [PHP] HTTP authentication : logout!!! On Mar 08 May 2001 02:07, you wrote: > Never tried it though...but can you try to empty or unset the > $PHP_AUTH_USER/PWD ? This doesn't work, thats why I use a login html page and sessions. :-) Saludos... :-) -- El mejor sistema operativo es aquel que te da de comer. Cuida tu dieta. - Martin Marques |[EMAIL PROTECTED] Programador, Administrador | Centro de Telematica Universidad Nacional del Litoral - -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP authentication : logout!!!
On Mar 08 May 2001 02:07, you wrote: > Never tried it though...but can you try to empty or unset the > $PHP_AUTH_USER/PWD ? This doesn't work, thats why I use a login html page and sessions. :-) Saludos... :-) -- El mejor sistema operativo es aquel que te da de comer. Cuida tu dieta. - Martin Marques |[EMAIL PROTECTED] Programador, Administrador | Centro de Telematica Universidad Nacional del Litoral - -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] HTTP authentication : logout!!!
$PHP_AUTH_USER = ""; $PHP_AUTH_PW = ""; Ought to do it. > From: Thomas Edison Jr. [mailto:[EMAIL PROTECTED]] > Sent: Monday, May 07, 2001 8:39 AM > To: [EMAIL PROTECTED] > Subject: [PHP] HTTP authentication : logout!!! > Now i woul like to create a logout link after clicking > on which, whenever you click on a page using auth, the > auth box should pop-up again and you must feed in your > user/pass. What should this logout page contain? what > coding do i have to do?> -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP authentication : logout!!!
It dont work, what you have to do is that: In the logout.php: -- Logout Sucessful -- And you have to inform the user to clean the password field, click ok, then the pop-up will open again, then user click in cancel. I just know that way to do. If anyone know another way, Postit! elias wrote: > > Never tried it though...but can you try to empty or unset the > $PHP_AUTH_USER/PWD ? > > -elias > http://www.eassoft.cjb.net > > ""Thomas Edison Jr."" <[EMAIL PROTECTED]> wrote in message > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > i'm using http authentication for my php pages > > (members area). Once you login correctly, than you can > > access anypage as the authentication box doesn't > > pop-up. > > > > Now i woul like to create a logout link after clicking > > on which, whenever you click on a page using auth, the > > auth box should pop-up again and you must feed in your > > user/pass. What should this logout page contain? what > > coding do i have to do? > > From what i understand, there is a $auth which is > > "False" by default. When auth is succesfull, it > > contains "True". And once it's true, the auth box > > doesn't pop-up. I understand that probably clicking on > > this "logout" link should again make $auth false. But > > then $auth is on a lot of pages, how does this $auth > > on logout.php3 make all the other $auth's false? > > > > or is there some other way? > > > > the code i'm using for auth is : > > > > *** > > > $auth = false; // Assume user is not authenticated > > if (isset( $PHP_AUTH_USER ) && isset($PHP_AUTH_PW)) { > > > > mysql_connect('localhost','root') or die ( > > 'Unable to connect to server.' ); > > mysql_select_db( 'skynet' ) or die ( 'Unable > > to select database.' ); > > > > // Formulate the query > > > > $sql = "SELECT * FROM register WHERE > > username = '$PHP_AUTH_USER' AND > > password = '$PHP_AUTH_PW'"; > > > > // Execute the query and put results in $result > > > > $result = mysql_query( $sql ) or die ( 'Unable to > > execute query.' ); > > > > // Get number of rows in $result. > > $num = mysql_numrows( $result ); > > if ( $num != 0 ) { > > > > // A matching row was found - the user is > > authenticated. > > > > $auth = true; > > } > > } > > > > if ( ! $auth ) { > > > > header( 'WWW-Authenticate: Basic realm="Private"' > > ); > > header( 'HTTP/1.0 401 Unauthorized' ); > > echo 'Authorization Required.'; > > exit; > > > > } else { > > > > %%stuff 2 do%% > > > > } > > ?> > > *** > > > > Regards, > > T. Edison jr. > > > > > > > > = > > Rahul S. Johari (Director) > > ** > > Abraxas Technologies Inc. > > Homepage : http://www.abraxastech.com > > Email : [EMAIL PROTECTED] > > Tel : 91-4546512/4522124 > > *** > > > > __ > > Do You Yahoo!? > > Yahoo! Auctions - buy the things you want at great prices > > http://auctions.yahoo.com/ > > -- Mauricio Souza Lima Programador - Catho ONLINE [EMAIL PROTECTED] www.catho.com.br [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP authentication : logout!!!
