Query about WWW-Authenticate: Basic and bad UserID/Password recovery [message #178349] |
Sun, 10 June 2012 20:14 |
Robert Rosenberg
Messages: 6 Registered: May 2012
Karma: 0
|
Junior Member |
|
|
Per the samples I have seen in manuals and on the php,net site I store the
header statements in a if(!isset($_SERVER['PHP_AUTH_USER'])) delineated
section.
I test the supplied UserID and Password to see if they are a valid pair. My
problem is that when they are not (right now I have a hard coded pair to use
in my testing) I issue an error message and have the user try again (by
having the page relaunched via a link). The problem is that the IF sees that
the UserID is already set (to the bad value) and thus will not reissue the
login menu. How do I invalidate the stored value so that the IF will return
TRUE and thus cause the menu to be issued? I tried adding a
$_SERVER['PHP_AUTH_USER'])=""; or a unset($_SERVER['PHP_AUTH_USER']); in my
error routine (with the link) I still do not get the the menu.
Please Help.
Thank you.
|
|
|
Re: Query about WWW-Authenticate: Basic and bad UserID/Password recovery [message #178350 is a reply to message #178349] |
Sun, 10 June 2012 20:52 |
Jerry Stuckle
Messages: 2598 Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 6/10/2012 4:14 PM, Robert Rosenberg wrote:
> Per the samples I have seen in manuals and on the php,net site I store the
> header statements in a if(!isset($_SERVER['PHP_AUTH_USER'])) delineated
> section.
>
> I test the supplied UserID and Password to see if they are a valid pair. My
> problem is that when they are not (right now I have a hard coded pair to use
> in my testing) I issue an error message and have the user try again (by
> having the page relaunched via a link). The problem is that the IF sees that
> the UserID is already set (to the bad value) and thus will not reissue the
> login menu. How do I invalidate the stored value so that the IF will return
> TRUE and thus cause the menu to be issued? I tried adding a
> $_SERVER['PHP_AUTH_USER'])=""; or a unset($_SERVER['PHP_AUTH_USER']); in my
> error routine (with the link) I still do not get the the menu.
>
> Please Help.
>
> Thank you.
>
These values are set by the server. You can change them, but only for
the currently running script.
So, you need another way of doing it. One way is to set a value in the
$_SESSION array to something when the user is logged in, and test it
instead. Once you get a correct userid and password, set this value.
If the value isn't set, display the login page. Once it is set,
continue on.
BTW, I think most PHP programmers don't use the Apache userid/password.
It's OK if you're using Apache authentication, but that's about it.
The rest just put up a page with userid and password and handle it from
there. It takes Apache out of the equation and gives you full control
(i.e. you can put a "forgot password" link on the page, or a "register"
link if they haven't registered yet).
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
Re: Query about WWW-Authenticate: Basic and bad UserID/Password recovery [message #178351 is a reply to message #178349] |
Sun, 10 June 2012 20:54 |
Richard Damon
Messages: 58 Registered: August 2011
Karma: 0
|
Member |
|
|
On 6/10/12 4:14 PM, Robert Rosenberg wrote:
> Per the samples I have seen in manuals and on the php,net site I store the
> header statements in a if(!isset($_SERVER['PHP_AUTH_USER'])) delineated
> section.
>
> I test the supplied UserID and Password to see if they are a valid pair. My
> problem is that when they are not (right now I have a hard coded pair to use
> in my testing) I issue an error message and have the user try again (by
> having the page relaunched via a link). The problem is that the IF sees that
> the UserID is already set (to the bad value) and thus will not reissue the
> login menu. How do I invalidate the stored value so that the IF will return
> TRUE and thus cause the menu to be issued? I tried adding a
> $_SERVER['PHP_AUTH_USER'])=""; or a unset($_SERVER['PHP_AUTH_USER']); in my
> error routine (with the link) I still do not get the the menu.
>
> Please Help.
>
> Thank you.
