HTTP authentication help

Post by pthomas »

allo,

I've been stuck on trying to get the HTTP authentication to work just right and have been on this for two days now. I've got the code up and running. It basically connects up to a mysql database to authenticate the users. What is working is that when a user first hits the webpage, they get a login box. If they login the first time successfully, they can access the page. However, if they don't login correctly the first time, they are not given the option to retry. Refreshing the webpage does not let them login again.

I was trying to code it so that they could have 3 tries before getting the "error: bad username and password combination" message. But right now they either enter in their UN & PWD on the first try correctly, or they have to close and re-open their browser.

Any help is appreciated!

Thanks,
Paul

Code:

<?php
/*
################
###	Note
################
   You must connect to the database before calling the authentication_test function!
   Its member functions require being connected to the database to get and compare
   username and passwords 
*/

/*Kicks off the testing to make sure that only an authenticated user gets in. The
  way this is currently setup the user gets 3 tries before they are forced to go
  to the error page.*/
function authentication_test()
{
	$valid_user = false;					//Always assume user is invalid
	$counter = 0;
		
	while ( (! $valid_user) && ($counter <= 3) )
	{
		//Get user name and password if entered (null when the header was not sent)
		$user_name = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
		$password = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;
		if ( (! isset($user_name)) || (! isset($password)) )//if either are blank
		{
			send_401_prompt();			//Send error to browser
		}
		else
		{
			if (is_valid($user_name, $password))	//Credentials checkout ok?
			{
				$valid_user = true;
			}
			else					//Bad credentials, send error
			{
				send_401_prompt();		
			}
		}
		$counter++;
	}
}
/*This sends the "Error 401 bad authentication" type error to the browser. The
  browser is responsible for either giving the user another chance to enter in
  a user_name & password or letting them hit cancel and stop trying. If they enter
  in another username and password, then it will retry their credentials.*/
function send_401_prompt()
{	//Send challenge response -> Dialog box for user_name and password
	header('WWW-Authenticate: Basic realm="Review Submissions"');
	header("HTTP/1.1 401 Unauthorized");
	
	//If the user hits the cancel button....
	//Setup the response displayed if user cancels the challenge
	echo "<h2>Access Denied!</h2>\n";
	echo "Bad user name and password combination.\n";
	exit;						//Stop running code
}
/*This takes the user_name and password and looks for a match in the mySQL database.
  If a match is found, true is returned, otherwise return false.*/
function is_valid( &$user_name, &$password)
{
	//So grab timmy's password....
	//The user name comes straight from the Authorization header, so escape it
	//before it goes into the query string (prevents SQL injection)
	$safe_user = mysql_real_escape_string($user_name);
	$result = mysql_query("SELECT Pwd FROM users WHERE Username = '$safe_user'");
	if ($result === false)				//Query failed, treat as invalid
		return false;
	
	$row = mysql_fetch_array($result, MYSQL_NUM);	//Grab password out of result set
	if ($row === false)				//No such user
		return false;
	//Get rid of any whitespace and put password into md5 format
	//(unsalted MD5 is a weak password hash; password_hash()/password_verify() replace it)
	$password = md5(trim($password));
		//<debug>
	//echo "UN: $user_name<br />\n";
	//echo "PWD: $password<br />\n";	
		//</debug>
	if ($row[0] == $password)			//Do the passwords match?
		return true;
	else
		return false;
}

?>

Post by AGISB »

This might be a browser problem. Some might not do it right.

Check the tutorial section. I have written a small tutorial on authentication. You might find some parts useful.

Post by feyd »

the way your code is laid out here, would do the auth request as long as they gave invalid credentials.. so I don't see anything that'd make it stop working after the first go.. I would imagine you are using a session to do that, which is not in the posted code.

Post by pthomas »

Ok, I tried it again today and it seems to work like it should. I must have not saved after I made changes or something.

Ummm... what do you mean by using a session?

Paul

Post by feyd »

I was guessing that the posted code wasn't/isn't all of the code involved, and that you were using a session to count the number of repeats, as trying to count inside the script doesn't work because the script is terminated after you call the header output stuff, thus resetting the counter on their next try.

Post by pthomas »

Nope, I have no idea how to use sessions like what you mention, although that sounds like the way I should go. I agree that the count var inside my script doesn't do squat, but at least I now know why!

I'm going to read up on "session handlers". Thanks for all the help!
Paul
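
The behaviour feyd describes in the thread, as an added example that is not part of any post: every 401 ends the request, so the failure count is kept in `$_SESSION` and read back on the browser's next attempt. `check_credentials()`, the `auth_failures` session key and the demo account are assumptions standing in for the thread's `is_valid()` and its database.

```php
<?php
// Added example, not code from the thread. check_credentials() and the
// 'auth_failures' session key are hypothetical names.
const MAX_ATTEMPTS = 3;

function check_credentials(string $user, string $pass): bool
{
    // Constructed demo account, hashed at runtime only to keep this self-contained;
    // a real lookup reads a stored password_hash() value via a prepared statement.
    $accounts = ['timmy' => password_hash('constructed-demo-password', PASSWORD_DEFAULT)];
    return isset($accounts[$user]) && password_verify($pass, $accounts[$user]);
}

function deny(int $status, string $message, bool $challenge): void
{
    http_response_code($status);
    if ($challenge) {   // only a 401 with this header makes the browser re-prompt
        header('WWW-Authenticate: Basic realm="Review Submissions"');
    }
    echo $message;
    exit;               // the request ends here; only $_SESSION survives
}

function authentication_test(): string
{
    session_start();
    $failures = $_SESSION['auth_failures'] ?? 0;

    if ($failures >= MAX_ATTEMPTS) {
        deny(403, "Too many failed attempts.\n", false);
    }
    if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        deny(401, "Authentication required.\n", true);   // first visit, not a failure
    }
    if (check_credentials($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        $_SESSION['auth_failures'] = 0;
        return $_SERVER['PHP_AUTH_USER'];
    }
    $_SESSION['auth_failures'] = ++$failures;            // persists across requests
    if ($failures >= MAX_ATTEMPTS) {
        deny(403, "Bad user name and password combination.\n", false);
    }
    deny(401, "Bad user name and password combination.\n", true);
}

$user = authentication_test();
echo 'Welcome, ' . htmlspecialchars($user) . "\n";
```

The count is tied to the session cookie, so a client that discards the cookie starts again at zero. To throttle password guessing, key the counter on the username or source address in server-side storage instead.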