Never tried it though...but can you try to empty or unset the $PHP_AUTH_USER/PWD ? -elias http://www.eassoft.cjb.net ""Thomas Edison Jr."" <[EMAIL PROTECTED]> wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > i'm using http authentication for my php pages > (members area). Once you login correctly, than you can > access anypage as the authentication box doesn't > pop-up. > > Now i woul like to create a logout link after clicking > on which, whenever you click on a page using auth, the > auth box should pop-up again and you must feed in your > user/pass. What should this logout page contain? what > coding do i have to do? > From what i understand, there is a $auth which is > "False" by default. When auth is succesfull, it > contains "True". And once it's true, the auth box > doesn't pop-up. I understand that probably clicking on > this "logout" link should again make $auth false. But > then $auth is on a lot of pages, how does this $auth > on logout.php3 make all the other $auth's false? > > or is there some other way? > > the code i'm using for auth is : > > *** > $auth = false; // Assume user is not authenticated > if (isset( $PHP_AUTH_USER ) && isset($PHP_AUTH_PW)) { > > mysql_connect('localhost','root') or die ( > 'Unable to connect to server.' ); > mysql_select_db( 'skynet' ) or die ( 'Unable > to select database.' ); > > // Formulate the query > > $sql = "SELECT * FROM register WHERE > username = '$PHP_AUTH_USER' AND > password = '$PHP_AUTH_PW'"; > > // Execute the query and put results in $result > > $result = mysql_query( $sql ) or die ( 'Unable to > execute query.' ); > > // Get number of rows in $result. > $num = mysql_numrows( $result ); > if ( $num != 0 ) { > > // A matching row was found - the user is > authenticated. > > $auth = true; > } > } > > if ( ! $auth ) { > > header( 'WWW-Authenticate: Basic realm="Private"' > ); > header( 'HTTP/1.0 401 Unauthorized' ); > echo 'Authorization Required.'; > exit; > > } else { > > %%stuff 2 do%% > > } > ?> > *** > > Regards, > T. Edison jr. > > > > = > Rahul S. Johari (Director) > ** > Abraxas Technologies Inc. > Homepage : http://www.abraxastech.com > Email : [EMAIL PROTECTED] > Tel : 91-4546512/4522124 > *** > > __ > Do You Yahoo!? > Yahoo! Auctions - buy the things you want at great prices > http://auctions.yahoo.com/ > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > To contact the list administrators, e-mail: [EMAIL PROTECTED] > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP authentication : logout!!!
i'm using http authentication for my php pages (members area). Once you login correctly, than you can access anypage as the authentication box doesn't pop-up. Now i woul like to create a logout link after clicking on which, whenever you click on a page using auth, the auth box should pop-up again and you must feed in your user/pass. What should this logout page contain? what coding do i have to do? >From what i understand, there is a $auth which is "False" by default. When auth is succesfull, it contains "True". And once it's true, the auth box doesn't pop-up. I understand that probably clicking on this "logout" link should again make $auth false. But then $auth is on a lot of pages, how does this $auth on logout.php3 make all the other $auth's false? or is there some other way? the code i'm using for auth is : *** *** Regards, T. Edison jr. = Rahul S. Johari (Director) ** Abraxas Technologies Inc. Homepage : http://www.abraxastech.com Email : [EMAIL PROTECTED] Tel : 91-4546512/4522124 *** __ Do You Yahoo!? Yahoo! Auctions - buy the things you want at great prices http://auctions.yahoo.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] HTTP authentication for username & password
Superb tutorial on Zend: http://www.zend.com/zend/tut/authentication.php HTH Jon -Original Message- From: Thomas Edison Jr. [mailto:[EMAIL PROTECTED]] Sent: 26 April 2001 13:03 To: [EMAIL PROTECTED] Subject: [PHP] HTTP authentication for username & password How can I use the HTTP authentication which pops up that little box in the screen asking for username & password for giving access to a page in PHP? ** 'The information included in this Email is of a confidential nature and is intended only for the addressee. If you are not the intended addressee, any disclosure, copying or distribution by you is prohibited and may be unlawful. Disclosure to any party other than the addressee, whether inadvertent or otherwise is not intended to waive privilege or confidentiality' ** -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP authentication for username & password