>
The issue is you need to tell the browser that the log in information is
incorrect, which you can do by sending a header with a 401 Not
Authorized error code. This should trigger the browser to pop up the
login box. You are probably doing this for no UserId, you also need to
do it for a wrong user ID.
|
|
|
Re: Query about WWW-Authenticate: Basic and bad UserID/Password recovery [message #178352 is a reply to message #178350] |
Sun, 10 June 2012 22:17 |
Robert Rosenberg
Messages: 6 Registered: May 2012
Karma: 0
|
Junior Member |
|
|
On 06/10/2012 16:52, in article jr31fc$htu$1(at)dont-email(dot)me, "Jerry Stuckle"
<jstucklex(at)attglobal(dot)net> wrote:
> On 6/10/2012 4:14 PM, Robert Rosenberg wrote:
>> Per the samples I have seen in manuals and on the php,net site I store the
>> header statements in a if(!isset($_SERVER['PHP_AUTH_USER'])) delineated
>> section.
>>
>> I test the supplied UserID and Password to see if they are a valid pair. My
>> problem is that when they are not (right now I have a hard coded pair to use
>> in my testing) I issue an error message and have the user try again (by
>> having the page relaunched via a link). The problem is that the IF sees that
>> the UserID is already set (to the bad value) and thus will not reissue the
>> login menu. How do I invalidate the stored value so that the IF will return
>> TRUE and thus cause the menu to be issued? I tried adding a
>> $_SERVER['PHP_AUTH_USER'])=""; or a unset($_SERVER['PHP_AUTH_USER']); in my
>> error routine (with the link) I still do not get the the menu.
>>
>> Please Help.
>>
>> Thank you.
>>
>
> These values are set by the server. You can change them, but only for
> the currently running script.
>
> So, you need another way of doing it. One way is to set a value in the
> $_SESSION array to something when the user is logged in, and test it
> instead. Once you get a correct userid and password, set this value.
> If the value isn't set, display the login page. Once it is set,
> continue on.
Thanks for your reply.
My code is:
if(!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="realm"');
header('HTTP/1.0 401 Unauthorized');
echo '<p>Please <a href="login7.php">Log In</a> and enter correct
UserID and Password.</p>';
exit;
}
I had already tried what you suggested by adding a
$_SERVER["bad-pair"]="TRUE; to the routine that issued the error message and
provided the return link as well as adding a || $_SERVER["bad-pair"] to the
if but it did not help. I guess I can also just pass a ?parm on my return
link and do a similar test ($_GET['parm']==value).
>
> BTW, I think most PHP programmers don't use the Apache userid/password.
> It's OK if you're using Apache authentication, but that's about it.
> The rest just put up a page with userid and password and handle it from
> there. It takes Apache out of the equation and gives you full control
> (i.e. you can put a "forgot password" link on the page, or a "register"
> link if they haven't registered yet).
I do plan to eventually use a custom login page but I am using this to get
my code worked out for testing. If I can not get it going, I guess I will
need to go the custom page route.
|
|
|
Re: Query about WWW-Authenticate: Basic and bad UserID/Password recovery [message #178353 is a reply to message #178351] |
Sun, 10 June 2012 22:25 |
Robert Rosenberg
Messages: 6 Registered: May 2012
Karma: 0
|
Junior Member |
|
|
On 06/10/2012 16:54, in article jr31hi$igf$1(at)dont-email(dot)me, "Richard Damon"
<news(dot)x(dot)richarddamon(at)xoxy(dot)net> wrote:
> On 6/10/12 4:14 PM, Robert Rosenberg wrote:
>> Per the samples I have seen in manuals and on the php,net site I store the
>> header statements in a if(!isset($_SERVER['PHP_AUTH_USER'])) delineated
>> section.
>>
>> I test the supplied UserID and Password to see if they are a valid pair. My
>> problem is that when they are not (right now I have a hard coded pair to use
>> in my testing) I issue an error message and have the user try again (by
>> having the page relaunched via a link). The problem is that the IF sees that
>> the UserID is already set (to the bad value) and thus will not reissue the
>> login menu. How do I invalidate the stored value so that the IF will return
>> TRUE and thus cause the menu to be issued? I tried adding a
>> $_SERVER['PHP_AUTH_USER'])=""; or a unset($_SERVER['PHP_AUTH_USER']); in my
>> error routine (with the link) I still do not get the the menu.
>>
>> Please Help.
>>
>> Thank you.
>>
>
> The issue is you need to tell the browser that the log in information is
> incorrect, which you can do by sending a header with a 401 Not
> Authorized error code. This should trigger the browser to pop up the
> login box. You are probably doing this for no UserId, you also need to
> do it for a wrong user ID.
