#1
    Hi

    I have been struggling with this problem for quite some time now. If anyone can help I would be extremely grateful.

    Scenario:
    User logs on. The username and password are passed from the PHP_AUTH_* variables to the database.

    Requirement:
    Cancel - the user is redirected to a default page.

    Valid Username/Pass - User goes into page

    Invalid Username/Pass - display error page with go to default page or try to login again.

    I have got the first two parts sorted no problem. It's the third part which I have a problem with. I get the error page displayed but trying to get some new details sent across again when they try to log in I can't figure out.

    The second solution and perhaps the easier is to have the username and password on the page as HTML form elements. The only problem is that I can not assign a value to the PHP_AUTH_* variables that will be available across all pages until that user logs out.

    Is there a special way of assigning values to PHP_AUTH_* variables? I can assign values to them but when the page is refreshed or changed then they lose these values. Can I create a similar sort of variable which I can manipulate in this way?

    Please can anyone devise a solution to either of these problems, I would be so so appreciative.

    Thanks in advance.

    Falcon.

    [This message has been edited by falcon (edited February 16, 2000).]
  2. #2
    Hmm, well then use this, hope it helps ya:

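    if ($PHP_AUTH_USER)
    {
        $this->db_connect();
        // Escape the user-supplied login name before it goes into the query.
        $query = "SELECT * FROM userinformation WHERE login_name='"
               . mysql_real_escape_string($PHP_AUTH_USER) . "'";
        $res = mysql_query($query);
        if ($res && mysql_num_rows($res))
        {
            $row = mysql_fetch_array($res);
            // Plain-text comparison: the stored password is not encrypted here.
            if ($row['login_pwd'] === $PHP_AUTH_PW)
            {
                $this->db_close(); // User provided correct password
                return;
            }
        }
        $this->db_close();
    }
    // No credentials or wrong credentials: ask the browser to prompt (again).
    Header('WWW-Authenticate: Basic realm="Workstation-Login"');
    Header("HTTP/1.0 401 Unauthorized");
    $this->login_abort(); // User pressed cancel
    } // closes the enclosing method, whose header is not shown in the post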

    It is not a solution I would use 'cause the password is not encrypted, but this is only a few lines more to get it and I tried to keep it simple. If u have further questions about this or it does not fit ya needs, drop me a note.

  4. #3
    Thanks for your response F.Schaper. I tried your code but it is not much different from what I have already coded.

    The password protection is not a problem, this will be done across SSL.

    I have included the code so far that I have been working on. I hope that you will be able to help me further.

    <?
    function kickUp() {
        Header("HTTP/1.0 401 Unauthorized");
    }

    function authenticate() {
        global $SID; // the realm value is defined outside this function
        Header("WWW-authenticate: basic realm=\"$SID\"");
        Header("HTTP/1.0 401 Unauthorized");
    }

    function displayCancelation() {
        echo "<html><head><title></title>";
        echo "<meta http-equiv=refresh content=\"0;";
        echo "url=http://www.site.com\">";
        echo "</head><body></body></html>";
    }

    function displayWrongLogin($basename) {
        // The script name comes from the request, so encode it before echoing it into HTML.
        $basename = htmlspecialchars($basename);
        echo "<html><head><title>Login Error</title>";
        echo "<link rel=stylesheet type=\"text/css\"";
        echo " href=\"page_style.css\">";
        echo "</head><body bgcolor=\"#ffffff\">";
        echo "<p align=\"center\">The Username/Password ";
        echo "you entered was incorrect.</p>";
        echo "<p align=\"center\"><a href=\"".$basename;
        echo "\">Login Again</a> | <a href=\"";
        echo "http://www.site.com\">";
        echo "Return to Home Page</a></p>";

        echo "<p><form method=\"post\" action=\"".$basename."\">";
        echo "<input type=\"hidden\" name=\"re_login\" value=\"yes\">";
        echo "<input type=\"submit\" value=\"Login\"></form></p>";

        echo "</body></html>";
    }

    // PROBLEM LIES SOMEWHERE BETWEEN HERE //

    if ($re_login != "yes") {
        if (!isset($PHP_AUTH_USER)) {
            authenticate();
            unset($PHP_AUTH_USER);
            displayCancelation();
            exit;
        } else {
            $error = " ";
            $conn = new DB_Connect($PHP_AUTH_USER, $PHP_AUTH_PW, $error);
            if ($error == ERROR) {
                unset($PHP_AUTH_USER);
                displayWrongLogin(basename($PHP_SELF));
            }
        }
    } elseif ($re_login == "yes") {
        kickUp();
    }

    // AND HERE //

    ?>

    I did have some code that worked the same without all the rubbish but I can not find that now. I have tried to highlight the section that I am trying to get to work.

    Again thanks for any help.

    Falcon

    [This message has been edited by falcon (edited February 21, 2000).]

  6. #4
    Yes .. the problem is that you cannot unset the $PHP_AUTH_USER .) this was my first try too. Trying to set a variable as re_login detector wouldn't help you either 'cause the page is reloaded (and you cannot post variables via POST or GET here) and the variable is lost.
    The problem with your code is that you check for the $PHP_AUTH_USER and if it is NOT set you do your header sending. If the user relogins the $PHP_AUTH_USER always remains until he quits his browser ... Do the following:

    a) Check $PHP_AUTH_USER & PWD against your stored user
    b) If this is false send HEADER() and maybe store in MySQL a hint how many times the user $PHP_AUTH_USER tried to login to do something like a max login .)
    ----
    if user is true get him access

    The snippet of code I sent to you does exactly this and it works fine... guess for you too

    If u have further questions drop me a note
  8. #5
    Hi

    if ($PHP_AUTH_USER) {
        $conn = new DB_Connect($PHP_AUTH_USER, $PHP_AUTH_PW, $error);
        if ($error == ERROR) {
            // ---- Problem Starts ----
            displayWrongLogin(basename($PHP_SELF)); // display wrong login/password
            kickUp(); // unauthorized header
            authenticate(); // display login again
            exit;
            // ---- Problem Ends ----
        }
    } else {
        authenticate(); // authenticate user header
        displayCancelation(); // user pressed cancel
        exit; // stop here
    }

    OK, this isn't the same as the code you gave me but it has been adapted to incorporate the functions available. DB_Connect makes the database connection and assigns a login status to the variable error. It will either return status ERROR or COMPLETE. The function kickUp(); is nothing more than the unauthorized header. The authorization(); sends authenticate and unauthorized.

    Do I need to send unauth then auth and then unauth, or just auth then unauth?

    In your last message you said if the auth fails to send the header. Trouble is, in this code you only send the auth header if php_auth_user is NOT set. If login has failed then php_auth_user is set. As I discovered you can not unset php_auth_user. How then is the dialog box kicked up if the user auth has failed?

    I am sorry if I am starting to sound thick, it's just I have been trying to get this to work for some time now and it would be nice to put it to one side and work on something new.

    I am extremely appreciative of all your help.

    Falcon
  10. #6
    Why use HTTP auth at all? Just use a form login since you have SSL. Much more flexible since YOU control the entire process.
  12. #7
    if ($PHP_AUTH_USER) {
        $conn = new DB_Connect($PHP_AUTH_USER, $PHP_AUTH_PW, $error);
        if ($error == ERROR) {
            // ---- Problem Starts ----
            displayWrongLogin(basename($PHP_SELF)); // display wrong login/password
            //kickUp(); // unauthorized header
            //^^^^^^^^^ Wrong with that, Houston

            authenticate(); // display login again
            //^^^^^^^^^^^^^ _and_ this:
            // after displaying text you cannot send a header *gg*

            exit;
            // ---- Problem Ends ----
        }
    } else {
        authenticate(); // authenticate user header
        displayCancelation(); // user pressed cancel
        exit; // stop here
    }

    I will work out the code for you and send it in the next reply.
  14. #8
    The only problem with this snippet of code is that you are not really able to display a "sorry, you have supplied the wrong login/password" message.

    Have solved this by parsing the $query_message and doing a redirection at the beginning of the page ... though this turns out to become more complicated than u might want this to become; have chosen the simplest way.

    But as u might have followed from the reading, any method of prompting the user for login and password might suit u well enough through SSL.

    <?php

    function send_header()
    {
        global $AUTH_REALM; // the realm name is defined outside this function
        Header('WWW-Authenticate: Basic realm="'.$AUTH_REALM.'"');
        Header("HTTP/1.0 401 Unauthorized");
    }

    $conn = new DB_Connect($PHP_AUTH_USER, $PHP_AUTH_PW, $error);
    if (($error == ERROR) || (!isset($PHP_AUTH_USER)))
    {
        send_header();

        echo "Sorry you pressed cancel and you will have to reload the page\n";
        exit; // stop here so the protected content below is never sent with the 401
    }

    echo "Yeah you are authenticated\n";

    ?>
  16. #9
    F.Schaper:
    Thanks for all your hard work, I didn't think it could be so simple. Unfortunately it complains about the $conn = new DB_Connect. Error message being Headers already sent. I am not sure why it thinks the headers are already sent; DB_Connect uses no headers.

    Rod K:
    I have considered using your suggestion, I even have the code ready. In my first message I was looking for a suggestion for a variable that would be available across all pages. In fact after all the hassle with http auth I would gladly use this method. If you do have a solution to either of these problems I would be extremely grateful.

    Thanks

    Falcon
  18. #10
    Falcon,

    What you need is to set up a session id. The id has to be unique. The best way I know of doing this is to use

    $sessid=md5(uniqid($username));

    You would, of course, do this after the user has successfully logged in. Then you pass $sessid from page to page using a cookie or GET or POST. Cookies can be great if the user has them enabled.

    The other nice thing is that you can set an expiration time and compare the time the user last accessed a page with the current time. If it's past your expiration, they would need to log back in.

    The flow would be something like this:

    1) Log in
    2) Verify username/pass (onfail goto 1)
    3) Assign session id, store to table with current time

    Then on each protected page:

    1) Verify session id valid (onfail goto login)
    2) Verify session not expired (onfail goto login)
    3) Reset time in table to current time
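
The session flow listed in the post above, as an added example that is not part of the original post. It generates the id with `random_bytes()` rather than `md5(uniqid())`, because `uniqid()` is derived from the clock and can be guessed; the table layout, the 15-minute idle limit and the sample user are assumptions.

```php
<?php
// Added example: issue a session id after login, then check it on each page.
// Table layout, idle limit and user name are constructed for this demo.

const IDLE_LIMIT = 900; // seconds of inactivity before a new login is required

function issue_session(PDO $db, string $username, int $now): string
{
    $token = bin2hex(random_bytes(32));     // 256 bits from the OS CSPRNG
    // Only a hash is stored, so a leaked table does not hand out live sessions.
    $db->prepare('INSERT INTO sessions (id_hash, username, last_seen) VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $username, $now]);
    return $token;                          // this value goes to the client
}

function check_session(PDO $db, string $token, int $now): ?string
{
    $idHash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT username, last_seen FROM sessions WHERE id_hash = ?');
    $stmt->execute([$idHash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                        // 1) unknown id: go to login
    }
    if ($now - (int)$row['last_seen'] > IDLE_LIMIT) {
        $db->prepare('DELETE FROM sessions WHERE id_hash = ?')->execute([$idHash]);
        return null;                        // 2) expired: go to login
    }
    $db->prepare('UPDATE sessions SET last_seen = ? WHERE id_hash = ?')
       ->execute([$now, $idHash]);          // 3) reset the idle timer
    return $row['username'];
}

// Constructed demo: in-memory SQLite, one login, three page requests.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE sessions (id_hash TEXT PRIMARY KEY, username TEXT, last_seen INTEGER)');
$t0 = 1000000;
$sessid = issue_session($db, 'falcon', $t0);            // after a verified login
var_dump(check_session($db, $sessid, $t0 + 60));        // request within the limit
var_dump(check_session($db, str_repeat('0', 64), $t0)); // forged id
var_dump(check_session($db, $sessid, $t0 + 60 + 901));  // idle past the limit
```

On the SSL site, deliver the token with `setcookie()` using the `secure` and `httponly` options rather than in the URL, where it would end up in logs and Referer headers.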
  20. #11
    Hi

    For anyone interested, F.Schaper is the main man. The small snippet of code in his last message worked perfectly. The problem stares you in the face, I don't know why I missed this for so long. The database outputs an error. It then tries to send the headers. This thus causes problems; suppress the PHP errors and the problems go away.

    Thanks to F.Schaper and Rod K, I only hope that I can help you out sometime.

    Many thanks

    Falcon
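
The pattern the thread ends up with, as an added example that is not code from any of the posts: decide the whole response before sending a byte, keep PHP errors out of the output so the 401 headers can still go out, look the user up with a bound parameter, and compare against a password hash. The SQLite table, the `login_pwd_hash` column and the sample user are assumptions made for the demo.

```php
<?php
// Added example: Basic-auth gate that builds the response before any output.
ini_set('display_errors', '0'); // errors are logged, never printed ahead of the headers

function basic_auth_gate(PDO $db, array $server): array
{
    $deny = [
        'status'  => 401,
        'headers' => ['WWW-Authenticate: Basic realm="Workstation-Login"'],
        // A browser shows this body when the user cancels the login dialog.
        'body'    => 'Login required. Reload the page to try again.',
    ];
    if (!isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return $deny;                   // first visit: no credentials sent yet
    }
    // The bound parameter keeps the login name out of the SQL text.
    $stmt = $db->prepare('SELECT login_pwd_hash FROM userinformation WHERE login_name = ?');
    $stmt->execute([$server['PHP_AUTH_USER']]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($server['PHP_AUTH_PW'], $hash)) {
        return $deny;                   // wrong login: same 401, the browser prompts again
    }
    return ['status' => 200, 'headers' => [], 'body' => 'Yeah, you are authenticated'];
}

function send_response(array $r): void // call this under a web server
{
    http_response_code($r['status']);   // status and headers first, body last
    foreach ($r['headers'] as $h) {
        header($h);
    }
    echo $r['body'], "\n";
}

// Constructed sample data: in-memory SQLite, one user, password stored hashed.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE userinformation (login_name TEXT PRIMARY KEY, login_pwd_hash TEXT)');
$db->prepare('INSERT INTO userinformation VALUES (?, ?)')
   ->execute(['falcon', password_hash('s3cret-demo', PASSWORD_DEFAULT)]);

// Three simulated requests; on a real page pass $_SERVER instead.
$requests = [[], ['PHP_AUTH_USER' => 'falcon', 'PHP_AUTH_PW' => 'wrong'],
             ['PHP_AUTH_USER' => 'falcon', 'PHP_AUTH_PW' => 's3cret-demo']];
foreach ($requests as $req) {
    $r = basic_auth_gate($db, $req);
    printf("%d %s\n", $r['status'], $r['body']);
}
```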
