RE: [PHP] Re: IE 5.5,authentication,PHP sessions: IE never stops
On 04-Mar-01 Ken wrote:
> Thanks for the idea, John. I know about the auth logout. Unfortunately, that means that when a user clicks "logout", he gets a "log in" prompt! And, in IE, he has to deliberately blank out the password field, THEN hit enter, THEN the prompt will come again, and he has to hit escape.

<snip>

> Any suggestions?

I'm still playing with this but ...

My script handles the authentication against a MySQL table; and this might (probably) have to get tweaked to play well with .htaccess.

The logout script creates a "mark" (tmpfile, db entry, whatever) then redirects to a non-protected page.

On entry to a protected script:

    // markset(), markunset() and validlogin() are helpers defined elsewhere;
    // SITEHOME is a constant holding the site's base URL.
    function authuser($realm) {
        global $PHP_AUTH_USER, $PHP_AUTH_PW;

        if (isset($PHP_AUTH_USER)) {
            if (markset($PHP_AUTH_USER)) {
                // this user logged out earlier: clear the mark and
                // send a 401 to force re-authenticate
                markunset($PHP_AUTH_USER);
                Header('WWW-authenticate: basic realm="'.$realm.'"');
                Header('HTTP/1.0 401 Unauthorized');
                echo "\n\n";
                echo '<META HTTP-EQUIV="Refresh" CONTENT="1; URL='.SITEHOME.'/">';
                exit;
            }

            if (! (validlogin($PHP_AUTH_USER, $PHP_AUTH_PW, $realm))) {
                // bad name or password: challenge again
                Header('WWW-authenticate: basic realm="'.$realm.'"');
                Header('HTTP/1.0 401 Unauthorized');
                echo '<META HTTP-EQUIV="Refresh" CONTENT="1; URL='.SITEHOME.'/">';
                echo '<CENTER>Failed Login<P>Invalid name or password';
                exit;
            }
        } else {
            // no credentials sent at all: challenge instead of
            // falling through to return(true)
            Header('WWW-authenticate: basic realm="'.$realm.'"');
            Header('HTTP/1.0 401 Unauthorized');
            exit;
        }
        return(true);
    }

Regards,
--
Don Read [EMAIL PROTECTED]
-- If you are going to sin, sin against God, not the bureaucracy. God will forgive you but the bureaucrats won't.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Re: [PHP] Re: IE 5.5,authentication,PHP sessions: IE never stops
From: "Ken" [EMAIL PROTECTED]

> Why it's bad is that, if the user clicks "cancel", they are not logged out. They have to manually clear the field, THEN OK, then they get prompted AGAIN, THEN they hit cancel. That's nuts, and my users aren't going to understand that.

Why do they need to be able to log out?

If the user doesn't want their password saved (e.g. they're on a public PC) then they just uncheck the "Save password" box when logging in, and then they can close the browser and be "logged out". If they want their password saved then they can check the "Save password" box and not worry.

It sounds to me like you're trying to implement something that no users are actually going to need or want...

However, if you want more control over the authentication process I suggest making your own login form and using cookies, instead of HTTP authentication. Then you can log users out just by unsetting the cookie(s).

Cheers

Simon Garner

RE: [PHP] Re: IE 5.5,authentication,PHP sessions: IE never stops
> Nope, I'm working with a real client, who has multiple users on the same machine, and IE5.5 is installed on it, and, lo and behold, though the rest of the browsers work fine, IE5.5 has this awful bug.

I don't have this session-terminating problem with IE 5.5 when using Apache and PHP locally on my Win95 computer. I'm also pretty sure it works fine when connected to a Linux/Apache/PHP server where I have some webspace.

Question: Do you have the latest bunch of fixes and security updates for IE 5.5? I remember after I first installed 5.5 a couple of months ago, there were many megabytes of fixes, patches, security updates, etc. (There are probably many more since then.) Perhaps there's already a fix for the bug.

Assuming you have an internet connection from each PC, go into IE 5.5, then select Tools-Windows Update. The MS website should auto-detect the fixes etc. that you need and prompt you to install them.

Mitch

Re: [PHP] Re: IE 5.5,authentication,PHP sessions: IE never stops
> > However, if you want more control over the authentication process I suggest making your own login form and using cookies, instead of HTTP authentication. Then you can log users out just by unsetting the cookie(s).
>
> This is how I will wind up going, EXCEPT the users will be required to click "logout", since merely closing the browser, in IE5.5, does not seem to clear the user/password from the browser's memory, NOR does it clear any session cookie. Again, works fine in other browsers, per spec.

I tried to read up on this thread before responding, so please excuse me if I don't know all the facts.

Have you tried using PHP's sessions to track user logins? If cookies are available, it takes advantage of them. If not, a session tracking variable is automatically appended to the url.

For my own web site, I register a session variable. For my situation, it happens to be an array, but you may not need this.

    // first visit: register $user in the session and start out as Guest
    if (! IsSet($user) ) {
        $user = array();
        session_register("user");
        $user["Username"] = "Guest";
    }

From there, present the visitor with a login form. Process the login form and set the $user["Username"] variable after you've confirmed their login. If you want them to log out, they click a link taking them to a page that sets the variable back to $user["Username"] = "Guest". Best of all, if they close their browser, the browser session is lost.

That setup allows people to work at a computer, log out of the web site, and allow someone else to log in. Or, they can just close the browser window and let someone else sit down to open a new browser window and log in.

There's one thing you'll want to keep in mind, in case you don't already know it. Each browser window you spawn from the original uses the same session. If you log in and then press CTRL-N to open additional windows, they will all use the same session. Of course, the way around this is to just run separate copies of the program to gain additional windows.

Another thing of note, in case it will help, I'm using IE5.5 and don't experience the problems you've described.

-Ed

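The session-based login and logout discussed in the message above, written for current PHP as an added example (not code from the thread): session_register() and register_globals no longer exist, so it uses $_SESSION, and both logout and an idle limit are enforced on the server so a shared machine does not depend on the browser discarding its cookie. It assumes PHP 7.3+ served over HTTPS; the function names, IDLE_LIMIT and the one-user sample store are made up for illustration.

```php
<?php
// Added example; names, IDLE_LIMIT and the sample user are assumptions.
const IDLE_LIMIT = 900; // seconds of inactivity before the login is dropped

function lookup_password_hash(string $user): ?string {
    // Constructed one-user store; a real site would query its user table.
    static $users = null;
    $users = $users ?? ['ken' => password_hash('example-only', PASSWORD_DEFAULT)];
    return $users[$user] ?? null;
}

function start_session(): void {
    session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'secure' => true,
                               'httponly' => true, 'samesite' => 'Lax']);
    session_start();
    // Enforce the idle limit on the server; a browser that keeps its
    // session cookie after "close" then still loses the login.
    if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = time();
}

function login(string $user, string $password): bool {
    $hash = lookup_password_hash($user);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);   // fresh id at login prevents session fixation
    $_SESSION['username'] = $user;
    return true;
}

function logout(): void {
    $_SESSION = [];                // drop the server-side login state
    $p = session_get_cookie_params();
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => $p['path'],
        'domain' => $p['domain'], 'secure' => $p['secure'],
        'httponly' => $p['httponly'], 'samesite' => $p['samesite']]);
    session_destroy();             // delete the session record itself
}

function current_user(): string {
    return $_SESSION['username'] ?? 'Guest';   // same "Guest" default as the post above
}
```
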
RE: [PHP] Re: IE 5.5,authentication,PHP sessions: IE never stops
On 05-Mar-01 Ken wrote:
> At 04:11 PM 3/5/01 +1300, Simon Garner wrote:
> > From: "Ken" [EMAIL PROTECTED]
> >
> > > Why it's bad is that, if the user clicks "cancel", they are not logged out. They have to manually clear the field, THEN OK, then they get prompted AGAIN, THEN they hit cancel. That's nuts, and my users aren't going to understand that.
> >
> > Why do they need to be able to log out?
>
> Because they are on a shared computer.
>
> > If the user doesn't want their password saved (e.g. they're on a public PC) then they just uncheck the "Save password" box when logging in, and then they can close the browser and be "logged out". If they want their password saved then they can check the "Save password" box and not worry.
>
> Nope - with IE5.5, even with that box NOT checked, the user remains logged in until either a) the computer is restarted, or b) a new user-authentication header is sent, AND the user clears out the password field and hits OK. Otherwise the user stays logged in, in spite of the HTTP spec.
>
> > It sounds to me like you're trying to implement something that no users are actually going to need or want...
>
> Nope, I'm working with a real client, who has multiple users on the same machine, and IE5.5 is installed on it, and, lo and behold, though the rest of the browsers work fine, IE5.5 has this awful bug.
>
> > However, if you want more control over the authentication process I suggest making your own login form and using cookies, instead of HTTP authentication. Then you can log users out just by unsetting the cookie(s).
>
> This is how I will wind up going, EXCEPT the users will be required to click "logout", since merely closing the browser, in IE5.5, does not seem to clear the user/password from the browser's memory, NOR does it clear any session cookie. Again, works fine in other browsers, per spec.

Is this an NT-Domain network?

It's been a few years since I was sysadmining, but the user might have to log off the network domain/workgroup to re-select the credential file (luser.pwl file or whatever Bill & the boys from Redmond call it now).

But I'll agree that if IE keeps the authentication after you close the browser, it _is_ borken.

Regards,
--
Don Read [EMAIL PROTECTED]
-- If you are going to sin, sin against God, not the bureaucracy. God will forgive you but the bureaucrats won't.