Allow retry on HTTP authentication?

kenquad
Forum Newbie
Posts: 2
Joined: Tue Oct 06, 2009 12:46 pm

Allow retry on HTTP authentication?

Post by kenquad »

Hi all:

I have a single web page that needs to be password protected. I have implemented HTTP authentication with the following code:

Code:

<?php
# include required database files
include('db_login.php');
require_once('DB.php');

if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW'])) {
    header('WWW-Authenticate: Basic realm="Member Area"');
    header("HTTP/1.0 401 Unauthorized");
    echo "You must enter a username and password combination!";
    exit;
}

$web_username = $_SERVER['PHP_AUTH_USER'];
$web_password = $_SERVER['PHP_AUTH_PW'];
$connection = DB::connect("mysql://$db_username:$db_password@$db_host/$db_database");
if (DB::isError($connection)) {
    die("Could not connect to database. Please try again later.");
}
# use ? placeholders so the submitted values are never spliced into the SQL text
$user_query = "SELECT `id`, `username` FROM `ppp_users` WHERE `username` = ? AND `password` = ? LIMIT 1";
$user_result = $connection->query($user_query, array($web_username, $web_password));
# check the query result itself for an error
if (DB::isError($user_result)) {
    die($user_result->getMessage());
}
if (!$row = $user_result->fetchRow(DB_FETCHMODE_ASSOC)) {
    header('WWW-Authenticate: Basic realm="Member Area"');
    header("HTTP/1.0 401 Unauthorized");
    echo "Your username and password combination was incorrect.  Please try again.";
    exit;
}
?>
 
This works, as far as accepting valid users and rejecting invalid ones. The problem is, when a wrong username or password is entered, the error message comes up, stays up, the login form is not re-displayed, and in fact there is no way to retry except to close and reopen the browser. This is likely to make several users mad.

Does anybody know what I could add to this script to cause it to automatically re-prompt for user and password after a bad entry, or at least provide a retry link? I would rather stay with HTTP authentication because it seems much simpler than session-based authentication, but I really don't know much about either. Thanks!
chopsmith
Forum Commoner
Posts: 56
Joined: Thu Nov 13, 2008 10:40 am
Location: Red Bank, NJ, USA

Re: Allow retry on HTTP authentication?

Post by chopsmith »

Have you tried the below?

Code:

header("Location:  login.php"); //assuming your login form is at login.php

kenquad
Forum Newbie
Posts: 2
Joined: Tue Oct 06, 2009 12:46 pm

Re: Allow retry on HTTP authentication?

Post by kenquad »

Thanks, I had not tried that. However, in the meantime I came up with something much simpler, eliminating the database connection (I only need 1 set of login credentials) and achieving the loop desired:

Code:

<?php
# Specify username and password for authentication
$user = 'user';
$pass = 'password';

# Define a function to generate a 401 and prompt for login
function prompt() {
    header('WWW-Authenticate: Basic realm="Restricted Data"');
    header("HTTP/1.0 401 Unauthorized");
    exit;
}

# If the user is not already logged in, call the prompt function
if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    prompt();
}
# Check to see if the username and password are correct
# (hash_equals() compares in constant time and without type juggling; PHP 5.6+)
else if (hash_equals($user, $_SERVER['PHP_AUTH_USER']) && hash_equals($pass, $_SERVER['PHP_AUTH_PW'])) {
    # If they are, don't do anything, just load the page
}
# If credentials are not correct, call the prompt() function again
else {
    prompt();
}
?>
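
The re-prompt loop from the last post, as an added example that is not part of the thread: the same single-account Basic gate, but checking the password against a stored hash instead of a plaintext string. The names AUTH_USER, AUTH_HASH and the helper functions are hypothetical, the hash value is a placeholder to be replaced, PHP 7+ is assumed, and the Authorization-header fallback only helps if the web server passes that header to PHP.

```php
<?php
// Added example, not code from the thread.
// Assumption: the hash is generated once, offline, with
//   php -r 'echo password_hash("your-password", PASSWORD_DEFAULT), "\n";'
const AUTH_USER = 'member';                            // hypothetical username
const AUTH_HASH = 'REPLACE_WITH_PASSWORD_HASH_OUTPUT'; // placeholder, not a real hash

// Parse "Basic base64(user:pass)" into [user, pass]; null if malformed.
function parse_basic_header($header) {
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/i', trim((string) $header), $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2); // the password may itself contain ':'
}

// Prefer PHP_AUTH_*; fall back to the raw header where PHP did not fill them in.
function request_credentials(array $server) {
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    $raw = $server['HTTP_AUTHORIZATION'] ?? ($server['REDIRECT_HTTP_AUTHORIZATION'] ?? '');
    return parse_basic_header($raw);
}

function credentials_valid($creds) {
    if ($creds === null) {
        return false;
    }
    $user_ok = hash_equals(AUTH_USER, $creds[0]);     // constant-time compare
    $pass_ok = password_verify($creds[1], AUTH_HASH); // run even if the user is wrong
    return $user_ok && $pass_ok;
}

// Missing or wrong credentials get a fresh 401 challenge, so the browser asks again.
if (!credentials_valid(request_credentials($_SERVER))) {
    header('WWW-Authenticate: Basic realm="Restricted Data"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authentication required.';
    exit;
}
// Authenticated: the protected page continues below.
```

Basic credentials are only base64-encoded on the wire, so the page should be served over HTTPS.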
 