
Redirect after cancelled or invalid user authentication?

Posted: Fri Apr 02, 2004 6:37 am
by a_marko
Hi,

I would like to protect a few pages of a site and I am using the code snippet that is available from about a million sites for user authentication.

Code:

<?php 
 // Challenge when no credentials were sent, or when the password is wrong.
 if (!isset($_SERVER['PHP_AUTH_USER']) or !isset($_SERVER['PHP_AUTH_PW']) or ($_SERVER['PHP_AUTH_PW'] != "test")) { 
   header('WWW-Authenticate: Basic realm="My Realm"'); 
   header('HTTP/1.0 401 Unauthorized'); 
   // Only shown if the user cancels the browser's login box.
   echo "Invalid password";
   exit; 
 }
?>
This displays the authentication popup, and I can either cancel or enter the password max. 3 times. If not successful the echo is printed on an otherwise blank page.

But in case of failed login I'd like to redirect the user back to home page or the page where they clicked the link that evoked user authentication. If I replace the echo with header, the user authentication will never be popped.

If I remove the password checking from the if clause and add the following...

Code:

if ($_SERVER['PHP_AUTH_PW'] != "test") 
  { 
   header('location: http://www.myhome.com'); 
   exit;
  }
... I'll get some strange behaviour. If I insert correct password, it works. If I cancel, I get the echo which is also OK. If I give incorrect credentials (once!), I get redirected to the home page BUT if I then click the link again, I get the protected pages immediately. I wonder why?

So I'm not getting any error messages, it's just that I don't understand the logic or code flow of PHP.

As an additional question, is there some way of inserting a message like 'Username/password was incorrect.' to the authentication popup in case invalid credentials are entered? That isn't really critical, as it should be self-evident that the credentials were invalid when the authentication window pops for the second and third times, but it would at least offer a more 'explanatory UI'.

Thanks,
Marko

Posted: Fri Apr 02, 2004 7:01 am
by mudkicker

Code:

<?php 
if (!isset($_SERVER['PHP_AUTH_USER']) or !isset($_SERVER['PHP_AUTH_PW']) or ($_SERVER['PHP_AUTH_PW'] != "test")) { 
   header('location: http://www.myhome.com');
   echo "Invalid password"; 
   exit; 
}
try this? what does it return?

Posted: Fri Apr 02, 2004 7:13 am
by twigletmac
You can also adjust the 401 error page (these can be customised just as 404 error pages can).

Mac

Re: Redirect after cancelled or invalid user authentication?

Posted: Fri Apr 02, 2004 10:00 am
by pickle

Code:

<?php 
 if (!isset($_SERVER['PHP_AUTH_USER']) or !isset($_SERVER['PHP_AUTH_PW'])) { 
   header('WWW-Authenticate: Basic realm="My Realm"'); 
   header('HTTP/1.0 401 Unauthorized'); 
   echo "Invalid password";
   exit; 
 }
 else
 {
    // somehow validate the username and password
    // (placeholder: the thread's test password; replace with a real lookup)
    $valid_credentials = ($_SERVER['PHP_AUTH_PW'] == "test");
    if($valid_credentials)
    {
        // goto one page: fall through and serve the protected content here
    }
    else
    {
        // bad credentials, go to the other page
        header('Location: http://www.myhome.com');
        exit;
    }
 }
?>
a_marko wrote: As an additional question, is there some way of inserting a message like 'Username/password was incorrect.' to the authentication popup in case invalid credentials are entered?
The line you want to change is:

Code:

header('WWW-Authenticate: Basic realm="My Realm"');
As you probably know, "My Realm" is what pops up in the box, so just change that as you want. I would think you'd have to do some username/password authentication before the box even pops up.


(If you know how to do it though, ~twigletmac's solution sounds easiest)
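A worked version of the approach pickle sketches, combined with twigletmac's point about the 401 page. This is an added example, not code from the thread: it assumes PHP 7.1 or later, a single constructed demo account, and placeholder values for the realm and home URL. The security-relevant detail is that the script answers every missing or wrong credential with a 401 plus WWW-Authenticate, which is what makes the browser prompt again; browsers remember Basic credentials for a realm and keep resending them, so a redirect on failure leaves bad credentials in play instead of forcing a new prompt. The 401 body is what the user sees after cancelling, so that is where a "back to the home page" link belongs, and because that body is served at the protected URL its links should be absolute paths.

```php
<?php
// Added example (not from the thread): HTTP Basic auth that re-challenges on
// every failed attempt and gives the "cancelled" case a usable 401 body.
// Assumptions: PHP 7.1+, one demo account, placeholder realm and home URL.

const REALM    = 'My Realm';   // placeholder realm name
const HOME_URL = '/';          // absolute path: the 401 body is served at the protected URL

// Constructed demo credential. Store a hash, never the clear-text password.
$users = [
    'marko' => password_hash('test', PASSWORD_DEFAULT),
];

function credentials_valid(array $users, ?string $user, ?string $pass): bool
{
    if ($user === null || $pass === null || !isset($users[$user])) {
        // Run a verify anyway so an unknown user costs about as much as a wrong password.
        password_verify((string) $pass, password_hash('dummy', PASSWORD_DEFAULT));
        return false;
    }
    return password_verify($pass, $users[$user]);
}

function challenge(string $realm, string $home): void
{
    // A 401 with WWW-Authenticate on *every* failure is what makes the browser
    // prompt again; a 302 here would leave the wrong credentials cached.
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    http_response_code(401);
    // This body is only rendered when the user cancels the login box.
    echo '<p>Login failed or cancelled. <a href="'
        . htmlspecialchars($home, ENT_QUOTES) . '">Back to the home page</a></p>';
    exit;
}

$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW']   ?? null;

if (!credentials_valid($users, $user, $pass)) {
    challenge(REALM, HOME_URL);
}

// Authenticated from here on: serve the protected content.
echo 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES);
```

Drop this at the top of each protected script (or include it). The browser's three-attempt limit is the browser's own behaviour; the server simply keeps answering 401 until the credentials verify, and `password_verify` does a constant-time comparison so the check does not leak how close a guess was.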

Re: Redirect after cancelled or invalid user authentication?

Posted: Mon Apr 05, 2004 3:26 am
by a_marko
Hi Pickle and Twigletmac,

I tried both of your suggestions but to no avail.

If I use pickle's code exactly, the user is prompted for the id/pw only once (!), and after failing, I guess PHP_USER_AUTH and PHP_USER_PW are set and the user is bounced immediately back to the index page and never gets a chance to authenticate again. I also tried to unset the PHP_USER_AUTH and PHP_USER_PW variables in case of invalid password, but that again had no effect.

If I add a test (if $_SERVER['PHP_USER_PW'] != "test") to the if clause, then the user can attempt the authentication three times, BUT after that it just prints Invalid password and the URL defined in the latter if-then-else is actually never evaluated.

And as for customizing the 401... I have ErrorDocument 401 /index.htm in my .htaccess but it makes no difference either. I can enter whatever gibberish as the URL, and still absolutely nothing happens. If, on the other hand, I enter some gibberish on a separate line before the ErrorDocument line, I get an error from Apache, so I am confident that the .htaccess file isn't ignored totally.

I've just finished a ~6000 line VB project in about two months, and now I'm totally unable to write a 10 line snippet to offer it to registered users via the net. It sucks or something.

- Marko

Posted: Mon Apr 05, 2004 4:40 am
by a_marko
Hi,

I experimented with .htaccess, but surprisingly I'm not getting very usable results.

I have the following .htaccess:

ErrorDocument 401 /index.htm

AuthUserFile e:\minixampp\.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic

require valid-user

I've placed this into a newly created directory called download and placed a download.htm there. So when I try to access this page, I get the login page. In case of bad credentials or cancel, the server won't go to the home page, but instead starts loading index.htm but within the download directory, replacing all xxx.htm links with download/xxx.htm, popping the login screen numerous times etc. nice smurf. If I configure anything else as the 401 error page (e.g. ./index.htm, http://www.mysite.com or even an external link like http://www.hp.com) I get either the link printed on a blank screen, a 404 error or just nothing.

I am astonished by this as I am not trying to invent _anything_ myself, just use snippets and tips from the abundant amount of web pages discussing authentication.

- Marko