Re: Query about WWW-Authenticate: Basic and bad UserID/Password recovery [message #178352 is a reply to message #178350]
Sun, 10 June 2012 22:17
Robert Rosenberg
On 06/10/2012 16:52, in article jr31fc$htu$1(at)dont-email(dot)me, "Jerry Stuckle"
<jstucklex(at)attglobal(dot)net> wrote:
> On 6/10/2012 4:14 PM, Robert Rosenberg wrote:
>> Per the samples I have seen in manuals and on the php.net site I store the
>> header statements in an if(!isset($_SERVER['PHP_AUTH_USER'])) delineated
>> section.
>>
>> I test the supplied UserID and Password to see if they are a valid pair. My
>> problem is that when they are not (right now I have a hard coded pair to use
>> in my testing) I issue an error message and have the user try again (by
>> having the page relaunched via a link). The problem is that the IF sees that
>> the UserID is already set (to the bad value) and thus will not reissue the
>> login menu. How do I invalidate the stored value so that the IF will return
>> TRUE and thus cause the menu to be issued? I tried adding a
>> $_SERVER['PHP_AUTH_USER']=""; or an unset($_SERVER['PHP_AUTH_USER']); in my
>> error routine (with the link) I still do not get the menu.
>>
>> Please Help.
>>
>> Thank you.
>>
>
> These values are set by the server. You can change them, but only for
> the currently running script.
>
> So, you need another way of doing it. One way is to set a value in the
> $_SESSION array to something when the user is logged in, and test it
> instead. Once you get a correct userid and password, set this value.
> If the value isn't set, display the login page. Once it is set,
> continue on.

Thanks for your reply.

My code is:

    if(!isset($_SERVER['PHP_AUTH_USER'])) {
        header('WWW-Authenticate: Basic realm="realm"');
        header('HTTP/1.0 401 Unauthorized');
        echo '<p>Please <a href="login7.php">Log In</a> and enter correct UserID and Password.</p>';
        exit;
    }

I had already tried what you suggested by adding a
$_SERVER["bad-pair"]="TRUE"; to the routine that issued the error message and
provided the return link as well as adding a || $_SERVER["bad-pair"] to the
if but it did not help. I guess I can also just pass a ?parm on my return
link and do a similar test ($_GET['parm']==value).

>
> BTW, I think most PHP programmers don't use the Apache userid/password.
> It's OK if you're using Apache authentication, but that's about it.
> The rest just put up a page with userid and password and handle it from
> there. It takes Apache out of the equation and gives you full control
> (i.e. you can put a "forgot password" link on the page, or a "register"
> link if they haven't registered yet).

I do plan to eventually use a custom login page but I am using this to get
my code worked out for testing. If I can not get it going, I guess I will
need to go the custom page route.
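
Added example, not part of the original post or thread: one way to get the browser's login dialog back after a bad pair is to send the 401 challenge whenever the credentials are missing or wrong, instead of testing isset() alone. The constants TEST_USER and TEST_PASS and the functions credentials_valid() and send_challenge() are hypothetical names with constructed values, standing in for the hard-coded test pair the post mentions.

```php
<?php
// Added example. Hard-coded test pair, as described in the post
// (both values are constructed placeholders).
const TEST_USER = 'demo';
const TEST_PASS = 'constructed-test-password';

/**
 * True only when both values were supplied and match the expected pair.
 * hash_equals() compares the strings in constant time.
 */
function credentials_valid(?string $user, ?string $pass): bool
{
    if ($user === null || $pass === null) {
        return false;
    }
    // Evaluate both comparisons before combining the results.
    $userOk = hash_equals(TEST_USER, $user);
    $passOk = hash_equals(TEST_PASS, $pass);
    return $userOk && $passOk;
}

/** Send the Basic challenge; the browser answers it by showing its dialog. */
function send_challenge(string $realm): void
{
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    echo '<p>Please enter a correct UserID and Password.</p>';
    exit;
}

$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? null;

// The browser keeps resending the pair it cached for this realm, so
// PHP_AUTH_USER stays set on every later request and changes made to
// $_SERVER in one request do not carry over to the next one. Answering a
// wrong pair with a fresh 401 is what makes the browser discard it and
// prompt again.
if (!credentials_valid($user, $pass)) {
    send_challenge('realm');
}

echo '<p>Logged in as ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '.</p>';
```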