HTTP authentication help

Posted: Wed Jan 19, 2005 11:37 am
by pthomas
allo,

I've been stuck on trying to get the HTTP authentication to work just right and have been on this for two days now. I've got the code up and running. It basically connects up to a mysql database to authenticate the users. What is working is that when a user first hits the webpage, they get a login box. If they login the first time successfully, they can access the page. However, if they don't login correctly the first time, they are not given the option to retry. Refreshing the webpage does not let them login again.

I was trying to code it so that they could have 3 tries before getting the "error: bad username and password combination" message. But right now they either enter in their UN & PWD on the first try correctly, or they have to close and re-open their browser.

Any help is appreciated!

Thanks,
Paul

Code:

<?php
/*
################
###	Note
################
   You must connect to the database before calling the authentication_test function!
   Its member functions require being connected to the database to get and compare
   username and passwords 
*/

/*Kicks off the testing to make sure that only an authenticated user gets in. The
  way this is currently setup the user gets 3 tries before they are forced to go
  to the error page.*/
function authentication_test()
{
	$valid_user = false;					//Always assume user is invalid
	$counter = 0;
		
	while ( (! $valid_user) && ($counter <= 3) )
	{
		$user_name = $_SERVER['PHP_AUTH_USER'];		//Get user name if entered
		$password = $_SERVER['PHP_AUTH_PW'];		//Get password if entered
		if ( (! isset($user_name)) || (! isset($password)) )//if either are blank
		{
			send_401_prompt();			//Send error to browser
		}
		else
		{
			if (is_valid($user_name, $password))	//Credentials checkout ok?
			{
				$valid_user = true;
			}
			else					//Bad credentials, send error
			{
				send_401_prompt();		
			}
		}
		$counter++;
	}
}
/*This sends the "Error 401 bad authentication" type error to the browser. The
  browser is responsible for either giving the user another chance to enter in
  a user_name & password or letting them hit cancel and stop trying. If they enter
  in another username and password, then it will retry their credentials.*/
function send_401_prompt()
{	//Send challenge response -> Dialog box for user_name and password
	header("WWW-Authenticate: Basic realm=\"Review Submissions\"");
	header("HTTP/1.1 401 Unauthorized");
	
	//If the user hits the cancel button....
	//Setup the response displayed if user cancels the challenge
	echo "<h2>Access Denied!</h2>\n";
	echo "Bad user name and password combination.\n";
	exit;						//Stop running code
}
/*This takes the user_name and password and looks for a match in the mySQL database.
  If a match is found, true is returned, otherwise return false.*/
function is_valid( &$user_name, &$password)
{
	//Escape the user name so it cannot break out of the quoted SQL string
	$safe_user = mysql_real_escape_string($user_name);
	//So grab timmy's password....
	$result = mysql_query("SELECT Pwd FROM users WHERE Username = '$safe_user'");
	
	$row = mysql_fetch_array($result, MYSQL_NUM);	//Grab password out of result set
	$password = md5(trim($password));		//Get rid of any whitespace and put password into md5 format
		//<debug>
	//echo "UN: $user_name<br />\n";
	//echo "PWD: $password<br />\n";	
		//</debug>
	if ($row[0] == $password)			//Do the passwords match?
		return true;
	else
		return false;
}

?>

Posted: Wed Jan 19, 2005 11:58 am
by AGISB
This might be a browser problem. Some might not do it right.

Check the tutorial section. I have written a small tutorial on authentication. You might find some parts useful.

Posted: Wed Jan 19, 2005 12:00 pm
by feyd
the way your code is laid out here, would do the auth request as long as they gave invalid credentials.. so I don't see anything that'd make it stop working after the first go.. I would imagine you are using a session to do that, which is not in the posted code.

Posted: Thu Jan 20, 2005 10:13 am
by pthomas
Ok, I tried it again today and it seems to work like it should. I must have not saved after I made changes or something.

Ummm... what do you mean by using a session?

Paul

Posted: Thu Jan 20, 2005 10:16 am
by feyd
I was guessing that the posted code wasn't/isn't all of the code involved, and that you were using a session to count the number of repeats, as trying to count inside the script doesn't work because the script is terminated after you call the header output stuff, thus resetting the counter on their next try.

Posted: Thu Jan 20, 2005 10:51 am
by pthomas
Nope, I have no idea how to use sessions like what you mention, although that sounds like the way I should go. I agree that the count var inside my script doesn't do squat, but at least I now know why!

I'm going to read up on "session handlers". Thanks for all the help!
Paul
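
The session-based retry counter discussed in the replies above, as an added example that is not code from any poster in this thread. It assumes PHP 7 or later; `check_credentials()`, `MAX_TRIES`, the `auth_failures` session key and the sample account are hypothetical stand-ins.

```php
<?php
const MAX_TRIES = 3;                       // assumption: three tries, as in the first post

// Hypothetical stand-in for the database lookup (constructed sample account).
function check_credentials(string $user, string $password): bool
{
    $users = ['timmy' => password_hash('sample-password', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function authentication_test(): string
{
    session_start();                       // must run before any output is sent
    $failures = $_SESSION['auth_failures'] ?? 0;

    // Only evaluate credentials while this session still has tries left.
    if ($failures < MAX_TRIES
        && isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        if (check_credentials($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
            session_regenerate_id(true);   // new session id once authenticated
            $_SESSION['auth_failures'] = 0;
            return $_SERVER['PHP_AUTH_USER'];
        }
        // Stored in the session, so the count survives the exit below.
        $_SESSION['auth_failures'] = ++$failures;
    }

    if ($failures >= MAX_TRIES) {
        // No WWW-Authenticate header: the browser shows no further login box.
        http_response_code(403);
        echo "<h2>Access Denied!</h2>\n";
        exit("Too many failed login attempts.\n");
    }

    // Each request is a fresh script run; this challenge ends the current one.
    header('WWW-Authenticate: Basic realm="Review Submissions"');
    http_response_code(401);
    echo "<h2>Access Denied!</h2>\n";
    exit("Bad user name and password combination.\n");
}

$user = authentication_test();
echo 'Welcome, ' . htmlspecialchars($user) . "\n";
```

The count lives in a session tied to a cookie the client can discard, so it limits how many prompts a browser user sees but does not throttle a scripted guesser. Throttling guesses needs a server-side count keyed by user name or source address.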