Thanks for your reply.
My code is:
if(!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="realm"');
header('HTTP/1.0 401 Unauthorized');
echo '<p>Please <a href="login7.php">Log In</a> and enter correct
UserID and Password.</p>';
exit;
} else {
If (check for not good pair) {
echo an error message and supply a retry link
} else {
Good Pair routine
} // end of pair check
} // end of menu code
Thus the 401 I there but will not be sent due to the IF !isset. Are you
saying that I need to just send the header from my bad pair routine? I can
not see anyway to delay the header so I can display a BAD PAIR error message
and only have them attempt again after using a link back to the PHP page.
Issuing the header without an error message just causes the menu to
immediately get displayed without any warning of the bad input (ie: You
reply get the box back).
While I plan to replace this test with a real custom login page before going
live, I am using this as a short cut while I work on other areas of my code
(as well as learning how to use this function).
|
|
|
Re: Query about WWW-Authenticate: Basic and bad UserID/Password recovery [message #178354 is a reply to message #178353] |
Sun, 10 June 2012 23:40 |
Richard Damon
Messages: 58 Registered: August 2011
Karma: 0
|
Member |
|
|
On 6/10/12 6:25 PM, Robert Rosenberg wrote:
>
> Thanks for your reply.
>
> My code is:
>
> if(!isset($_SERVER['PHP_AUTH_USER'])) {
> header('WWW-Authenticate: Basic realm="realm"');
> header('HTTP/1.0 401 Unauthorized');
> echo '<p>Please <a href="login7.php">Log In</a> and enter correct
> UserID and Password.</p>';
> exit;
> } else {
>
> If (check for not good pair) {
> echo an error message and supply a retry link
> } else {
> Good Pair routine
> } // end of pair check
>
> } // end of menu code
>
>
> Thus the 401 I there but will not be sent due to the IF !isset. Are you
> saying that I need to just send the header from my bad pair routine? I can
> not see anyway to delay the header so I can display a BAD PAIR error message
> and only have them attempt again after using a link back to the PHP page.
> Issuing the header without an error message just causes the menu to
> immediately get displayed without any warning of the bad input (ie: You
> reply get the box back).
>
> While I plan to replace this test with a real custom login page before going
> live, I am using this as a short cut while I work on other areas of my code
> (as well as learning how to use this function).
>
If your page returns a successful page code (which it will if you don't
use a header to send the error code, then the browser will not ask the
user for a new username/password combination.
You can also send an error page, and if the user cancels the
authorization, they will see that error page.
One thing you could do is for the login page, issue the 401, and for
other pages the error page with the link to the login page.
|
|
|
Re: Query about WWW-Authenticate: Basic and bad UserID/Password recovery [message #178355 is a reply to message #178352] |
Sun, 10 June 2012 23:49 |
Scott Johnson
Messages: 196 Registered: January 2012
Karma: 0
|
Senior Member |
|
|
On 6/10/2012 3:17 PM, Robert Rosenberg wrote:
> On 06/10/2012 16:52, in article jr31fc$htu$1(at)dont-email(dot)me, "Jerry Stuckle"
> <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 6/10/2012 4:14 PM, Robert Rosenberg wrote:
>>> Per the samples I have seen in manuals and on the php,net site I store the
>>> header statements in a if(!isset($_SERVER['PHP_AUTH_USER'])) delineated
>>> section.
>>>
>>> I test the supplied UserID and Password to see if they are a valid pair. My
>>> problem is that when they are not (right now I have a hard coded pair to use
>>> in my testing) I issue an error message and have the user try again (by
>>> having the page relaunched via a link). The problem is that the IF sees that
>>> the UserID is already set (to the bad value) and thus will not reissue the
>>> login menu. How do I invalidate the stored value so that the IF will return
>>> TRUE and thus cause the menu to be issued? I tried adding a
>>> $_SERVER['PHP_AUTH_USER'])=""; or a unset($_SERVER['PHP_AUTH_USER']); in my
>>> error routine (with the link) I still do not get the the menu.
>>>
>>> Please Help.
>>>
>>> Thank you.
>>>
>>
>> These values are set by the server. You can change them, but only for
>> the currently running script.
