HTTP Authorization issues

ferrins
Forum Newbie
Posts: 1
Joined: Thu Oct 05, 2006 11:03 am

Post by ferrins »

Burrito | Please use code and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


Hi everybody!!
Well, first things first: I have to say hello to all the people here since this is my first post. I've been getting into PHP during the last couple of months, so I bet that I'll learn something from you all for sure. So, I just designed a very simple script trying to implement this HTTP authorization thing in my admin folder. And it works, but with a very annoying problem: it pops up the login window three times and I can't figure out why. I've tried to do the same thing with an external function, but it keeps popping up the login window 3 times.
So, let me show you this simple piece of code, and probably you all can help me out. Thanks!!

Code: Select all

if (!isset($_SESSION['id_admin'])) {
   // Challenge headers are sent on every request that has no admin session.
   header('WWW-Authenticate: Basic realm="admin"');
   header('HTTP/1.0 401 Unauthorized');
   // Credentials the browser sent with the Basic Authorization header.
   $nick=$_SERVER['PHP_AUTH_USER'];
   $passwd=$_SERVER['PHP_AUTH_PW'];
   $sql ="SELECT nick,passwd,id_admin FROM admin WHERE nick='$nick' AND passwd='$passwd'";
   $res=mysql_query($sql,$conn) or die();
   $row =mysql_fetch_array($res);
   if($row['nick']==$nick && $row['passwd']==$passwd){
      session_start();
      $_SESSION['id_admin']=$row['id_admin'];
      echo "<script>document.location.href='../admin/index.php'</script>";
   }else{
      echo "Unauthorized\n";
   }
   exit();
}

Are you still here? Well, thank you!


kendall
Forum Regular
Posts: 852
Joined: Tue Jul 30, 2002 10:21 am
Location: Trinidad, West Indies

Post by kendall »

Correct me if I'm wrong here guys, but ain't this a browser thing?

Kendall
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

It popping up again is a browser thing, but the browser is responding to the HTTP 401 header. As long as a 401 is being sent, most browsers will continue to ask for login credentials.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Post by pickle »

I think you need to call session_start() right at the top of the document. session_start() needs to be called before anything is sent to the browser - including headers.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

pickle wrote: session_start() needs to be called before anything is sent to the browser - including headers.
Yes and no. Unless session.use_cookies is set to false, session_start() tries to send the session_id as a cookie. A cookie is an HTTP header. And HTTP headers have to be sent before any data of the response document is sent.

But a) I don't know whether clients should accept cookies after a 401 Unauthorized,
b) isset($_SESSION['id_admin']) must return false if session_start() hasn't been called before,
and c) the script is sending the 401 regardless of whether the following authorization is successful or not. I think that's what feyd meant.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Does the $_SESSION array have values if session_start() hasn't been called?
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

No, the array is filled when the session mechanism is started (session_start() or session.auto_start).
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I think that is what pickle was talking about in his post. He is checking against a session var before calling session_start().
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Post by pickle »

Everah wrote: I think that is what pickle was talking about in his post. He is checking against a session var before calling session_start().
Yep - that's it.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
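
The points raised in the replies above, put together as an added example that is not part of the original thread or any poster's code: session_start() runs before $_SESSION is read, and the 401 challenge goes out only when credentials are missing or wrong. The in-memory SQLite table, the checkAdmin() helper, the demo account and the password_hash() storage in passwd are assumptions of this example; the bound parameter replaces the string-built query from the first post.

```php
<?php
declare(strict_types=1);

// Constructed demo data: in-memory SQLite stands in for the poster's MySQL `admin` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE admin (id_admin INTEGER PRIMARY KEY, nick TEXT UNIQUE, passwd TEXT)');
$pdo->prepare('INSERT INTO admin (nick, passwd) VALUES (?, ?)')
    ->execute(['demo-admin', password_hash('constructed-demo-password', PASSWORD_DEFAULT)]);

// Hypothetical helper: returns id_admin for valid credentials, null otherwise.
function checkAdmin(PDO $pdo, ?string $nick, ?string $passwd): ?int
{
    if ($nick === null || $passwd === null) {
        return null;                        // browser has not sent credentials yet
    }
    // Bound parameter: the submitted nick never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT id_admin, passwd FROM admin WHERE nick = ?');
    $stmt->execute([$nick]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Assumption: passwd holds a password_hash() value, not the plaintext the post compares.
    if ($row === false || !password_verify($passwd, $row['passwd'])) {
        return null;
    }
    return (int) $row['id_admin'];
}

session_start();                            // before $_SESSION is read and before any output

if (!isset($_SESSION['id_admin'])) {
    $id = checkAdmin($pdo, $_SERVER['PHP_AUTH_USER'] ?? null, $_SERVER['PHP_AUTH_PW'] ?? null);
    if ($id === null) {
        // Challenge only when credentials are missing or wrong.
        header('WWW-Authenticate: Basic realm="admin"');
        header('HTTP/1.0 401 Unauthorized');
        echo "Unauthorized\n";
        exit;
    }
    session_regenerate_id(true);            // fresh session id once the login succeeds
    $_SESSION['id_admin'] = $id;
    header('Location: ../admin/index.php'); // server-side redirect instead of an inline script
    exit;
}
```

Because a successful check now answers with a redirect rather than a 401, the browser stops re-prompting once the credentials are accepted.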