Re: [PHP] $PHP_AUTH_USER question...
On Fri, 6 Jun 2003 11:36:51 +0100, [EMAIL PROTECTED] wrote: >How can I get that to talk to $PHP_AUTH_USER? I'm not sure this is exactly what you want (actually, I'm pretty sure this is coming at it from the opposite end), but here is a way I used it for a very simple / low security situation. I set up the index.php to check for $_SERVER["PHP_AUTH_USER"] (actually, I started out just using $PHP_AUTH_USER with RegisterGlobals on, but I figured out that it could be inserted via the get method and totally defeat my "security") where I wanted to add links that only administrators have access to. I also check for it at the top of the admin only modules. This way a normal user might see a list of items with "Details" buttons next to them, but admins would see those buttons and "Edit" buttons. Edit would also check to see if the variable was set. At the bottom of the main page I have a link to login.php. This is simply a redirect back the index.php but I have that file listed in the .htaccess file as password protected. Once the login.php file has been password checked, all of the programs from that directory down inherit the $_SERVER["PHP_AUTH_USER"] value. Here is the .htaccess file I used: AuthType Basic AuthUserFile /www/sbudir/.htpasswd AuthName MyAuthName Require valid-user Here is the login.php file http://www.mydomain.com/subdir/";); ?> And in my index.php I have lines similar to the following: Details Edit"; } ?> -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP_AUTH_USER
- Original Message - From: "Liam MacKenzie" <[EMAIL PROTECTED]> To: "Hendråwan Rinäldi" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Friday, August 30, 2002 4:49 PM Subject: Re: [PHP] PHP_AUTH_USER > I'm afraid you're going to have to be more specific than that my friend. > every body or my buddy Liam MacKenzie can help me?? this is the script what is the code for log out? thankss : Contact the webmaster Username and Password are required to view this page. Contact the webmaster -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP_AUTH_USER
Yes, Matt, you were right about tracking the authorized state with a session. I actually thought about same thing: keeping a variable somewhere which will help to decide whether to send those "Authenticate" headers or not - just didn't realize you meant the same thing. :) And a little excerpt from w3.org proving the point: "HTTP Authentication has the addition problem that there is no mechanism available to the server to cause the browser to 'logout'; that is, to discard its stored credentials for the user. This presents a problem for any web application that may be used from a shared user agent. Requests for how to force 'logout' appear almost daily in the netnews html and cgi authoring groups, and are one of the most common support questions received by Agranat Systems from their customers developing embedded systems web interfaces." Cheers, Stas -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] PHP_AUTH_USER
> From: Stas Maximov [mailto:[EMAIL PROTECTED]] > Sent: Friday, August 30, 2002 8:02 AM > To: Matt Schroebel > Cc: PHP General > Subject: Re: [PHP] PHP_AUTH_USER > > > > You can't log out of http authentication. Close the > browser is it. Not > very secure, eh. Use a session based login method > if you > need logout > function. > > Why not? Sending this to the client should do the job: > > header('WWW-Authenticate: Basic realm="My Realm"'); > header('HTTP/1.0 401 Unauthorized'); That doesn't work for me, at least in IE 6. It pops up a new login window. If you hit cancel, the browser still sends the prior authorization header to the server on the next request. If you change the realm on one page, when you go back to the other page, the browser will still have the other realms authorization header. Thinking as I type, perhaps you mean to store the realm, and change it to something else when they logout? Such that one never sees the same realm twice. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP_AUTH_USER
> You can't log out of http authentication. Close the browser is it. Not very secure, eh. Use a session based login method > if you need logout function. Why not? Sending this to the client should do the job: header('WWW-Authenticate: Basic realm="My Realm"'); header('HTTP/1.0 401 Unauthorized'); HTH, Stas -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] PHP_AUTH_USER
