How to log a user out Need Help Please

Posted: Wed Sep 29, 2010 5:13 pm
by BrettCarr
Hi Guys,
I'm trying to create a decent login system for my users and I'm trying to use the header WWW-Authenticate. This is what I have and it works, but I have 2 issues: 1. How do I log a user out? And I'm getting this error in IE8 but not Mozilla; is there anything I can do to stop or fix this?
Warning: This server is requesting that your username and password be sent in an insecure manner(basic authentication without a secure connection)

Most important is being able to clear the authentication variable so a user can try to log in again if they misspell their username or something like that, or want to log out. I thought the header('HTTP/1.0 401 Unauthorized') would log them out... am I misunderstanding the concept?


<?php
include_once($_SERVER['DOCUMENT_ROOT'] . '/includes/global.php');
$d = new User();
$d->connect(HOST, USERNAME, PASSWORD, DATABASE);

// No credentials yet, or the user hit Cancel: send the Basic challenge.
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="Sales Coastal Coasters"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
}

// Checks user_name and pass_word against the table; if found, redirects to the sales list.
// The MD5 digests are computed in PHP instead of inside the SQL so that only hex
// characters reach the query string: interpolating the raw header values (as the
// first version did) lets a crafted username alter the query.
$user_hash = md5($_SERVER['PHP_AUTH_USER']);
$pass_hash = md5($_SERVER['PHP_AUTH_PW']);
$d->query("SELECT * FROM sales_people WHERE user_name = '$user_hash' AND pass_word = '$pass_hash';");

if ($d->next()) {
    $host  = $_SERVER['HTTP_HOST'];
    $uri   = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
    $extra = 'admin/sales_ppl_list.php';
    header("Location: http://$host$uri/$extra");
    exit;
}

// Credentials did not match: send the user to the login page.
// Note: PHP turns the response into a 302 once a Location header is set, so the
// 401 below never reaches the browser, and unsetting $_SERVER entries only changes
// this script's copy; the browser still caches the credentials and resends them.
header("HTTP/1.0 401 Unauthorized");
$host  = $_SERVER['HTTP_HOST'];
$uri   = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
$extra = 'login.php';
header("Location: http://$host$uri/$extra");
unset($_SERVER['PHP_AUTH_USER']);
unset($_SERVER['PHP_AUTH_PW']);

print "Sorry - you need valid credentials to be granted access!\n";
exit;
?>

Re: How to log a user out Need Help Please

Posted: Sun Oct 17, 2010 2:07 am
by Bind
HTTP_AUTH does not contain a native logout functionality - simply close the browser and they are automatically logged out by default. A new browser session will ask them for credentials again.

The hack is to change the Basic Realm name when they click logout, which will ask for new credentials.

PHP forced HTTP_AUTH is a hack. Meaning it isn't the intended purpose of HTTP_AUTH, but it works marginally well.

The error you get is because you are not using SSL (HTTPS) and shows up because HTTP_AUTH without SSL is indeed insecure, and the browser warns the user of this fact for their own protection, so they can decide whether or not to continue.

HTTP_AUTH, especially PHP forced HTTP_AUTH without SSL, is cumbersome, clunky, quirky, and not a very aesthetic solution, which is why most web application developers prefer to create and manage their own user login/logout/management systems.
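The realm-change logout described in the reply, written out as an added example (this is not code posted by BrettCarr or Bind). It also covers the two other points raised in the thread: the browser warning goes away only when the challenge is sent over HTTPS, and a mistyped password has to produce a fresh prompt. PHP 7+, the in-memory $USERS array standing in for the sales_people table, the password_hash()/password_verify() comparison, the per-session realm suffix and the ?logout=1 link are all assumptions of the example, not things the thread specifies.

```php
<?php
// Added example for this thread, not code from the original posts. It implements the
// "change the Basic Realm name on logout" technique from the reply above.
// Assumptions (not from the thread): PHP 7+, $USERS standing in for the sales_people
// table, and ?logout=1 as the logout link.
declare(strict_types=1);

session_start();

// Constructed user store. Values are password_hash() output; in a real deployment they
// come from the database via a prepared statement with the username bound as a parameter.
$USERS = [
    'alice' => password_hash('example-password', PASSWORD_DEFAULT),
];

// 1. Basic credentials cross the wire base64-encoded, not encrypted, which is exactly
//    what the IE8 warning in the question says. Refuse to challenge over plain HTTP.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 302);
    exit;
}

// 2. The realm carries a per-session random suffix. Browsers remember credentials per
//    realm, so rotating the suffix is the "change the Basic Realm name" trick: the next
//    401 shows an unfamiliar realm and the browser prompts instead of replaying silently.
if (!isset($_SESSION['realm_nonce'])) {
    $_SESSION['realm_nonce'] = bin2hex(random_bytes(8));
}

function currentRealm(): string
{
    return 'Sales Coastal Coasters ' . $_SESSION['realm_nonce'];
}

function sendChallenge(): void
{
    header('WWW-Authenticate: Basic realm="' . currentRealm() . '"');
    header('HTTP/1.1 401 Unauthorized');
    echo "Authentication required.\n";
    exit;
}

// 3. Logout. The server cannot tell a replayed Authorization header from a freshly typed
//    one, so the session is flagged and exactly one credential-bearing request after
//    logout is bounced with the new realm even if the credentials are valid. That bounce
//    is what forces the prompt; the request the browser makes after the prompt is accepted.
if (isset($_GET['logout'])) {
    unset($_SESSION['user']);
    $_SESSION['realm_nonce']   = bin2hex(random_bytes(8));
    $_SESSION['reject_cached'] = true;
    // Redirect rather than challenge on this URL: a 401 here would make the browser
    // retry ?logout=1 with the freshly typed credentials and log the user out again.
    header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'), true, 302);
    exit;
}

if (!empty($_SESSION['reject_cached'])) {
    unset($_SESSION['reject_cached']);
    sendChallenge();
}

// 4. Verify. The username only indexes the array (or a bound parameter); the password is
//    checked with password_verify(), which handles the salt and compares in constant time.
$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? null;
if ($user === null || $pass === null) {
    sendChallenge();
}
if (!isset($USERS[$user]) || !password_verify($pass, $USERS[$user])) {
    // A mistyped username or password lands here; the 401 makes the browser ask again,
    // which is the "let them try to log in again" behaviour the question asked for.
    sendChallenge();
}

$_SESSION['user'] = $user;
header('Content-Type: text/plain');
echo "Logged in as {$user}. Log out: ?logout=1\n";
```

Two design points worth noting. First, rotating the realm alone is not enough, because browsers send the cached Authorization header pre-emptively for paths under the protected space before they have seen any realm; the reject_cached flag is what turns that replay into a 401 and therefore a prompt. Second, the logout URL redirects instead of challenging, otherwise the browser would retry the logout URL itself with the new credentials. If the user cancels the prompt, whether the browser discards the old credentials is browser-specific, which is the clunkiness the reply above refers to and one reason session-based login pages are usually preferred.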