php http authentication

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
jaandrws
Forum Newbie
Posts: 9
Joined: Sat Mar 31, 2007 8:13 pm

php http authentication

Post by jaandrws »

~pickle | Please use [ code=html ], [ code=php ], etc tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: :arrow: Posting Code in the Forums to learn how to do it too.


The following code continues to ask for authentication even if I enter the right username (foo) and password (bar). What am I doing wrong?

Code: Select all

 
<?
if ( $auth != 1 ) {  //if the user isn't authenticated
 
header( "WWW-Authenticate: Basic realm=\"Authorization Required!\"" ); //this makes the browser generate a login box
header( "HTTP/1.0 401 Unauthorized" ); //this tells the browser that further viewing is not permitted
echo 'Authorization Required!'; //and this gets echoed if the user doesn't enter the correct username/password pair
exit; //this makes the script exit, and the user session ends. No script for you!
}
 
 
$auth = 0; // Assume user is not authenticated
if (($PHP_AUTH_USER == "foo" ) && ($PHP_AUTH_PW == "bar" )) $auth = 1; //If all is well, consider the user authenticated
 
 
?>

Code: Select all

<html>
<head>
 
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<title>test</title>
 
</head>
<body>
<p>You must have entered the right password.</p>
</body>
</html>

~pickle | Please use [ code=html ], [ code=php ], etc tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: :arrow: Posting Code in the Forums to learn how to do it too.
lepad
Forum Newbie
Posts: 12
Joined: Fri Oct 05, 2007 9:58 am

Re: php http authentication

Post by lepad »

try

Code: Select all

$_SERVER['PHP_AUTH_USER']
instead of

Code: Select all

$PHP_AUTH_USER
User avatar
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W
Contact:

Re: php http authentication

Post by pickle »

The problem is that on each page load, you're checking the value of $auth & deciding whether to show the prompt, before you're checking the credentials. Your best bet is to store $auth in a session, so you can set it in one page load & still have it set in following page loads.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
jaandrws
Forum Newbie
Posts: 9
Joined: Sat Mar 31, 2007 8:13 pm

Re: php http authentication

Post by jaandrws »

I changed the 1 line to read:

if (($_SERVER['PHP_AUTH_USER'] == "foo" ) && ($_SERVER['PHP_AUTH_PW'] == "bar" )) $auth = 1; //If all is well, consider the user authenticated


but no change in behavior. It still continues to request authentication.
jaandrws
Forum Newbie
Posts: 9
Joined: Sat Mar 31, 2007 8:13 pm

Re: php http authentication

Post by jaandrws »

I'm afraid I have no experience with sessions. I was given this code as a way of having to avoid sessions and cookies. Is the method invalid?
User avatar
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W
Contact:

Re: php http authentication

Post by pickle »

Which method? Using sessions or your method? What do you mean by "valid".

To institute sessions, simply call session_start() at the beginning of your script, then wherever you reference $auth, reference $_SESSION['auth'] instead.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
jaandrws
Forum Newbie
Posts: 9
Joined: Sat Mar 31, 2007 8:13 pm

Re: php http authentication

Post by jaandrws »

~pickle | Please use [ code=html ], [ code=php ], etc tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: :arrow: Posting Code in the Forums to learn how to do it too.


I meant was my method (the method I was trying) not a workable approach? If not, its disappointing because I found the code practically word for word from a tutorial on phpfreaks.com. But let's address your solution. Would the following be the correct implementation of your idea?

Code: Select all

 
session_start()
 
if ( $_SESSION['auth'] != 1 ) {  //if the user isn't authenticated
 
header( "WWW-Authenticate: Basic realm=\"Authorization Required!\"" ); //this makes the browser generate a login box
header( "HTTP/1.0 401 Unauthorized" ); //this tells the browser that further viewing is not permitted
echo 'Authorization Required!'; //and this gets echoed if the user doesn't enter the correct username/password pair
exit; //this makes the script exit, and the user session ends. No script for you!
}
 
 
$_SESSION['auth'] = 0; // Assume user is not authenticated
if (($PHP_AUTH_USER == "foo" ) && ($PHP_AUTH_PW == "bar" )) $_SESSION['auth'] = 1; //If all is well, consider the user authenticated
 
~pickle | Please use [ code=html ], [ code=php ], etc tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: :arrow: Posting Code in the Forums to learn how to do it too.
jaandrws
Forum Newbie
Posts: 9
Joined: Sat Mar 31, 2007 8:13 pm

Re: php http authentication

Post by jaandrws »

I must have done something wrong because I got an error on line 4:

Parse error: parse error, unexpected T_IF in /home/.sites/110/site133/web/indexit.php on line 4
User avatar
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W
Contact:

Re: php http authentication

Post by pickle »

- You're missing a semi-colon after session_start();
- Ya, that'll probably work.
- Start wrapping your PHP code in tags like I've been saying in your previous posts.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
jaandrws
Forum Newbie
Posts: 9
Joined: Sat Mar 31, 2007 8:13 pm

Re: php http authentication

Post by jaandrws »

I'm afraid it has the same behavior. It continues to prompt for authentication. Sorry about the code quoting thing.
User avatar
Zoxive
Forum Regular
Posts: 974
Joined: Fri Apr 01, 2005 4:37 pm
Location: Bay City, Michigan

Re: php http authentication

Post by Zoxive »

jaandrws wrote:I'm afraid it has the same behavior. It continues to prompt for authentication. Sorry about the code quoting thing.
The check for the username password need to be above the die method. The code is never getting to set the sessions be cause the if statement is true every page load.

Code: Select all

session_start();
 
if (($$_SERVER['PHP_AUTH_USER'] == "foo" ) && ($$_SERVER['PHP_AUTH_PW'] == "bar" )) $_SESSION['auth'] = 1; //If all is well, consider the user authenticated
 
if ( empty($_SESSION['auth']) ) {  //if the user isn't authenticated
  header( "WWW-Authenticate: Basic realm=\"Authorization Required!\"" ); //this makes the browser generate a login box
  header( "HTTP/1.0 401 Unauthorized" ); //this tells the browser that further viewing is not permitted
  echo 'Authorization Required!'; //and this gets echoed if the user doesn't enter the correct username/password pair
  exit; //this makes the script exit, and the user session ends. No script for you!
}

Should work.
Post Reply