Re: Query about WWW-Authenticate: Basic and bad UserID/Password recovery [message #178357 is a reply to message #178353]
Mon, 11 June 2012 07:36
M. Strobel
On 11.06.2012 00:25, Robert Rosenberg wrote:
> On 06/10/2012 16:54, in article jr31hi$igf$1(at)dont-email(dot)me, "Richard Damon"
> <news(dot)x(dot)richarddamon(at)xoxy(dot)net> wrote:
>
>> On 6/10/12 4:14 PM, Robert Rosenberg wrote:
>>> Per the samples I have seen in manuals and on the php.net site I store the
>>> header statements in a if(!isset($_SERVER['PHP_AUTH_USER'])) delineated
>>> section.
>>>
>>> I test the supplied UserID and Password to see if they are a valid pair. My
>>> problem is that when they are not (right now I have a hard coded pair to use
>>> in my testing) I issue an error message and have the user try again (by
>>> having the page relaunched via a link). The problem is that the IF sees that
>>> the UserID is already set (to the bad value) and thus will not reissue the
>>> login menu. How do I invalidate the stored value so that the IF will return
>>> TRUE and thus cause the menu to be issued? I tried adding a
>>> $_SERVER['PHP_AUTH_USER']=""; or a unset($_SERVER['PHP_AUTH_USER']); in my
>>> error routine (with the link) I still do not get the menu.
>>>
>>> Please Help.
>>>
>>> Thank you.
>>>
>>
>> The issue is you need to tell the browser that the log in information is
>> incorrect, which you can do by sending a header with a 401 Not
>> Authorized error code. This should trigger the browser to pop up the
>> login box. You are probably doing this for no UserId, you also need to
>> do it for a wrong user ID.
>
> Thanks for your reply.
>
> My code is:
>
> if(!isset($_SERVER['PHP_AUTH_USER'])) {
> header('WWW-Authenticate: Basic realm="realm"');
> header('HTTP/1.0 401 Unauthorized');
> echo '<p>Please <a href="login7.php">Log In</a> and enter correct
> UserID and Password.</p>';
> exit;
> } else {
>
> If (check for not good pair) {
> echo an error message and supply a retry link
> } else {
> Good Pair routine
> } // end of pair check
>
> } // end of menu code
>
>
> Thus the 401 is there but will not be sent due to the IF !isset. Are you
> saying that I need to just send the header from my bad pair routine? I can
> not see any way to delay the header so I can display a BAD PAIR error message
> and only have them attempt again after using a link back to the PHP page.
> Issuing the header without an error message just causes the menu to
> immediately get displayed without any warning of the bad input (ie: You
> reply get the box back).
>
> While I plan to replace this test with a real custom login page before going
> live, I am using this as a short cut while I work on other areas of my code
> (as well as learning how to use this function).
>
You probably did not understand what JS said about authentication.
Typically you would use web server authentication
(http://httpd.apache.org/docs/2.0/howto/auth.html) without coding in PHP.
You can have code for it in PHP, but you would not, because basic authentication is
sort of ... basic, or ridiculous, because user name and password are sent for every
request.
This is a typical test setup: basic authentication, the web server handles it, and
your code does not care. Then you implement your own login functions in PHP; the key to
understanding it is the session features (http://de.php.net/manual/en/ref.session.php).
When your site goes public, you remove the web server authentication.
/Str.
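
The suggestion quoted above, sending the 401 for a wrong pair as well as for a missing one, as an added example that is not code from the thread. The user name, password and messages are constructed test values, and `challenge()` and `valid_pair()` are hypothetical helper names.

```php
<?php
// Added example, not code from the thread. TEST_USER and the password are
// constructed test values standing in for the poster's hard-coded pair.
const REALM = 'realm';
const TEST_USER = 'testuser';

// Hash of the constructed test password. Computed here only to keep the
// example self-contained; normally the hash is created once and stored.
$testHash = password_hash('test-password', PASSWORD_DEFAULT);

/** Send the 401 challenge. Browsers show the body only if the dialog is cancelled. */
function challenge(string $message): void
{
    header('WWW-Authenticate: Basic realm="' . REALM . '"');
    http_response_code(401);
    echo '<p>' . htmlspecialchars($message) . '</p>';
    exit;
}

/** Check the pair; both comparisons always run, so timing does not reveal which part failed. */
function valid_pair(string $user, string $pass, string $hash): bool
{
    $userOk = hash_equals(TEST_USER, $user);
    $passOk = password_verify($pass, $hash);
    return $userOk && $passOk;
}

// Case 1: the browser sent no credentials yet.
if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    challenge('Please log in with your UserID and Password.');
}

// Case 2: credentials were sent but are wrong. Answering with the same 401
// makes the browser prompt again instead of resending the bad pair.
if (!valid_pair($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'], $testHash)) {
    challenge('UserID or Password was not accepted.');
}

echo '<p>Logged in as ' . htmlspecialchars($_SERVER['PHP_AUTH_USER']) . '</p>';
```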