
Sessions, authentication and $_SERVER

I'm trying to understand sessions and authentication.

I gathered that the only way of preserving data across script
invocations was to use a session. However I note that
$_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] are also preserved
across invocations and even from one script to another. How does this
work? (Are they repeatedly sent from the browser every time? If so, what
stops a site author from collecting a user name and password originally
entered for another site?) And how does one log off a user after
x minutes of inactivity?

If this is an RTFM question, I'd be happy with a pointer to the
appropriate bit of the M - I haven't managed to track it down so far.

I also note that $_SERVER contains entries which seem to have nothing to
do with the server, such as HTTP_USER_AGENT . Is there some logic here,
or is this just one of the historical accidents to which the IT world
seems so prone?

--
Stephen Poley
Barendrecht, Holland
Jul 16 '05 #1
Stephen Poley wrote:
> I'm trying to understand sessions and authentication.
>
> I gathered that the only way of preserving data across script
> invocations was to use a session. However I note that
> $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] are also preserved
> across invocations and even from one script to another. How does this
> work? (Are they repeatedly sent from the browser every time? If so, what
> stops a site author from collecting a user name and password originally
> entered for another site?) And how does one log off a user after
> x minutes of inactivity?

Those two variables are copies of the username and password passed to
the web server. If you request a password-protected document from the
web server without passing those, the server will respond with an error
message. The browser will then pop up a window to ask for userid and
password and request the document again, passing those parameters to the
server. Every request for that document or documents in subdirectories
will automatically have the userid and password appended by the browser
to avoid you having to reenter them. This is all site specific, so you
don't need to worry about that. This simple authentication cannot handle
logging people off (at least from php); you have to use a different
method for that.

> If this is an RTFM question, I'd be happy with a pointer to the
> appropriate bit of the M - I haven't managed to track it down so far.
>
> I also note that $_SERVER contains entries which seem to have nothing to
> do with the server, such as HTTP_USER_AGENT. Is there some logic here,
> or is this just one of the historical accidents to which the IT world
> seems so prone?

A web browser often sends extra information with a request. The user
agent string is one of those headers. It's sometimes useful to adjust
your output depending on the capabilities of the browser. I particularly
use this to present a different front page to search engines to make
their crawling work better.

Read RFC2616 for the full specification (if you don't mind a severe
headache).

Jul 16 '05 #2
On Thu, 21 Aug 2003 12:38:04 +0100, Kevin Thorpe <ke***@pricetra k.com>
wrote:

> Stephen Poley wrote:
>> I gathered that the only way of preserving data across script
>> invocations was to use a session. However I note that
>> $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] are also preserved
>> across invocations and even from one script to another. How does this
>> work?
> <snip>
> Every request for that document or documents in subdirectories
> will automatically have the userid and password appended by the browser
> to avoid you having to reenter them.

Thanks for the swift answer - that clarifies it. I've checked with a
script in a 'sister' directory, and there the username/password are
indeed not available.

> This is all site specific so you
> don't need to worry about that. This simple authentication cannot handle
> logging people off (at least from php), you have to use a different
> method for that.

So I gather the user-name/password could sit indefinitely in the
browser, but when a request is made after a timeout (managed via session
data) one can reissue the "401 Unauthorized" header and that forces the
user to re-enter them - is that right?

>> I also note that $_SERVER contains entries which seem to have nothing to
>> do with the server, such as HTTP_USER_AGENT. Is there some logic here,
>> or is this just one of the historical accidents to which the IT world
>> seems so prone?
>
> A web browser often sends extra information with a request. The user
> agent string is one of those headers. It's sometimes useful to adjust
> your output depending on the capabilities of the browser.

My question wasn't quite clear - I was wondering why that data was in
$_SERVER specifically, and not $_GLOBALS or $_CLIENT or something. The
manual is rather vague.

> Read RFC2616 for the full specification (if you don't mind a severe
> headache).

I had indeed tried to, but I had failed to extract from it that the
browser would resend the credentials for further requests in the same
directory.

Thanks for your help.

--
Stephen Poley
Barendrecht, Holland
Jul 16 '05 #3
Stephen Poley wrote:
> On Thu, 21 Aug 2003 12:38:04 +0100, Kevin Thorpe <ke***@pricetra k.com>
> wrote:
>> Stephen Poley wrote:
>>> I gathered that the only way of preserving data across script
>>> invocations was to use a session. However I note that
>>> $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] are also preserved
>>> across invocations and even from one script to another. How does this
>>> work?
>> Every request for that document or documents in subdirectories
>> will automatically have the userid and password appended by the browser
>> to avoid you having to reenter them.
>
> Thanks for the swift answer - that clarifies it. I've checked with a
> script in a 'sister' directory, and there the username/password are
> indeed not available.

As indeed they should not. The way cookies work is somewhat similar,
except you can specify an expiry date to keep them even after the
browser closes. Cookies give you somewhat more control over access, and
you can write your own page to input the userid and password instead of
relying on the browser built-in.

>> This is all site specific so you
>> don't need to worry about that. This simple authentication cannot handle
>> logging people off (at least from php), you have to use a different
>> method for that.
>
> So I gather the user-name/password could sit indefinitely in the
> browser, but when a request is made after a timeout (managed via session
> data) one can reissue the "401 Unauthorized" header and that forces the
> user to re-enter them - is that right?

Yup, they're available until the browser is closed. You can reissue the
401 if you like to force re-entry. You can still do this even if the web
server isn't configured to ask for a userid and password. You would have
to check them yourself, though, to see if they were valid. There's a short
tutorial on performing HTTP authentication entirely in php at:
http://uk.php.net/manual/en/features.http-auth.php
If you only want your php docs protected then this is a perfectly
acceptable solution. Personally I use a perl module for authentication,
as I have other documents (pdf, html, xls) which need protecting. It also
stops other people from getting it wrong and leaving unprotected docs on
the system (we use DAV as a shared document store).

>> Read RFC2616 for the full specification (if you don't mind a severe
>> headache).
>
> I had indeed tried to, but I had failed to extract from it that the
> browser would resend the credentials for further requests in the same
> directory.

I'm not surprised; it's a huge document. It might not even be in there
at all. It could be a convention to assist users which isn't part of the
original RFC. I really can't be bothered to re-read the RFC though.

> Thanks for your help.

Jul 16 '05 #4
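The challenge-and-resend flow Kevin describes in #2, together with the session-based inactivity timeout Stephen asks about and Kevin confirms in #4, as an added PHP example; it is not code from the thread or from the manual page linked above. It assumes PHP 7.4 or later running as an Apache module (so PHP_AUTH_USER/PHP_AUTH_PW are populated), one constructed user whose password hash comes from password_hash(), and a 15-minute idle limit.

```php
<?php
// Added example: HTTP Basic auth handled entirely in PHP, plus a
// session-tracked inactivity timeout that forces the browser to
// re-prompt by reissuing the 401 challenge.
const REALM      = 'Members only';
const IDLE_LIMIT = 15 * 60;   // seconds of inactivity before re-authentication (assumed)

// Constructed credential store: username => password_hash() output.
// Real code loads this from a database rather than hashing at runtime.
$users = [
    'stephen' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// The 401 plus WWW-Authenticate header is what makes the browser pop up
// its login box; after that it resends the credentials with every
// request in the same protection space until it is closed.
function challenge(string $realm): void
{
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authentication required.';
    exit;
}

function credentialsValid(array $users, ?string $user, ?string $pw): bool
{
    if ($user === null || $pw === null || !isset($users[$user])) {
        return false;
    }
    // password_verify() compares against the stored hash in constant time.
    return password_verify($pw, $users[$user]);
}

session_start();

// Apache's mod_php decodes the Authorization header into these two entries.
$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pw   = $_SERVER['PHP_AUTH_PW'] ?? null;

// No credentials, or wrong ones: challenge the browser.
if (!credentialsValid($users, $user, $pw)) {
    challenge(REALM);
}

// Credentials are fine but the session has been idle too long: drop the
// session and reissue the 401 so the user has to re-enter them.
if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
    session_unset();
    session_destroy();
    challenge(REALM);
}
$_SESSION['last_seen'] = time();

echo 'Hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

Under CGI or FastCGI, PHP_AUTH_USER and PHP_AUTH_PW are not filled in automatically; the raw Authorization header has to be passed through to the script and base64-decoded there. That header is base64-encoded but otherwise in the clear and is resent on every request, so Basic auth belongs only behind TLS.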
Stephen Poley wrote:
> On Thu, 21 Aug 2003 12:38:04 +0100, Kevin Thorpe <ke***@pricetra k.com>
> wrote:
>
> [snip]
>
>> This is all site specific so you
>> don't need to worry about that. This simple authentication cannot handle
>> logging people off (at least from php), you have to use a different
>> method for that.
>
> So I gather the user-name/password could sit indefinitely in the
> browser, but when a request is made after a timeout (managed via session
> data) one can reissue the "401 Unauthorized" header and that forces the
> user to re-enter them - is that right?

Yes, but bear in mind that under some circumstances the fields will appear
already filled in.

>>> I also note that $_SERVER contains entries which seem to have nothing to
>>> do with the server, such as HTTP_USER_AGENT. Is there some logic here,
>>> or is this just one of the historical accidents to which the IT world
>>> seems so prone?
>>
>> A web browser often sends extra information with a request. The user
>> agent string is one of those headers. It's sometimes useful to adjust
>> your output depending on the capabilities of the browser.
>
> My question wasn't quite clear - I was wondering why that data was in
> $_SERVER specifically, and not $_GLOBALS or $_CLIENT or something. The
> manual is rather vague.

The server variables are more than just information supplied by the client.
They are the environment variables passed down by the server, which can
include pretty much anything. Headers supplied by the client are usually
prefixed with 'HTTP_'. I guess nobody thought that it would be worth going
to the trouble of separating out the client headers from the rest of the
environment variables (it might not even be possible to do correctly).

>> Read RFC2616 for the full specification (if you don't mind a severe
>> headache).
>
> I had indeed tried to, but I had failed to extract from it that the
> browser would resend the credentials for further requests in the same
> directory.

RFC 2616 is HTTP. You want RFC 2617, specifically:

"A client SHOULD assume that all paths at or deeper than the depth of the
last symbolic element in the path field of the Request-URI also are within
the protection space specified by the Basic realm value of the current
challenge. A client MAY preemptively send the corresponding Authorization
header with requests for resources in that space without receipt of another
challenge from the server."

-- <URL:http://www.ietf.org/rfc/rfc2617.txt>

--
Jim Dabell

Jul 16 '05 #5
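The two points Jim makes above, the RFC 2617 protection-space rule and the HTTP_ prefix on client-supplied $_SERVER entries, worked through as an added PHP example (not code from the thread). It assumes PHP 8 for str_starts_with(); the paths and the $_SERVER slice are constructed to mirror Stephen's "sister directory" experiment. The first two inProtectionSpace() calls reproduce that experiment; the third shows the check is on whole path segments, and clientHeaders() separates the browser-controlled entries from the ones the server sets itself.

```php
<?php
// Added example: the RFC 2617 "protection space" rule Jim quotes, and
// the HTTP_ prefix rule for client-supplied entries in $_SERVER.

// Protection space for a Basic challenge: everything at or below the
// directory of the Request-URI that triggered it. "The depth of the last
// symbolic element" means: strip the final path segment, keep the slash.
function protectionSpace(string $requestUri): string
{
    $path = parse_url($requestUri, PHP_URL_PATH) ?: '/';
    $cut  = strrpos($path, '/');
    return $cut === false ? '/' : substr($path, 0, $cut + 1);
}

// Would a browser preemptively resend credentials it obtained for
// $challengedUri when it later requests $newUri?
function inProtectionSpace(string $challengedUri, string $newUri): bool
{
    $space = protectionSpace($challengedUri);
    $path  = parse_url($newUri, PHP_URL_PATH) ?: '/';
    // $space ends in '/', so this matches whole segments only:
    // '/members/' covers '/members/x' but not '/membersx/'.
    return str_starts_with($path, $space);
}

// Client-supplied request headers appear in $_SERVER as HTTP_<NAME>;
// everything else there (SCRIPT_NAME, REMOTE_ADDR, PHP_AUTH_*, ...) is
// set by the server. Only the HTTP_ entries are under the browser's
// direct control, so treat them as untrusted input.
function clientHeaders(array $server): array
{
    $headers = [];
    foreach ($server as $key => $value) {
        if (str_starts_with($key, 'HTTP_')) {
            $name = ucwords(strtolower(str_replace('_', '-', substr($key, 5))), '-');
            $headers[$name] = $value;
        }
    }
    return $headers;
}

// Stephen's experiment: credentials obtained for /members/index.php are
// resent for a script below /members/ but not for one in /sister/.
var_dump(inProtectionSpace('/members/index.php', '/members/private/doc.php'));
var_dump(inProtectionSpace('/members/index.php', '/sister/index.php'));
var_dump(inProtectionSpace('/members/index.php', '/membersx/index.php'));

// Constructed $_SERVER slice, shaped like what mod_php populates.
$sample = ['HTTP_USER_AGENT' => 'Mozilla/5.0', 'HTTP_HOST' => 'example.org',
           'REMOTE_ADDR' => '203.0.113.5', 'PHP_AUTH_USER' => 'stephen'];
print_r(clientHeaders($sample));
```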
>>> Read RFC2616 for the full specification (if you don't mind a severe
>>> headache).
>>
>> I had indeed tried to, but I had failed to extract from it that the
>> browser would resend the credentials for further requests in the same
>> directory.
>
> RFC 2616 is HTTP. You want RFC 2617, specifically:
>
> "A client SHOULD assume that all paths at or deeper than the depth of the
> last symbolic element in the path field of the Request-URI also are within
> the protection space specified by the Basic realm value of the current
> challenge. A client MAY preemptively send the corresponding Authorization
> header with requests for resources in that space without receipt of another
> challenge from the server."
>
> -- <URL:http://www.ietf.org/rfc/rfc2617.txt>

A very large bottle of aspirin to that man!

Jul 16 '05 #6