How can I use the HTTP authentication which pops up that little box in the screen asking for username & password for giving access to a page in PHP? regards, T.Edison jr. = Rahul S. Johari (Director) ** Abraxas Technologies Inc. Homepage : http://www.abraxastech.com Email : [EMAIL PROTECTED] Tel : 91-4546512/4522124 *** __ Do You Yahoo!? Yahoo! Auctions - buy the things you want at great prices http://auctions.yahoo.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP authentication
I'm sure this wont' help, but just in case you may have missed the obvious (it happens sometimes)..Make sure you PHP script has the extension .PHP .. The server won't recognize it as a PHP file otherwise, and it won't know what to do with it. Also this extension has to be registred properly on the server, but that is beyond me. - John Vanderbeck - Admin, GameDesign - Original Message - From: "Thomas Edison Jr." <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, February 15, 2001 2:07 AM Subject: [PHP] HTTP authentication > I was browsing thru the http authentication method > given thru the header() function in the manual. I > tried it out but it's not giving me the pop-up window > asking me the username and password and is only > writing the text given in the code on the page. > I'm using win98 and otherwise use sun solaris. Does > this function work on these two OS? > I have to write a code that checks each time a user > enters a page, his previously entered user/pwd so as > to prevent anyone from entering the page if he knows > and writes the page's URL in the address bar. I've > used the same authentication method in ASP before for > the same. Can I use it in my OS using PHP? > The code I'm entering is: > > if(!isset($PHP_AUTH_USER)) { > Header("WWW-Authenticate: Basic realm=\"My Realm\""); > Header("HTTP/1.0 401 Unauthorized"); > echo "Text to send if user hits Cancel button\n"; > exit; > } else { > echo "Hello $PHP_AUTH_USER."; > echo "You entered $PHP_AUTH_PW as your password."; > } > ?> > > Regards, > T.Edison jr. > > = > Rahul S. Johari (Director) > ** > Abraxas Technologies Inc. > Homepage : http://www.abraxastech.com > Email : [EMAIL PROTECTED] > Tel : 91-4546512/4522124 > *** > > __ > Do You Yahoo!? > Get personalized email addresses from Yahoo! Mail - only $35 > a year! http://personal.mail.yahoo.com/ > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > To contact the list administrators, e-mail: [EMAIL PROTECTED] > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP authentication
On Wed, Feb 14, 2001 at 11:07:46PM -0800, Thomas Edison Jr. wrote: > The code I'm entering is: > > if(!isset($PHP_AUTH_USER)) { > Header("WWW-Authenticate: Basic realm=\"My Realm\""); > Header("HTTP/1.0 401 Unauthorized"); > echo "Text to send if user hits Cancel button\n"; > exit; > } else { > echo "Hello $PHP_AUTH_USER."; > echo "You entered $PHP_AUTH_PW as your password."; > } > ?> I'm not sure what is wrong. I copied and pasted this onto my system and it works just fine. -- Jason Stechschulte [EMAIL PROTECTED] -- Soitainly. I was assuming that came with the OO-ness of it. -- Larry Wall in <[EMAIL PROTECTED]> -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP authentication
I was browsing thru the http authentication method given thru the header() function in the manual. I tried it out but it's not giving me the pop-up window asking me the username and password and is only writing the text given in the code on the page. I'm using win98 and otherwise use sun solaris. Does this function work on these two OS? I have to write a code that checks each time a user enters a page, his previously entered user/pwd so as to prevent anyone from entering the page if he knows and writes the page's URL in the address bar. I've used the same authentication method in ASP before for the same. Can I use it in my OS using PHP? The code I'm entering is: "; echo "You entered $PHP_AUTH_PW as your password."; } ?> Regards, T.Edison jr. = Rahul S. Johari (Director) ** Abraxas Technologies Inc. Homepage : http://www.abraxastech.com Email : [EMAIL PROTECTED] Tel : 91-4546512/4522124 *** __ Do You Yahoo!? Get personalized email addresses from Yahoo! Mail - only $35 a year! http://personal.mail.yahoo.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP Authentication not getting unset
