Page 1 of 1

php http authentication

Posted: Wed Mar 12, 2008 9:29 am
by jaandrws
~pickle | Please use [ code=html ], [ code=php ], etc tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: :arrow: Posting Code in the Forums to learn how to do it too.


The following code continues to ask for authentication even if I enter the right username (foo) and password (bar). What am I doing wrong?

Code: Select all

 
<?
if ( $auth != 1 ) {  //if the user isn't authenticated
 
header( "WWW-Authenticate: Basic realm=\"Authorization Required!\"" ); //this makes the browser generate a login box
header( "HTTP/1.0 401 Unauthorized" ); //this tells the browser that further viewing is not permitted
echo 'Authorization Required!'; //and this gets echoed if the user doesn't enter the correct username/password pair
exit; //this makes the script exit, and the user session ends. No script for you!
}
 
 
$auth = 0; // Assume user is not authenticated
if (($PHP_AUTH_USER == "foo" ) && ($PHP_AUTH_PW == "bar" )) $auth = 1; //If all is well, consider the user authenticated
 
 
?>

Code: Select all

<html>
<head>
 
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<title>test</title>
 
</head>
<body>
<p>You must have entered the right password.</p>
</body>
</html>

~pickle | Please use [ code=html ], [ code=php ], etc tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: :arrow: Posting Code in the Forums to learn how to do it too.

Re: php http authentication

Posted: Wed Mar 12, 2008 9:43 am
by lepad
try

Code: Select all

$_SERVER['PHP_AUTH_USER']
instead of

Code: Select all

$PHP_AUTH_USER

Re: php http authentication

Posted: Wed Mar 12, 2008 9:46 am
by pickle
The problem is that on each page load, you're checking the value of $auth & deciding whether to show the prompt, before you're checking the credentials. Your best bet is to store $auth in a session, so you can set it in one page load & still have it set in following page loads.

Re: php http authentication

Posted: Wed Mar 12, 2008 9:47 am
by jaandrws
I changed the 1 line to read:

if (($_SERVER['PHP_AUTH_USER'] == "foo" ) && ($_SERVER['PHP_AUTH_PW'] == "bar" )) $auth = 1; //If all is well, consider the user authenticated


but no change in behavior. It still continues to request authentication.

Re: php http authentication

Posted: Wed Mar 12, 2008 9:50 am
by jaandrws
I'm afraid I have no experience with sessions. I was given this code as a way of having to avoid sessions and cookies. Is the method invalid?

Re: php http authentication

Posted: Wed Mar 12, 2008 10:00 am
by pickle
Which method? Using sessions or your method? What do you mean by "valid".

To institute sessions, simply call session_start() at the beginning of your script, then wherever you reference $auth, reference $_SESSION['auth'] instead.

Re: php http authentication

Posted: Wed Mar 12, 2008 10:07 am
by jaandrws
~pickle | Please use [ code=html ], [ code=php ], etc tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: :arrow: Posting Code in the Forums to learn how to do it too.


I meant was my method (the method I was trying) not a workable approach? If not, its disappointing because I found the code practically word for word from a tutorial on phpfreaks.com. But let's address your solution. Would the following be the correct implementation of your idea?

Code: Select all

 
session_start()
 
if ( $_SESSION['auth'] != 1 ) {  //if the user isn't authenticated
 
header( "WWW-Authenticate: Basic realm=\"Authorization Required!\"" ); //this makes the browser generate a login box
header( "HTTP/1.0 401 Unauthorized" ); //this tells the browser that further viewing is not permitted
echo 'Authorization Required!'; //and this gets echoed if the user doesn't enter the correct username/password pair
exit; //this makes the script exit, and the user session ends. No script for you!
}
 
 
$_SESSION['auth'] = 0; // Assume user is not authenticated
if (($PHP_AUTH_USER == "foo" ) && ($PHP_AUTH_PW == "bar" )) $_SESSION['auth'] = 1; //If all is well, consider the user authenticated
 
~pickle | Please use [ code=html ], [ code=php ], etc tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: :arrow: Posting Code in the Forums to learn how to do it too.

Re: php http authentication

Posted: Wed Mar 12, 2008 10:08 am
by jaandrws
I must have done something wrong because I got an error on line 4:

Parse error: parse error, unexpected T_IF in /home/.sites/110/site133/web/indexit.php on line 4

Re: php http authentication

Posted: Wed Mar 12, 2008 10:32 am
by pickle
- You're missing a semi-colon after session_start();
- Ya, that'll probably work.
- Start wrapping your PHP code in tags like I've been saying in your previous posts.

Re: php http authentication

Posted: Wed Mar 12, 2008 10:55 am
by jaandrws
I'm afraid it has the same behavior. It continues to prompt for authentication. Sorry about the code quoting thing.

Re: php http authentication

Posted: Wed Mar 12, 2008 10:57 am
by Zoxive
jaandrws wrote:I'm afraid it has the same behavior. It continues to prompt for authentication. Sorry about the code quoting thing.
The check for the username password need to be above the die method. The code is never getting to set the sessions be cause the if statement is true every page load.

Code: Select all

session_start();
 
if (($$_SERVER['PHP_AUTH_USER'] == "foo" ) && ($$_SERVER['PHP_AUTH_PW'] == "bar" )) $_SESSION['auth'] = 1; //If all is well, consider the user authenticated
 
if ( empty($_SESSION['auth']) ) {  //if the user isn't authenticated
  header( "WWW-Authenticate: Basic realm=\"Authorization Required!\"" ); //this makes the browser generate a login box
  header( "HTTP/1.0 401 Unauthorized" ); //this tells the browser that further viewing is not permitted
  echo 'Authorization Required!'; //and this gets echoed if the user doesn't enter the correct username/password pair
  exit; //this makes the script exit, and the user session ends. No script for you!
}

Should work.