Re: Query about WWW-Authenticate: Basic and bad UserID/Password recovery [message #178356 is a reply to message #178352]
Mon, 11 June 2012 00:41
Jerry Stuckle
On 6/10/2012 6:17 PM, Robert Rosenberg wrote:
> On 06/10/2012 16:52, in article jr31fc$htu$1(at)dont-email(dot)me, "Jerry Stuckle"
> <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 6/10/2012 4:14 PM, Robert Rosenberg wrote:
>>> Per the samples I have seen in manuals and on the php.net site I store the
>>> header statements in a if(!isset($_SERVER['PHP_AUTH_USER'])) delineated
>>> section.
>>>
>>> I test the supplied UserID and Password to see if they are a valid pair. My
>>> problem is that when they are not (right now I have a hard coded pair to use
>>> in my testing) I issue an error message and have the user try again (by
>>> having the page relaunched via a link). The problem is that the IF sees that
>>> the UserID is already set (to the bad value) and thus will not reissue the
>>> login menu. How do I invalidate the stored value so that the IF will return
>>> TRUE and thus cause the menu to be issued? I tried adding a
>>> $_SERVER['PHP_AUTH_USER']=""; or a unset($_SERVER['PHP_AUTH_USER']); in my
>>> error routine (with the link) I still do not get the menu.
>>>
>>> Please Help.
>>>
>>> Thank you.
>>>
>>
>> These values are set by the server. You can change them, but only for
>> the currently running script.
>>
>> So, you need another way of doing it. One way is to set a value in the
>> $_SESSION array to something when the user is logged in, and test it
>> instead. Once you get a correct userid and password, set this value.
>> If the value isn't set, display the login page. Once it is set,
>> continue on.
>
> Thanks for your reply.
>
> My code is:
>
> if(!isset($_SERVER['PHP_AUTH_USER'])) {
> header('WWW-Authenticate: Basic realm="realm"');
> header('HTTP/1.0 401 Unauthorized');
> echo '<p>Please <a href="login7.php">Log In</a> and enter correct
> UserID and Password.</p>';
> exit;
> }
>
> I had already tried what you suggested by adding a
> $_SERVER["bad-pair"]="TRUE"; to the routine that issued the error message and
> provided the return link as well as adding a || $_SERVER["bad-pair"] to the
> if but it did not help. I guess I can also just pass a ?parm on my return
> link and do a similar test ($_GET['parm']==value).
>
>>
>> BTW, I think most PHP programmers don't use the Apache userid/password.
>> It's OK if you're using Apache authentication, but that's about it.
>> The rest just put up a page with userid and password and handle it from
>> there. It takes Apache out of the equation and gives you full control
>> (i.e. you can put a "forgot password" link on the page, or a "register"
>> link if they haven't registered yet).
>
> I do plan to eventually use a custom login page but I am using this to get
> my code worked out for testing. If I can not get it going, I guess I will
> need to go the custom page route.
>
>
No, I said $_SESSION, not $_SERVER. You cannot set values in the
$_SERVER array and have them continue across requests. This array is
set by the server fresh every time a PHP script is initiated, and
destroyed at the end of the script.
And if you're going to get a custom login, the time to do it is now -
not later, when you have to change a lot of code.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
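
A sketch of the $_SESSION approach described in the reply above, combined with re-issuing the 401 challenge when the supplied pair is wrong rather than only when it is missing. This is an added example, not code from either poster; the credential constants, the `authenticated` and `user` session keys and the helper function names are assumptions.

```php
<?php
// Added example, not code from the thread. The credential pair is a
// constructed test value; a real site would check a password_hash() value
// from its user store with password_verify().
const TEST_USER = 'demo-user';
const TEST_PASS = 'demo-pass-constructed';

function credentials_valid(?string $user, ?string $pass): bool
{
    if ($user === null || $pass === null) {
        return false;
    }
    // hash_equals() compares in constant time; evaluate both before combining.
    $userOk = hash_equals(TEST_USER, $user);
    $passOk = hash_equals(TEST_PASS, $pass);
    return $userOk && $passOk;
}

function challenge(): void
{
    // A 401 with WWW-Authenticate tells the browser the pair it sent was
    // rejected, so it prompts again instead of reusing the bad value.
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="realm"');
    echo '<p>Please <a href="login7.php">Log In</a> and enter correct UserID and Password.</p>';
    exit;
}

session_start();

if (empty($_SESSION['authenticated'])) {
    // $_SERVER is rebuilt on every request, so the decision is made from
    // what the browser sent this time; only the session keeps state.
    $user = $_SERVER['PHP_AUTH_USER'] ?? null;
    $pass = $_SERVER['PHP_AUTH_PW'] ?? null;

    if (!credentials_valid($user, $pass)) {
        challenge();   // missing OR wrong pair: re-issue the prompt
    }

    session_regenerate_id(true);   // new session id once the login succeeds
    $_SESSION['authenticated'] = true;
    $_SESSION['user'] = $user;
}

echo 'Logged in as ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
```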