El Mié 14 Feb 2001 13:44, Chris Lee escribió: > Ive found the same thing and currently do not have a workaround, it seems > that browsers cache this. one method Ive thought of and never tested is to > set a session variable, cross reference that SessionID, PHP_AUTH_PW, > PHP_AUTH_USER are all valid, if not then your not loged in correctly. to > log out just unset SessionID. any future pages will not load. even if the > PW/USER are valid the Session wouldnt. Don't unset the session ID, just destroy the session with session_destroy(). > If the browser has cookies disabled, you have compiled php with > --trans-sid, and the user uses the back button the user would still be able > to view cached pages. you might want to put some fancy no-cache headers in > there somewhere and hope the browser supports them. This feature is pretty cool. If it can't but a cookie in the browser, it expands the URL with the SID, which is all you need, because the variables you register are on the server side (file, database). Saludos... :-) -- System Administration: It's a dirty job, but someone told I had to do it. - Martín Marqués email: [EMAIL PROTECTED] Santa Fe - Argentinahttp://math.unl.edu.ar/~martin/ Administrador de sistemas en math.unl.edu.ar - -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP Authentication not getting unset
El Mié 14 Feb 2001 13:04, Toby Miller escribió: > Sorry, I meant common header, not footer. > > Inside my common "header" on my site .. > (which also includes the same "header") ... Don't worry, I understood it. ;-) -- System Administration: It's a dirty job, but someone told I had to do it. - Martín Marqués email: [EMAIL PROTECTED] Santa Fe - Argentinahttp://math.unl.edu.ar/~martin/ Administrador de sistemas en math.unl.edu.ar - -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP Authentication not getting unset
El Mié 14 Feb 2001 12:37, Toby Miller escribió: > Hey all, Hi, This is far to long, so I'll strip a part of it. > Now if I try to read the $PHP_AUTH_USER or $PHP_AUTH_PW variables anyplace > on the site they don't exist, until I go back to one of the protected > pages. Then they miraculously re-appear and are readily available once > again without requiring the user to log back in. Yes, thats because the browser saves those variables (very bad idea, but what can I say... I didn't write the code of netscape or IE). At this moment I just finished coding a session login, logout hack. So I will suggest you to read about sessions, read some articles in phpbuilder, phpwizard and the documentation. Saludos... :-) -- System Administration: It's a dirty job, but someone told I had to do it. - Martín Marqués email: [EMAIL PROTECTED] Santa Fe - Argentinahttp://math.unl.edu.ar/~martin/ Administrador de sistemas en math.unl.edu.ar - -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP Authentication not getting unset
Chris, I was afraid of that. I do have a contingency plan that is very similar to what you suggested. Since this is all already interacting with the database I'm just going to set a timestamp in the database in that users record and use that to determine if someone is logged in or not. This would also give me the added benefit of expiring sessions after a set period of inactivity. Then the login will require that PHP_AUTH_USER, PHP_AUTH_PW, and the session timestamp are all valid. This should take care of the problem. Unfortunately, the back button will still allow users to see cached pages from logged in sessions, but I guess you can't have everything. :-) Thanks, Toby - Original Message - From: "Chris Lee" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, February 14, 2001 11:44 AM Subject: Re: [PHP] HTTP Authentication not getting unset > Ive found the same thing and currently do not have a workaround, it seems > that browsers cache this. one method Ive thought of and never tested is to > set a session variable, cross reference that SessionID, PHP_AUTH_PW, > PHP_AUTH_USER are all valid, if not then your not loged in correctly. to log > out just unset SessionID. any future pages will not load. even if the > PW/USER are valid the Session wouldnt. > > If the browser has cookies disabled, you have compiled php with --trans-sid, > and the user uses the back button the user would still be able to view > cached pages. you might want to put some fancy no-cache headers in there > somewhere and hope the browser supports them. > > you might even want to impliment a time based system, set the SessionID = > time() on every header; but first check if the current SessionID < 30min old > then invalid login vs updateing SessionID to equal current time() > > This would prevent anyone from viewing cached pages more then 30min old and > force them to re-login > > -- > > > Chris Lee > Mediawaveonline.com > > em. [EMAIL PROTECTED] > > ph. 250.377.1095 > ph. 250.376.2690 > fx. 