PHP Development
 
#1 | falcon | February 16th, 2000, 10:20 AM
Hi

I have been struggling with this problem for quite some time now. If anyone can help I would be extremely grateful.

Scenario:
User logs on. The username and password are passed from the PHP_AUTH_* variables to the database.

Requirement:
Cancel - the user is redirected to a default page.

Valid Username/Pass - User goes into page

Invalid Username/Pass - display error page with go to default page or try to login again.

I have got the first two parts sorted no problem. It's the third part which I have a problem with. I get the error page displayed but trying to get some new details sent across again when they try to log in I can't figure out.

The second solution and perhaps the easier is to have the username and password on the page as html form elements. The only problem is that I can not assign a value to the PHP_AUTH_* variables that will be available across all pages until that user logs out.

Is there a special way of assigning values to PHP_AUTH_* variables? I can assign values to them but when the page is refreshed or changed then they lose these values. Can I create a similar sort of variable which I can manipulate in this way?

Please can anyone devise a solution to either of these problems, I would be so so appreciative.

Thanks in advance.

Falcon.

[This message has been edited by falcon (edited February 16, 2000).]

#2 | F.Schaper | February 16th, 2000, 03:55 PM
Hmm, well then use this, hope it helps ya:

function check_login() // method name assumed; the post shows only the body of a class method
{
    global $PHP_AUTH_USER, $PHP_AUTH_PW;
    if ($PHP_AUTH_USER)
    {
        // Escape the user name before it goes into the SQL string
        $query="SELECT * FROM userinformation WHERE login_name='".addslashes($PHP_AUTH_USER)."'";
        $this->db_connect();
        $res=mysql_query($query);
        if (mysql_num_rows($res))
        {
            $row=mysql_fetch_array($res);
            if ($row['login_pwd']==$PHP_AUTH_PW)
            {
                $this->db_close(); // User provided correct password
                return;
            }
        }
        $this->db_close();
    }
    // No credentials, unknown user or wrong password: challenge the browser again
    Header('WWW-Authenticate: Basic realm="Workstation-Login"');
    Header("HTTP/1.0 401 Unauthorized");
    $this->login_abort(); // User pressed cancel
}

It is not a solution I would use cause the password is not crypted but this is only a few lines more to get it and I tried to keep it simple. If u have further questions about this or it does not fit ya needs drop me a note.


#3 | falcon | February 21st, 2000, 11:27 AM
Thanks for your response F.Schaper. I tried your code but it is not much different from what I have already coded.

The password protection is not a problem, this will be done across SSL.

I have included the code so far that I have been working on. I hope that you will be able to help me further.

<?
// Sends only the 401 status
function kickUp() {
    Header("HTTP/1.0 401 Unauthorized");
}

// Sends the Basic challenge followed by the 401 status
function authenticate() {
    global $SID; // the realm value is defined outside the function
    Header("WWW-authenticate: basic realm=\"$SID\"");
    Header("HTTP/1.0 401 Unauthorized");
}

// Body shown when the user cancels the login dialog: redirect to the home page
function displayCancelation() {
    echo "<html><head><title></title>";
    echo "<meta http-equiv=refresh content=\"0;";
    echo "url=http://www.site.com\">";
    echo "</head><body></body></html>";
}

// Error page with a link and a form for trying the login again
function displayWrongLogin($basename) {
    echo "<html><head><title>Login Error</title>";
    echo "<link rel=stylesheet type=\"text/css\"";
    echo " href=\"page_style.css\">";
    echo "</head><body bgcolor=\"#ffffff\">";
    echo "<p align=\"center\">The Username/Password ";
    echo "you entered was incorrect.</p>";
    echo "<p align=\"center\"><a href=\"".$basename;
    echo "\">Login Again</a> | <a href=\"";
    echo "http://www.site.com\">";
    echo "Return to Home Page</a></p>";

    echo "<p><form method=\"post\" action=\"".$basename."\">";
    echo "<input type=\"hidden\" name=\"re_login\" value=\"yes\">";
    echo "<input type=\"submit\" value=\"Login\"></form></p>";

    echo "</body></html>";
}

// PROBLEM LIES SOMEWHERE BETWEEN HERE //

if ($re_login != "yes") {
    if (!isset($PHP_AUTH_USER)) {
        authenticate();
        unset($PHP_AUTH_USER);
        displayCancelation();
        exit;
    } else {
        $error = " ";
        $conn = new DB_Connect($PHP_AUTH_USER,$PHP_AUTH_PW, $error);
        if ($error == ERROR) {
            unset($PHP_AUTH_USER);
            displayWrongLogin(basename($PHP_SELF));
        }
    }
} elseif ($re_login == "yes") {
    kickUp();
}

// AND HERE //

?>

I did have some code that worked the same without all the rubbish but I can not find that now. I have tried to highlight the section that I am trying to get to work.

Again thanks for any help.

Falcon

[This message has been edited by falcon (edited February 21, 2000).]

#4 | F.Schaper | February 22nd, 2000, 02:54 AM
Yes .. the problem is that you cannot unset the $PHP_AUTH_USER .) this was my first try too. Trying to set a variable as re_login detector wouldn't help you either cause the page is reloaded (and you cannot post variables via POST or GET here) and the variable is lost.
The problem with your code is that you check for the $PHP_AUTH_USER and if it is NOT set you do your header sending. If the user relogins the $PHP_AUTH_USER always remains until he quits his browser ... Do the following:

a) Check $PHP_AUTH_USER & PWD against your stored user
b) If this is false send HEADER() and maybe store in MySQL a hint how many times the user $PHP_AUTH_USER tried to login to do something like a max login .)
----
if user is true get him access

The snippet of code I sent to you does exactly this and it works fine... guess for you too

If u have further questions drop me a note

#5 | falcon | February 22nd, 2000, 09:09 AM
Hi

if ($PHP_AUTH_USER) {
    $conn = new DB_Connect($PHP_AUTH_USER, $PHP_AUTH_PW, $error);
    if ($error == ERROR) {
        // ---- Problem Starts ----
        displayWrongLogin(basename($PHP_SELF)); // display wrong login/password
        kickUp(); // unauthorized header
        authenticate(); // display login again
        exit;
        // ---- Problem Ends ----
    }
} else {
    authenticate(); // authenticate user header
    displayCancelation(); // user pressed cancel
    exit; // stop here
}

OK, this isn't the same as the code you gave me but it has been adapted to incorporate the functions available. DB_Connect makes the database connection and assigns a login status to the variable error. It will either return status ERROR or COMPLETE. The function kickUp(); is nothing more than the unauthorized header. The authorization(); sends authenticate and unauthorized.

Do I need to send unauth then auth and then unauth or just auth then unauth?

In your last message you said if the auth fails to send the header. Trouble is, in this code you only send the auth header if php_auth_user is NOT set. If login has failed then php_auth_user is set. As I discovered you can not unset php_auth_user. How then is the dialog box kicked up if the user auth has failed?

I am sorry if I am starting to sound thick, it's just I have been trying to get this to work for some time now and it would be nice to put it to one side and work on something new.

I am extremely appreciative of all your help.

Falcon

#6 | rod k | February 22nd, 2000, 02:14 PM
Why use HTTP auth at all? Just use a form login since you have SSL. Much more flexible since YOU control the entire process.

#7 | F.Schaper | February 22nd, 2000, 04:16 PM
if ($PHP_AUTH_USER) {
    $conn = new DB_Connect($PHP_AUTH_USER, $PHP_AUTH_PW, $error);
    if ($error == ERROR) {
        // ---- Problem Starts ----
        displayWrongLogin(basename($PHP_SELF)); // display wrong login/password
        //kickUp(); // unauthorized header
        // ^^^ Wrong with that, Houston

        authenticate(); // display login again
        // ^^^ _and_ this:
        // after displaying text you cannot send a header *gg*

        exit;
        // ---- Problem Ends ----
    }
} else {
    authenticate(); // authenticate user header
    displayCancelation(); // user pressed cancel
    exit; // stop here
}

I will work out the code for you and send it in the next reply

#8 | F.Schaper | February 22nd, 2000, 05:01 PM
The only problem with this snippet of code is that you are not really able to display a sorry you have supplied the wrong login/password message.

I have solved this with parsing the $query_message and doing a redirection at the beginning of the page ... though this turns out to become more complicated than u might want this to become, I have chosen the simplest way.

but like u might have followed the readings any method of prompting the user for login and password might suit u well enough through SSL

<?php

function send_header()
{
    global $AUTH_REALM; // realm name is defined outside the function
    Header('WWW-Authenticate: Basic realm="'.$AUTH_REALM.'"');
    Header("HTTP/1.0 401 Unauthorized");
}


$conn = new DB_Connect($PHP_AUTH_USER, $PHP_AUTH_PW, $error);
if (($error == ERROR) || (!isset($PHP_AUTH_USER)))
{
    send_header();

    echo "Sorry you pressed chancel and you will have to reload the page\n";
    exit; // stop here so the authenticated output below is never sent along with a 401
}

echo "Yeah you are authenticated\n";

?>
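
Added example (not part of any post in this thread): a Basic-auth gate in current PHP that follows the flow settled on above. It answers every request with missing or wrong credentials with the 401 challenge, which is what makes the browser prompt again, and it stops before the protected page even when the headers can no longer be sent. The $USERS array, the sample account and the function names are assumptions standing in for the thread's userinformation table and DB_Connect.

```php
<?php
// Added example, not code from the thread. $USERS stands in for the
// userinformation table; the account and password are constructed samples.
$USERS = ['falcon' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Returns the authenticated user name, or null if the request must be challenged.
function basic_auth_user(array $server, array $users): ?string
{
    $user = $server['PHP_AUTH_USER'] ?? null;
    $pass = $server['PHP_AUTH_PW'] ?? null;
    if (!is_string($user) || !is_string($pass)) {
        return null;                       // no credentials sent yet
    }
    // Unknown users are checked against a dummy hash so the response time
    // does not reveal which login names exist.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($pass, $users[$user] ?? $dummy);
    return ($ok && isset($users[$user])) ? $user : null;
}

// Sends the challenge. It has to run before any output; the body is what
// the browser shows only after the user presses Cancel.
function challenge(string $realm): void
{
    if (headers_sent($file, $line)) {
        // e.g. a database warning was printed first, as happened in the thread
        error_log("cannot send 401: output started at $file:$line");
    } else {
        header('HTTP/1.0 401 Unauthorized');
        header('WWW-Authenticate: Basic realm="' . $realm . '"');
    }
    echo "Login cancelled or failed. Reload the page to try again.\n";
}

$user = basic_auth_user($_SERVER, $USERS);
if ($user === null) {
    challenge('Workstation-Login');
    exit;                                  // never fall through to the protected page
}
echo 'Welcome, ' . htmlspecialchars($user) . "\n";
```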

#9 | falcon | February 23rd, 2000, 04:06 AM
F.Schaper:
Thanks for all your hard work, I didn't think it could be so simple. Unfortunately it complains about the $conn = new DB_Connect. Error message being Headers already sent. I am not sure why it thinks the headers are already sent; DB_Connect uses no headers.

Rod K:
I have considered using your suggestion, I even have the code ready. In my first message I was looking for a suggestion for a variable that would be available across all pages. In fact after all the hassle with http auth I would gladly use this method. If you do have a solution to either of these problems I would be extremely grateful.

Thanks

Falcon

#10 | rod k | February 23rd, 2000, 08:36 AM
Falcon,

What you need is to set up a session id. The id has to be unique. The best way I know of doing this is to use

$sessid=md5(uniqid($username));

You would, of course, do this after the user has successfully logged in. Then you pass $sessid from page to page using a cookie or GET or POST. Cookies can be great if the user has them enabled.

The other nice thing is that you can set an expiration time and compare the time the user last accessed a page with the current time. If it's past your expiration, they would need to log back in.

The flow would be something like this:

1) Log in
2) Verify username/pass (onfail goto 1)
3) Assign session id, store to table with current time

Then on each protected page:

1) Verify session id valid (onfail goto login)
2) Verify session not expired (onfail goto login)
3) Reset time in table to current time
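
Added example (not rod k's code): the login and per-page steps listed above in current PHP, with an array standing in for the session table. It swaps md5(uniqid($username)) for random_bytes(), because uniqid() is derived from the current time and its output can be predicted; SESSION_TTL and the function names are assumptions.

```php
<?php
// Added example, not code from the thread. $table stands in for the session
// table; SESSION_TTL and the function names are assumptions for illustration.
const SESSION_TTL = 900; // seconds of inactivity before the user must log in again

// Step 3 of the login flow: issue an id and store it with the current time.
function session_issue(array &$table, string $username, int $now): string
{
    $sessid = bin2hex(random_bytes(32));   // CSPRNG output instead of md5(uniqid())
    // Store only a hash of the id so a leaked table does not yield usable ids.
    $table[hash('sha256', $sessid)] = ['user' => $username, 'last' => $now];
    return $sessid;
}

// Steps 1-3 on each protected page. Returns the user name, or null (go to login).
function session_check(array &$table, $sessid, int $now): ?string
{
    if (!is_string($sessid) || !preg_match('/^[0-9a-f]{64}$/', $sessid)) {
        return null;                       // missing or malformed id
    }
    $key = hash('sha256', $sessid);
    if (!isset($table[$key])) {
        return null;                       // 1) id is not valid
    }
    if ($now - $table[$key]['last'] > SESSION_TTL) {
        unset($table[$key]);               // 2) expired: delete so it cannot be revived
        return null;
    }
    $table[$key]['last'] = $now;           // 3) reset time to current time
    return $table[$key]['user'];
}

// Constructed walk-through with a fake clock (times in seconds).
$table = [];
$id = session_issue($table, 'falcon', 1000);
var_dump(session_check($table, $id, 1600));                 // used again after 600 s
var_dump(session_check($table, $id, 2501));                 // idle for 901 s
var_dump(session_check($table, $id, 2502));                 // same id after expiry
var_dump(session_check($table, str_repeat('0', 64), 1000)); // id that was never issued
```

When the id travels in a cookie, set the Secure and HttpOnly flags on it; ids passed in GET end up in server logs and Referer headers.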

#11 | falcon | February 23rd, 2000, 11:59 AM
Hi

For anyone interested F.Schaper is the main man. The small snippet of code in his last message worked perfectly. The problem stares you in the face, I don't know why I missed this for so long. The database outputs an error. It then tries to send the headers. This thus causes problems; suppress the PHP errors and the problems go away.

Thanks to F.Schaper and Rod K, I only hope that I can help you out sometime.

Many thanks

Falcon

Thread: Authorisation Challenge (Dev Shed Forums > Programming Languages > PHP Development)