HTTP Authorization issues

Posted: Thu Oct 05, 2006 11:10 am
by ferrins
Burrito | Please use code tags and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


Hi everybody!!
Well, first things first: I have to say hello to all the people here since this is my first post. I've been getting into PHP during the last couple of months, so I bet that I'll learn something from you all for sure. So, I just designed a very simple script trying to implement this HTTP authorization thing in my admin folder. And it works, but with a very annoying problem: it pops up the login window three times and I can't figure out why. I've tried to do the same thing with an external function, but it keeps popping up the login window 3 times.
So, let me show you this simple piece of code, and probably you all can help me out. Thanks!!

if (!isset($_SESSION['id_admin'])) {
   // No admin id in the session: send the Basic auth challenge
   header('WWW-Authenticate: Basic realm="admin"');
   header('HTTP/1.0 401 Unauthorized');
   $nick=$_SERVER['PHP_AUTH_USER'];
   $passwd=$_SERVER['PHP_AUTH_PW'];
   // Look up the supplied credentials
   $sql ="SELECT nick,passwd,id_admin FROM admin WHERE nick='$nick' AND passwd='$passwd'";
   $res=mysql_query($sql,$conn) or die();
   $row =mysql_fetch_array($res);
   if($row['nick']==$nick && $row['passwd']==$passwd){
      // Credentials match: start the session and redirect to the admin index
      session_start();
      $_SESSION['id_admin']=$row['id_admin'];
      echo "<script>document.location.href='../admin/index.php'</script>";
   }else{
      echo "Unauthorized\n";
   }
   exit();
}

Are you still here? Well, thank you!


Posted: Fri Oct 13, 2006 1:20 pm
by kendall
Correct me if I'm wrong here guys, but ain't this a browser thing?

Kendall

Posted: Fri Oct 13, 2006 1:55 pm
by feyd
It popping up again is a browser thing, but the browser is responding to the HTTP 401 header. As long as a 401 is being sent, most browsers will continue to ask for login credentials.

Posted: Fri Oct 13, 2006 2:32 pm
by pickle
I think you need to call session_start() right at the top of the document. session_start() needs to be called before anything is sent to the browser - including headers.

Posted: Fri Oct 13, 2006 2:37 pm
by volka
pickle wrote: session_start() needs to be called before anything is sent to the browser - including headers.
Yes and no. Unless session.use_cookies is set to false, session_start() tries to send the session_id as a cookie. A cookie is an HTTP header. And HTTP headers have to be sent before any data of the response document is sent.

but a) I don't know whether clients should accept cookies after a 401 unauthorized
b) isset($_SESSION['id_admin']) must return false if session_start() hasn't been called before.
and c) the script is sending the 401 regardless of whether the following authorization is successful or not. I think that's what feyd meant.

Posted: Fri Oct 13, 2006 2:58 pm
by RobertGonzalez
Does the $_SESSION array have values if session_start() hasn't been called?

Posted: Fri Oct 13, 2006 3:01 pm
by volka
No, the array is filled when the session mechanism is started (session_start() or session.auto_start).

Posted: Fri Oct 13, 2006 4:07 pm
by RobertGonzalez
I think that is what pickle was talking about in his post. He is checking against a session var before calling session_start().

Posted: Mon Oct 16, 2006 10:51 am
by pickle
Everah wrote: I think that is what pickle was talking about in his post. He is checking against a session var before calling session_start().
Yep - that's it.
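
One way to restructure the script along the lines the replies describe, as an added example that is not code from the thread: session_start() runs before $_SESSION is checked, and the 401 challenge is sent only when credentials are missing or wrong. It also replaces the interpolated SQL string with a bound parameter and assumes the passwd column holds a password_hash() value; $pdo and the ADMIN_* environment variable names are hypothetical.

```php
<?php
// Added example, not the original poster's code.
// Assumptions: ADMIN_DSN / ADMIN_DB_USER / ADMIN_DB_PASS are hypothetical
// environment variables, and admin.passwd stores a password_hash() value
// (the original post compares plaintext passwords).
$pdo = new PDO(getenv('ADMIN_DSN'), getenv('ADMIN_DB_USER'), getenv('ADMIN_DB_PASS'));

// Start the session first so $_SESSION is populated before it is checked.
session_start();

/** Send the Basic challenge and stop. Called only when login has not succeeded. */
function challenge(): void
{
    header('WWW-Authenticate: Basic realm="admin"');
    header('HTTP/1.0 401 Unauthorized');
    echo "Unauthorized\n";
    exit();
}

/** Return the admin id for valid credentials, or null. */
function checkCredentials(PDO $pdo, string $nick, string $passwd): ?int
{
    // Bound parameter: the supplied nick never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT passwd, id_admin FROM admin WHERE nick = ?');
    $stmt->execute([$nick]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row !== false && password_verify($passwd, $row['passwd'])) {
        return (int) $row['id_admin'];
    }
    return null;
}

if (!isset($_SESSION['id_admin'])) {
    // First request: the browser has sent no credentials yet, so ask once.
    if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        challenge();
    }
    $idAdmin = checkCredentials($pdo, $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
    if ($idAdmin === null) {
        challenge(); // wrong credentials: ask again
    }
    // Success: no 401 is sent, so the browser stops prompting.
    session_regenerate_id(true); // issue a fresh session id after login
    $_SESSION['id_admin'] = $idAdmin;
    header('Location: ../admin/index.php');
    exit();
}
// From here on the request belongs to an authenticated admin session.
```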