250.554.1120 > > > > > > ""Toby Miller"" <[EMAIL PROTECTED]> wrote in message > 006901c0969f$cfcf2700$[EMAIL PROTECTED]">news:006901c0969f$cfcf2700$[EMAIL PROTECTED]... > > Sorry, I meant common header, not footer. > > > > Inside my common "header" on my site .. > > (which also includes the same "header") ... > > > > - Original Message - > > From: "Toby Miller" <[EMAIL PROTECTED]> > > To: <[EMAIL PROTECTED]> > > Sent: Wednesday, February 14, 2001 10:37 AM > > Subject: [PHP] HTTP Authentication not getting unset > > > > > > Hey all, > > > > New problem. I really hope there's something simple to do to fix it. Check > > out this scenario and tell me if there's a step that I'm missing. > > > > Inside my common footer on my site the very first call is to an include > > called UserAuth.inc.php. > > > > UserAuth.inc.php checks $REQUEST_URI to see if the present directory or > URL > > is protected or not. > > > > If it is protected then it checks to see if $PHP_AUTH_USER is set. If it > is > > then it runs through the usual HTTP Authentication. If it fails it goes to > a > > failure page, if it succeeds then it logs the user in. > > > > Now I can surf around on the site and that same authentication will > continue > > to be used for the rest of the site where ever another protected directory > > or file is found (as to be expected). > > > > Now to logout I have a page called logout.php. If you go to this page > (which > > also includes the same footer) there is another action that takes place. > > > > If the $REQUEST_URI contains logout.php then I print the same "401" header > > that I print for authentication and unset $PHP_AUTH_USER, $PHP_AUTH_PW and > > $AUTH_USER. $AUTH_USER is the user authentication object in my class file > > UserAuth.class.php. I'm just unsetting this so that no code will still > have > > record of the old authentication object to do anything with. > > > > Now if I try to read the $PHP_AUTH_USER or $PHP_AUTH_PW variables anyplace > > on the site they don't exist, until I go back to one of the protected > pages. > > Then they miraculously re-appear and are readily available once again > > without requiring the user to log back in. > > > > If you've got any ideas, suggestions, guesses or references, please reply. > > I've run out of ideas. I can also provide the code that I'm using if you > > thin
Re: [PHP] HTTP Authentication not getting unset
Ive found the same thing and currently do not have a workaround, it seems that browsers cache this. one method Ive thought of and never tested is to set a session variable, cross reference that SessionID, PHP_AUTH_PW, PHP_AUTH_USER are all valid, if not then your not loged in correctly. to log out just unset SessionID. any future pages will not load. even if the PW/USER are valid the Session wouldnt. If the browser has cookies disabled, you have compiled php with --trans-sid, and the user uses the back button the user would still be able to view cached pages. you might want to put some fancy no-cache headers in there somewhere and hope the browser supports them. you might even want to impliment a time based system, set the SessionID = time() on every header; but first check if the current SessionID < 30min old then invalid login vs updateing SessionID to equal current time() This would prevent anyone from viewing cached pages more then 30min old and force them to re-login -- Chris Lee Mediawaveonline.com em. [EMAIL PROTECTED] ph. 250.377.1095 ph. 250.376.2690 fx. 250.554.1120 ""Toby Miller"" <[EMAIL PROTECTED]> wrote in message 006901c0969f$cfcf2700$[EMAIL PROTECTED]">news:006901c0969f$cfcf2700$[EMAIL PROTECTED]... > Sorry, I meant common header, not footer. > > Inside my common "header" on my site .. > (which also includes the same "header") ... > > - Original Message - > From: "Toby Miller" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Wednesday, February 14, 2001 10:37 AM > Subject: [PHP] HTTP Authentication not getting unset > > > Hey all, > > New problem. I really hope there's something simple to do to fix it. Check > out this scenario and tell me if there's a step that I'm missing. > > Inside my common footer on my site the very first call is to an include > called UserAuth.inc.php. > > UserAuth.inc.php checks $REQUEST_URI to see if the present directory or URL > is protected or not. > > If it is protected then it checks to see if $PHP_AUTH_USER is set. If it is > then it runs through the usual HTTP Authentication. If it fails it goes to a > failure page, if it succeeds then it logs the user in. > > Now I can surf around on the site and that same