> From: Hendråwan Rinäldi [mailto:[EMAIL PROTECTED]] > Sent: Friday, August 30, 2002 5:44 AM > Subject: [PHP] PHP_AUTH_USER > > anyone can help me what is the script for log out > > WWW-authenticate You can't log out of http authentication. Close the browser is it. Not very secure, eh. Use a session based login method if you need logout function. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP_AUTH_USER
I'm afraid you're going to have to be more specific than that my friend. - Original Message - From: "Hendråwan Rinäldi" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, August 30, 2002 7:43 PM Subject: [PHP] PHP_AUTH_USER anyone can help me what is the script for log out WWW-authenticate -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] PHP_AUTH_USER
The information is stored in the $PHP_AUTH_USER variable but only appears to be accessible while you are viewing a page that is protected by that .htaccess file. To make it available to other pages I assigned $PHP_AUTH_USER to a session variable. :o) -Original Message- From: 1LT John W. Holmes [mailto:[EMAIL PROTECTED]] Sent: Tuesday, June 04, 2002 10:48 AM To: Fifield, Mike Cc: [EMAIL PROTECTED] Subject: Re: [PHP] PHP_AUTH_USER And the solution was? remember, other people actually search the archives before they post, so giving the solution to your problem will help those people out. (Even if it was something simple) ---John Holmes... - Original Message - From: "Fifield, Mike" <[EMAIL PROTECTED]> To: "'1LT John W. Holmes'" <[EMAIL PROTECTED]>; "Fifield, Mike" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Tuesday, June 04, 2002 12:19 PM Subject: RE: [PHP] PHP_AUTH_USER > Correction Redhat7 :-) Got it working thanks for all the help! > > -Original Message- > From: 1LT John W. Holmes [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, June 04, 2002 9:36 AM > To: Fifield, Mike; [EMAIL PROTECTED] > Subject: Re: [PHP] PHP_AUTH_USER > > > I have a bunch of pages on my site inside an apache .htaccess protected > > directory. After visitors have logged in I am on part of my site I need to > > find out which user it is that has logged in. I thought this information > was > > stored in the $PHP_AUTH_USER variable, but when I print this variable it > is > > empty. Does anyone know of way to tell on apache 7 how to tell with php > who > > is logged in? > > PHP might not be very stable with apache 7... :) > > What version of PHP are you using? Try using the variable > $_SERVER['PHP_AUTH_USER'] or $HTTP_SERVER_VARS['PHP_AUTH_USER']. If it's not > in _SERVER, someone please correct me. > > ---John Holmes... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP_AUTH_USER
And the solution was? remember, other people actually search the archives before they post, so giving the solution to your problem will help those people out. (Even if it was something simple) ---John Holmes... - Original Message - From: "Fifield, Mike" <[EMAIL PROTECTED]> To: "'1LT John W. Holmes'" <[EMAIL PROTECTED]>; "Fifield, Mike" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Tuesday, June 04, 2002 12:19 PM Subject: RE: [PHP] PHP_AUTH_USER > Correction Redhat7 :-) Got it working thanks for all the help! > > -Original Message- > From: 1LT John W. Holmes [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, June 04, 2002 9:36 AM > To: Fifield, Mike; [EMAIL PROTECTED] > Subject: Re: [PHP] PHP_AUTH_USER > > > I have a bunch of pages on my site inside an apache .htaccess protected > > directory. After visitors have logged in I am on part of my site I need to > > find out which user it is that has logged in. I thought this information > was > > stored in the $PHP_AUTH_USER variable, but when I print this variable it > is > > empty. Does anyone know of way to tell on apache 7 how to tell with php > who > > is logged in? > > PHP might not be very stable with apache 7... :) > > What version of PHP are you using? Try using the variable > $_SERVER['PHP_AUTH_USER'] or $HTTP_SERVER_VARS['PHP_AUTH_USER']. If it's not > in _SERVER, someone please correct me. > > ---John Holmes... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] PHP_AUTH_USER
