  1. #1
    Join Date
    Nov 2006
    Posts
    9

    Unanswered: User Authentication using HTTP POP-UP Windows

    Hi All,

    I'm trying to implement a popup window, for user authentication. This window comes up by using the following function

    Code:
    function authenticate() {        
    header('WWW-Authenticate: Basic realm="User Authentication"');        
    header('HTTP/1.0 401 Unauthorized');
    }
    Now, I was wondering once a user enters his username and password, in what variables would they be stored once submitted by them ????

    cheers
    rohit

  2. #2
    Join Date
    Nov 2006
    Posts
    9

    Another example not working

    In connection with the above problem, I was searching on how to use HTTP headers thinking I may be making a mistake....anyways so I went to the following site http://www.developerfusion.co.uk/show/3703/7/ ,
    and got this code to run, it didn't accept guest as its username and password which it should have ...instead after 3rd attempt it displayed, the message written inside the header...

    Code:
    <?php
    if ((!isset($PHP_AUTH_USER)) || (!isset($PHP_AUTH_PW)) || ($PHP_AUTH_USER != "guest") || ($PHP_AUTH_PW != "guest"))
    {
        header('WWW-Authenticate: Basic realm="Private Area"');
        header("HTTP/1.1 401 Unauthorized");
        print "This page requires authorisation.";
        exit();
    }
    else
    {
        print "You're through to the secret page, was the effort worth it?";
    } 
    ?>
    Can someone please point out where am I making a mistake....

    thanks
    rohit

  3. #3
    Join Date
    Apr 2006
    Location
    Denver, Co. USA
    Posts
    242
    Those variable names apparently assume that register_globals are ON.

    Change these to the following to get them to work -

    $_SERVER['PHP_AUTH_USER']
    $_SERVER['PHP_AUTH_PW']

    As always the best up to date information can be found at php.net -
    Online manual - http://www.php.net/docs.php

    Downloadable manual - http://www.php.net/download-docs.php

  4. #4
    Join Date
    Nov 2006
    Posts
    9
    thanks for your reply dbmab.

    I have tried those 2 variables too but still it won't work.

    I forgot to update my post...sorry...

    cheers
    rohit

  5. #5
    Join Date
    Apr 2006
    Location
    Denver, Co. USA
    Posts
    242
    There is a stated requirement -
    The HTTP Authentication hooks in PHP are only available when it is running as an Apache module and is hence not available in the CGI version.

  6. #6
    Join Date
    Nov 2006
    Posts
    9
    hi dbmab,

    Yes in my case, php is installed as an apache module and not cgi.

    rohit

  7. #7
    Join Date
    Apr 2006
    Location
    Denver, Co. USA
    Posts
    242
    I don't have any further ideas.

    Because the logon box appears in the browser, the headers are being sent from the web server to the browser.

    Either the browser is not sending the information back to the server (perhaps try with a different browser), or the web server is not accepting them, or the web server is not passing them to PHP.

  8. #8
    Join Date
    Apr 2006
    Location
    Denver, Co. USA
    Posts
    242
    I tried your code on my test server (Win XP pro, Apache 2.0.59, PHP 5.2 as Apache module, and using IE7) -
    PHP Code:
    <?php
    // Challenge the browser unless both credentials are present and equal "guest".
    if ((!isset($_SERVER['PHP_AUTH_USER'])) || (!isset($_SERVER['PHP_AUTH_PW'])) || ($_SERVER['PHP_AUTH_USER'] != "guest") || ($_SERVER['PHP_AUTH_PW'] != "guest"))
    {
        header('WWW-Authenticate: Basic realm="Private Area"');
        header("HTTP/1.1 401 Unauthorized");
        print "This page requires authorisation.";
        exit();
    }
    else
    {
        print "You're through to the secret page, was the effort worth it?";
    }
    ?>
    and it works. So unless there is a typo in what you tried, then you have a browser or a server issue.
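
Added example (not part of the thread, and not the posters' code): a version of the check from post #8 that also covers the case raised in post #7 where the web server does not pass the credentials to PHP, by falling back to the raw Authorization header. It assumes PHP 7.1 or later, that the server exposes that header as HTTP_AUTHORIZATION or REDIRECT_HTTP_AUTHORIZATION, and a constructed one-user store; the helper names demo_users(), basic_credentials() and is_authorised() are hypothetical.

```php
<?php
// Added example, not code from the thread.

// Constructed demo store: username => password_hash() output (assumption).
function demo_users(): array
{
    return ['guest' => password_hash('guest', PASSWORD_DEFAULT)];
}

// Return [user, password] from the request, or null if none were supplied.
function basic_credentials(array $server): ?array
{
    // PHP has already decoded the Authorization header (e.g. Apache module).
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    // Otherwise look for the raw header; this only works if the web server
    // is configured to pass it through to PHP (assumption).
    $raw = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    if (stripos($raw, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($raw, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the first colon only; the password itself may contain ':'.
    return explode(':', $decoded, 2);
}

function is_authorised(?array $creds, array $users): bool
{
    if ($creds === null) {
        return false;
    }
    [$user, $pw] = $creds;
    // password_verify() checks against a stored hash instead of a plain string.
    return isset($users[$user]) && password_verify($pw, $users[$user]);
}

if (PHP_SAPI !== 'cli') {
    $creds = basic_credentials($_SERVER);
    if (!is_authorised($creds, demo_users())) {
        header('WWW-Authenticate: Basic realm="Private Area"');
        header('HTTP/1.1 401 Unauthorized');
        exit('This page requires authorisation.');
    }
    echo 'Authenticated as ' . htmlspecialchars($creds[0]);
}
```

Basic credentials are only base64-encoded on the wire, so a page protected this way belongs behind HTTPS.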

  9. #9
    Join Date
    Nov 2006
    Posts
    9
    hi dbmab,

    I'm convinced with your answer and would certainly agree too because I just tried it on my college computer which has the setup of php 4.3.11 and apache on a win xp pro machine. It worked. So I'm guessing that the setup on my laptop and also on the LIVE WEBSERVER is the same and that's why it's not working.

    BTW I just found a bug on $PHP_AUTH_USR...
    BUG : http://bugs.php.net/bug.php?id=29132

    The reason I got into doing this is because I love the logon box and thought I will use it for a website where certain pages need to be restricted. But anyways now I'll be using just a usual normal boring username and password inputs and then check it against the database.

    thanks for all your help,

    cheers
    rohit

  10. #10
    Join Date
    Apr 2006
    Location
    Denver, Co. USA
    Posts
    242
    That is a pretty serious bug. I have used HTTP Auth on php 5.1 and now 5.2.

    If you take out the isset and != "guest" terms with PHP_AUTH_USR as a test (only leave the PW terms) and it functions, that would indicate that the PHP_AUTH_USR variable is not being passed through to the PHP code.

    Edit: Take a look at the Digest HTTP Authentication method. This uses a $_SERVER['PHP_AUTH_DIGEST'] variable and does not use PHP_AUTH_USR.

    Even if you can get the Basic HTTP Authentication method to work, IE7 has added a warning message that the information is being sent over an insecure link. Using the Digest method eliminates this warning message.
    Last edited by dbmab; 11-17-06 at 00:13.

  11. #11
    Join Date
    Nov 2006
    Posts
    9
    Yeah I would say so too.

    The moment I read it, I realised that it's much better for me not to use the headers because I'm sure that they are running php 4.x.x

    Anyways I'm not sure if you want to but I would suggest making that link to the bug as a sticky or like an important notice on this forum...just to make people aware.

    cheers
    rohit