authentication will continue > to be used for the rest of the site where ever another protected directory > or file is found (as to be expected). > > Now to logout I have a page called logout.php. If you go to this page (which > also includes the same footer) there is another action that takes place. > > If the $REQUEST_URI contains logout.php then I print the same "401" header > that I print for authentication and unset $PHP_AUTH_USER, $PHP_AUTH_PW and > $AUTH_USER. $AUTH_USER is the user authentication object in my class file > UserAuth.class.php. I'm just unsetting this so that no code will still have > record of the old authentication object to do anything with. > > Now if I try to read the $PHP_AUTH_USER or $PHP_AUTH_PW variables anyplace > on the site they don't exist, until I go back to one of the protected pages. > Then they miraculously re-appear and are readily available once again > without requiring the user to log back in. > > If you've got any ideas, suggestions, guesses or references, please reply. > I've run out of ideas. I can also provide the code that I'm using if you > think it might just be a problem with my logic. I don't think this is the > case as I shouldn't be able to read any variable that has been unset, but > like I said, I'm running out of ideas. > > System: RedHat 6.1-6 i686 Kernel 2.2.13 > Server: Apache 1.3.12 > PHP: 4.0.3pl1 > > Thanks, > Toby > > > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > To contact the list administrators, e-mail: [EMAIL PROTECTED] > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP Authentication not getting unset
Sorry, I meant common header, not footer. Inside my common "header" on my site .. (which also includes the same "header") ... - Original Message - From: "Toby Miller" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, February 14, 2001 10:37 AM Subject: [PHP] HTTP Authentication not getting unset Hey all, New problem. I really hope there's something simple to do to fix it. Check out this scenario and tell me if there's a step that I'm missing. Inside my common footer on my site the very first call is to an include called UserAuth.inc.php. UserAuth.inc.php checks $REQUEST_URI to see if the present directory or URL is protected or not. If it is protected then it checks to see if $PHP_AUTH_USER is set. If it is then it runs through the usual HTTP Authentication. If it fails it goes to a failure page, if it succeeds then it logs the user in. Now I can surf around on the site and that same authentication will continue to be used for the rest of the site where ever another protected directory or file is found (as to be expected). Now to logout I have a page called logout.php. If you go to this page (which also includes the same footer) there is another action that takes place. If the $REQUEST_URI contains logout.php then I print the same "401" header that I print for authentication and unset $PHP_AUTH_USER, $PHP_AUTH_PW and $AUTH_USER. $AUTH_USER is the user authentication object in my class file UserAuth.class.php. I'm just unsetting this so that no code will still have record of the old authentication object to do anything with. Now if I try to read the $PHP_AUTH_USER or $PHP_AUTH_PW variables anyplace on the site they don't exist, until I go back to one of the protected pages. Then they miraculously re-appear and are readily available once again without requiring the user to log back in. If you've got any ideas, suggestions, guesses or references, please reply. I've run out of ideas. I can also provide the code that I'm using if you think it might just be a problem with my logic. I don't think this is the case as I shouldn't be able to read any variable that has been unset, but like I said, I'm running out of ideas. System: RedHat 6.1-6 i686 Kernel 2.2.13 Server: Apache 1.3.12 PHP: 4.0.3pl1 Thanks, Toby -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP Authentication not getting unset