>>
>> So, you need another way of doing it. One way is to set a value in the
>> $_SESSION array to something when the user is logged in, and test it
>> instead. Once you get a correct userid and password, set this value.
>> If the value isn't set, display the login page. Once it is set,
>> continue on.
>
> Thanks for your reply.
>
> My code is:
>
> if(!isset($_SERVER['PHP_AUTH_USER'])) {
> header('WWW-Authenticate: Basic realm="realm"');
> header('HTTP/1.0 401 Unauthorized');
> echo '<p>Please<a href="login7.php">Log In</a> and enter correct
> UserID and Password.</p>';
> exit;
> }
>
> I had already tried what you suggested by adding a
> $_SERVER["bad-pair"]="TRUE; to the routine that issued the error message and
> provided the return link as well as adding a || $_SERVER["bad-pair"] to the
> if but it did not help. I guess I can also just pass a ?parm on my return
> link and do a similar test ($_GET['parm']==value).
>
>>
>> BTW, I think most PHP programmers don't use the Apache userid/password.
>> It's OK if you're using Apache authentication, but that's about it.
>> The rest just put up a page with userid and password and handle it from
>> there. It takes Apache out of the equation and gives you full control
>> (i.e. you can put a "forgot password" link on the page, or a "register"
>> link if they haven't registered yet).
>
> I do plan to eventually use a custom login page but I am using this to get
> my code worked out for testing. If I can not get it going, I guess I will
> need to go the custom page route.
>
>
Hello Robert
Just my .02
You may want to decide which way you want to go on the user
authentication now because at times your script may rely on that data
and how its implemented, such as permissions and as Jerry mentioned user
registration.
Many time all the user registration data is loaded upon sign in and
carries thru the site for many other uses.
It is tempting to put off unfamiliar areas but may cause several hours
of recoding down the road.
Scotty
|
|
|
Re: Query about WWW-Authenticate: Basic and bad UserID/Password recovery [message #178356 is a reply to message #178352] |
Mon, 11 June 2012 00:41 |
Jerry Stuckle
Messages: 2598 Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 6/10/2012 6:17 PM, Robert Rosenberg wrote:
> On 06/10/2012 16:52, in article jr31fc$htu$1(at)dont-email(dot)me, "Jerry Stuckle"
> <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 6/10/2012 4:14 PM, Robert Rosenberg wrote:
>>> Per the samples I have seen in manuals and on the php,net site I store the
>>> header statements in a if(!isset($_SERVER['PHP_AUTH_USER'])) delineated
>>> section.
>>>
>>> I test the supplied UserID and Password to see if they are a valid pair. My
>>> problem is that when they are not (right now I have a hard coded pair to use
>>> in my testing) I issue an error message and have the user try again (by
>>> having the page relaunched via a link). The problem is that the IF sees that
>>> the UserID is already set (to the bad value) and thus will not reissue the
>>> login menu. How do I invalidate the stored value so that the IF will return
>>> TRUE and thus cause the menu to be issued? I tried adding a
>>> $_SERVER['PHP_AUTH_USER'])=""; or a unset($_SERVER['PHP_AUTH_USER']); in my
>>> error routine (with the link) I still do not get the the menu.
>>>
>>> Please Help.
>>>
>>> Thank you.
>>>
>>
>> These values are set by the server. You can change them, but only for
>> the currently running script.
>>
>> So, you need another way of doing it. One way is to set a value in the
>> $_SESSION array to something when the user is logged in, and test it
>> instead. Once you get a correct userid and password, set this value.
>> If the value isn't set, display the login page. Once it is set,
>> continue on.
>
> Thanks for your reply.
>
> My code is:
>
> if(!isset($_SERVER['PHP_AUTH_USER'])) {
> header('WWW-Authenticate: Basic realm="realm"');
> header('HTTP/1.0 401 Unauthorized');
> echo '<p>Please<a href="login7.php">Log In</a> and enter correct
> UserID and Password.</p>';
> exit;
> }
>
> I had already tried what you suggested by adding a
> $_SERVER["bad-pair"]="TRUE; to the routine that issued the error message and
> provided the return link as well as adding a || $_SERVER["bad-pair"] to the
> if but it did not help. I guess I can also just pass a ?parm on my return
> link and do a similar test ($_GET['parm']==value).