Correction Redhat7 :-) Got it working thanks for all the help! -Original Message- From: 1LT John W. Holmes [mailto:[EMAIL PROTECTED]] Sent: Tuesday, June 04, 2002 9:36 AM To: Fifield, Mike; [EMAIL PROTECTED] Subject: Re: [PHP] PHP_AUTH_USER > I have a bunch of pages on my site inside an apache .htaccess protected > directory. After visitors have logged in I am on part of my site I need to > find out which user it is that has logged in. I thought this information was > stored in the $PHP_AUTH_USER variable, but when I print this variable it is > empty. Does anyone know of way to tell on apache 7 how to tell with php who > is logged in? PHP might not be very stable with apache 7... :) What version of PHP are you using? Try using the variable $_SERVER['PHP_AUTH_USER'] or $HTTP_SERVER_VARS['PHP_AUTH_USER']. If it's not in _SERVER, someone please correct me. ---John Holmes... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP_AUTH_USER
> I have a bunch of pages on my site inside an apache .htaccess protected > directory. After visitors have logged in I am on part of my site I need to > find out which user it is that has logged in. I thought this information was > stored in the $PHP_AUTH_USER variable, but when I print this variable it is > empty. Does anyone know of way to tell on apache 7 how to tell with php who > is logged in? PHP might not be very stable with apache 7... :) What version of PHP are you using? Try using the variable $_SERVER['PHP_AUTH_USER'] or $HTTP_SERVER_VARS['PHP_AUTH_USER']. If it's not in _SERVER, someone please correct me. ---John Holmes... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP_AUTH_USER
Set a Cookie then you can pull it out that way. PHP_Auth is based upon Cookies from what I was able to figure out. Chris - Original Message - From: "Fifield, Mike" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, June 04, 2002 9:59 AM Subject: [PHP] PHP_AUTH_USER > I have a bunch of pages on my site inside an apache .htaccess protected > directory. After visitors have logged in I am on part of my site I need to > find out which user it is that has logged in. I thought this information was > stored in the $PHP_AUTH_USER variable, but when I print this variable it is > empty. Does anyone know of way to tell on apache 7 how to tell with php who > is logged in? > > > Mike Fifield > Charles Schwab & Co, Inc. > WARNING: All e-mail sent to or from this address will be received by the > Charles Schwab corporate e-mail system and is subject to archival and review > by someone other than the recipient. > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] PHP_AUTH_USER
>I have a bunch of pages on my site inside an apache .htaccess protected > directory. After visitors have logged in I am on part of my site I need to > find out which user it is that has logged in. I thought this > information was > stored in the $PHP_AUTH_USER variable, but when I print this you can use the REMOTE_USER server variable -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP_AUTH_USER
Hello: > I have a bunch of pages on my site inside an apache .htaccess protected > directory. After visitors have logged in I am on part of my site I need to > find out which user it is that has logged in. I thought this information was > stored in the $PHP_AUTH_USER variable, but when I print this variable it is > empty. Does anyone know of way to tell on apache 7 how to tell with php who > is logged in? AFAIK $PHP_AUTH_USER is used with SSL and certificates. You can use the visitor ip to know who is, but I think we need more information on what you want to do. Best Regards. QaDRAM Studio, RAD Development for the WEB http://studio.qadram.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] $PHP_AUTH_USER
> I have trouble unseting the values of $PHP_AUTH_USER and > $PHP_AUTH_PW. I use > the WWW-Authenticate via header() to authorize the user when accessing the > page. But when the user logs out, values in $PHP_AUTH_USER and PW seem to > remain and the user isn't asked again to authorize till a new > browser window > is opened. I suppose that this problem should be solved by > sending a proper > header() to end the session ... but which one? Of course, I could be wrong > :-) ... I would appreciate if anyone could help me to solve this. Unfortunately I can't find my notes so I can't give you an exact answerhowever if I remember correctly by sending a 401 error header to the user when they log out it will force the browser to re-request authentication Sincerely, Craig Vincent -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php