Hey all, New problem. I really hope there's something simple to do to fix it. Check out this scenario and tell me if there's a step that I'm missing. Inside my common footer on my site the very first call is to an include called UserAuth.inc.php. UserAuth.inc.php checks $REQUEST_URI to see if the present directory or URL is protected or not. If it is protected then it checks to see if $PHP_AUTH_USER is set. If it is then it runs through the usual HTTP Authentication. If it fails it goes to a failure page, if it succeeds then it logs the user in. Now I can surf around on the site and that same authentication will continue to be used for the rest of the site where ever another protected directory or file is found (as to be expected). Now to logout I have a page called logout.php. If you go to this page (which also includes the same footer) there is another action that takes place. If the $REQUEST_URI contains logout.php then I print the same "401" header that I print for authentication and unset $PHP_AUTH_USER, $PHP_AUTH_PW and $AUTH_USER. $AUTH_USER is the user authentication object in my class file UserAuth.class.php. I'm just unsetting this so that no code will still have record of the old authentication object to do anything with. Now if I try to read the $PHP_AUTH_USER or $PHP_AUTH_PW variables anyplace on the site they don't exist, until I go back to one of the protected pages. Then they miraculously re-appear and are readily available once again without requiring the user to log back in. If you've got any ideas, suggestions, guesses or references, please reply. I've run out of ideas. I can also provide the code that I'm using if you think it might just be a problem with my logic. I don't think this is the case as I shouldn't be able to read any variable that has been unset, but like I said, I'm running out of ideas. System: RedHat 6.1-6 i686 Kernel 2.2.13 Server: Apache 1.3.12 PHP: 4.0.3pl1 Thanks, Toby
Re: [PHP] HTTP Authentication w/IIS
>OK, I loaded PHP with the ISAPI filter, but still no luck with authentication.. Did you reboot? It is Windows... I think will tell you if you are actually using ISAPI or CGI or not... Maybe. -- Visit the Zend Store at http://www.zend.com/store/ Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm Volunteer a little time: http://chatmusic.com/volunteer.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP Authentication - Message 2
Dear Shane, Thanks for response. But when I use PHP3 and Apache than all is good. And when I use PHP4 (!!!) and Apache than Apache don't understanding header ('HTTP/1.0 401 Unauthorized'), and Apache's "error.log" consist of "Bad header=HTTP/1.0 401 Unauthorized: d:/program files/php/php.exe". Do you know what is the matter? Thanks in advance. Nick. - Original Message - From: Shane McBride <[EMAIL PROTECTED]> To: Nick Kostirya <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Wednesday, February 07, 2001 7:06 PM Subject: Re: [PHP] HTTP Authentication > Nick, > > I'm not sure were you are getting the value of $PHP_AUTH_USER from, so you > might want to try this snippet. This causes a dialog box to open and ask for > a username/password. > > Also, in your code: you do not need to escape the quotes in the header. > > // Check to see if $PHP_AUTH_USER already contains info > if (!isset($PHP_AUTH_USER)) { > // If empty, send header causing dialog box to appear > header('WWW-Authenticate: Basic realm="Whatever You want to say"'); > header('HTTP/1.0 401 Unauthorized'); > echo 'Authorization Required!'; > exit; > } else if (isset($PHP_AUTH_USER)) { > if (($PHP_AUTH_USER !="abc") || ($PHP_AUTH_PW !="123")) { >header('WWW-Authenticate: Basic realm="Whatever You want to say"'); >header('HTTP/1.0 401 Unauthorized'); >echo 'Authorization Required!'; >exit; > } else { >// Start echo statement >echo "hello"; > } > } > ?> -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] HTTP Authentication
Nick, I'm not sure were you are getting the value of $PHP_AUTH_USER from, so you might want to try this snippet. This causes a dialog box to open and ask for a username/password. Also, in your code: you do not need to escape the quotes in the header. - Original Message - From: "Nick Kostirya" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, February 07, 2001 10:27 AM Subject: [PHP] HTTP Authentication > Hi, all. > HTTP Authentication in PHP 4 - Apache don't work!!! > Help me. > Best. > __ >if(!isset($PHP_AUTH_USER)) { > Header("WWW-Authenticate: Basic realm=\"My Realm\""); > Header("HTTP/1.0 401 Unauthorized"); > echo "Text to send if user hits Cancel button\n"; > exit; > } else { > echo "Hello $PHP_AUTH_USER."; > echo "You entered $PHP_AUTH_PW as your password."; > } > ?> > > > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > To contact the list administrators, e-mail: [EMAIL PROTECTED] > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP Authentication
Hi, all. HTTP Authentication in PHP 4 - Apache don't work!!! Help me. Best. __ "; echo "You entered $PHP_AUTH_PW as your password."; } ?> -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] HTTP Authentication w/IIS
OK, I loaded PHP with the ISAPI filter, but still no luck with authentication.. Here's the basic script that works on Apache/Linux: