| Re: Query about WWW-Authenticate: Basic and bad UserID/Password recovery [message #178355 is a reply to message #178352] |
Sun, 10 June 2012 23:49   |
Scott Johnson
Messages: 196
Registered: January 2012
Karma:
|
Senior Member |
|
|
On 6/10/2012 3:17 PM, Robert Rosenberg wrote:
> On 06/10/2012 16:52, in article jr31fc$htu$1(at)dont-email(dot)me, "Jerry Stuckle"
> <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 6/10/2012 4:14 PM, Robert Rosenberg wrote:
>>> Per the samples I have seen in manuals and on the php,net site I store the
>>> header statements in a if(!isset($_SERVER['PHP_AUTH_USER'])) delineated
>>> section.
>>>
>>> I test the supplied UserID and Password to see if they are a valid pair. My
>>> problem is that when they are not (right now I have a hard coded pair to use
>>> in my testing) I issue an error message and have the user try again (by
>>> having the page relaunched via a link). The problem is that the IF sees that
>>> the UserID is already set (to the bad value) and thus will not reissue the
>>> login menu. How do I invalidate the stored value so that the IF will return
>>> TRUE and thus cause the menu to be issued? I tried adding a
>>> $_SERVER['PHP_AUTH_USER'])=""; or a unset($_SERVER['PHP_AUTH_USER']); in my
>>> error routine (with the link) I still do not get the the menu.
>>>
>>> Please Help.
>>>
>>> Thank you.
>>>
>>
>> These values are set by the server. You can change them, but only for
>> the currently running script.
>>
>> So, you need another way of doing it. One way is to set a value in the
>> $_SESSION array to something when the user is logged in, and test it
>> instead. Once you get a correct userid and password, set this value.
>> If the value isn't set, display the login page. Once it is set,
>> continue on.
>
> Thanks for your reply.
>
> My code is:
>
> if(!isset($_SERVER['PHP_AUTH_USER'])) {
> header('WWW-Authenticate: Basic realm="realm"');
> header('HTTP/1.0 401 Unauthorized');
> echo '<p>Please<a href="login7.php">Log In</a> and enter correct
> UserID and Password.</p>';
> exit;
> }
>
> I had already tried what you suggested by adding a
> $_SERVER["bad-pair"]="TRUE; to the routine that issued the error message and
> provided the return link as well as adding a || $_SERVER["bad-pair"] to the
> if but it did not help. I guess I can also just pass a ?parm on my return
> link and do a similar test ($_GET['parm']==value).
>
>>
>> BTW, I think most PHP programmers don't use the Apache userid/password.
>> It's OK if you're using Apache authentication, but that's about it.
>> The rest just put up a page with userid and password and handle it from
>> there. It takes Apache out of the equation and gives you full control
>> (i.e. you can put a "forgot password" link on the page, or a "register"
>> link if they haven't registered yet).
>
> I do plan to eventually use a custom login page but I am using this to get
> my code worked out for testing. If I can not get it going, I guess I will
> need to go the custom page route.
>
>
Hello Robert
Just my .02
You may want to decide which way you want to go on the user
authentication now because at times your script may rely on that data
and how its implemented, such as permissions and as Jerry mentioned user
registration.
Many time all the user registration data is loaded upon sign in and
carries thru the site for many other uses.
It is tempting to put off unfamiliar areas but may cause several hours
of recoding down the road.
Scotty
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]