>
>>
>> BTW, I think most PHP programmers don't use the Apache userid/password.
>> It's OK if you're using Apache authentication, but that's about it.
>> The rest just put up a page with userid and password and handle it from
>> there. It takes Apache out of the equation and gives you full control
>> (i.e. you can put a "forgot password" link on the page, or a "register"
>> link if they haven't registered yet).
>
> I do plan to eventually use a custom login page but I am using this to get
> my code worked out for testing. If I can not get it going, I guess I will
> need to go the custom page route.
>
>
No, I said $_SESSION, not $_SERVER. You cannot set values in the
$_SERVER array and have them continue across requests. This array is
set by the server fresh every time a PHP script is initiated, and
destroyed at the end of the script.
And if you're going to get a custom login, the time to do it is now -
not later, when you have to change a lot of code.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
Re: Query about WWW-Authenticate: Basic and bad UserID/Password recovery [message #178357 is a reply to message #178353] |
Mon, 11 June 2012 07:36 |
M. Strobel
Messages: 386 Registered: December 2011
Karma: 0
|
Senior Member |
|
|
Am 11.06.2012 00:25, schrieb Robert Rosenberg:
> On 06/10/2012 16:54, in article jr31hi$igf$1(at)dont-email(dot)me, "Richard Damon"
> <news(dot)x(dot)richarddamon(at)xoxy(dot)net> wrote:
>
>> On 6/10/12 4:14 PM, Robert Rosenberg wrote:
>>> Per the samples I have seen in manuals and on the php,net site I store the
>>> header statements in a if(!isset($_SERVER['PHP_AUTH_USER'])) delineated
>>> section.
>>>
>>> I test the supplied UserID and Password to see if they are a valid pair. My
>>> problem is that when they are not (right now I have a hard coded pair to use
>>> in my testing) I issue an error message and have the user try again (by
>>> having the page relaunched via a link). The problem is that the IF sees that
>>> the UserID is already set (to the bad value) and thus will not reissue the
>>> login menu. How do I invalidate the stored value so that the IF will return
>>> TRUE and thus cause the menu to be issued? I tried adding a
>>> $_SERVER['PHP_AUTH_USER'])=""; or a unset($_SERVER['PHP_AUTH_USER']); in my
>>> error routine (with the link) I still do not get the the menu.
>>>
>>> Please Help.
>>>
>>> Thank you.
>>>
>>
>> The issue is you need to tell the browser that the log in information is
>> incorrect, which you can do by sending a header with a 401 Not
>> Authorized error code. This should trigger the browser to pop up the
>> login box. You are probably doing this for no UserId, you also need to
>> do it for a wrong user ID.
>
> Thanks for your reply.
>
> My code is:
>
> if(!isset($_SERVER['PHP_AUTH_USER'])) {
> header('WWW-Authenticate: Basic realm="realm"');
> header('HTTP/1.0 401 Unauthorized');
> echo '<p>Please <a href="login7.php">Log In</a> and enter correct
> UserID and Password.</p>';
> exit;
> } else {
>
> If (check for not good pair) {
> echo an error message and supply a retry link
> } else {
> Good Pair routine
> } // end of pair check
>
> } // end of menu code
>
>
> Thus the 401 I there but will not be sent due to the IF !isset. Are you
> saying that I need to just send the header from my bad pair routine? I can
> not see anyway to delay the header so I can display a BAD PAIR error message
> and only have them attempt again after using a link back to the PHP page.
> Issuing the header without an error message just causes the menu to
> immediately get displayed without any warning of the bad input (ie: You
> reply get the box back).
>
> While I plan to replace this test with a real custom login page before going
> live, I am using this as a short cut while I work on other areas of my code
> (as well as learning how to use this function).
>
You probably did not understand what JS said to authentication.
Typically you would use web server authentication
(http://httpd.apache.org/docs/2.0/howto/auth.html) without coding in PHP.
You can have code for it in PHP, but you would not, because basic authentication is
sort of ... basic, or ridiculous, because user name and password are sent for every
request.
This is a typical test setup: basic authentication, the web server handles it, and
your code does not care. Then you implement your own login functions in PHP, key to
understanding it are the session features (http://de.php.net/manual/en/ref.session.php).
When your site goes public, you remove the web server authentication.
/Str.
|
|
|