I have used the simple example of HTTP Authentication from the PHP website
as follows:
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    // My authentication code here
}
?>
At the moment, if the user gets it wrong they are locked-out until they
restart their browser. However, I want the user to have, say, five attempts
before being locked-out. I guess I need a counter so that I can
unset($_SERVER['PHP_AUTH_USER']); if there are any attempts remaining, but
I can't work out a way to make the counter persistent across attempts.
All ideas welcome.
Sparkplug wrote: At the moment, if the user gets it wrong they are locked-out until they restart their browser. However, I want the user to have, say, five attempts before being locked-out. I guess I need a counter so that I can
If you use HTTP basic authentication there is no way to influence it.
The webserver handles the authentication and that's about it. There are
no options for basic authentication (at least none I am aware of) in
Apache. It's a take it (and let the server handle it its way) or leave
it (and program your own authentication, which might be less secure,
buggy, prone to database manipulation, ...).
You do have 3 tries for basic authentication though. At least that's the
way Apache handles it, I don't know about other webservers.
Bye!
On Thu, 02 Dec 2004 16:26:06 +0100, Anonymous <an*******@nowhere.invalid>
wrote: Sparkplug wrote:
At the moment, if the user gets it wrong they are locked-out until they restart their browser. However, I want the user to have, say, five attempts before being locked-out. I guess I need a counter so that I can
If you use HTTP basic authentication there is no way to influence it. The webserver handles the authentication and that's about it. There are no options for basic authentication (at least none I am aware of) in Apache. It's a take it (and let the server handle it its way) or leave it (and program your own authentication, which might be less secure, buggy, prone to database manipulation, ...).
You do have 3 tries for basic authentication though. At least that's the way Apache handles it, I don't know about other webservers.
I'm running Apache on W2K for development and Linux for production and in
each case it only gives me one shot. Any more ideas?
--
Using Opera's revolutionary e-mail client: http://www.opera.com/m2/
"Sparkplug" <sp*******@nowhere.net> wrote in message
news:opsidypgpufps5jf@cblaptop... I have used the simple example of HTTP Authentication from the PHP website as follows:
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    // My authentication code here
}
?>
At the moment, if the user gets it wrong they are locked-out until they restart their browser. However, I want the user to have, say, five attempts before being locked-out. I guess I need a counter so that I can unset($_SERVER['PHP_AUTH_USER']); if there are any attempts remaining, but I can't work out a way to make the counter persistent across attempts.
All ideas welcome.
I don't see why the user would get locked out. HTTP is stateless. Each
request is independent of each other. IE does not bring up the
authentication dialog box again after three failed attempts. But it will do
so again if you refresh the page. Netscape on the other hand would keep
showing the dialog box as long as it's receiving the status code 401.
Perhaps the problem here is your code. Are you sending 401 when the
username/password pair is incorrect? The absence of the PHP_AUTH_USER
needn't really be handled separately. No username/password is--for the
most part--the same as wrong username/password.
As for limiting the number of attempts, the only effective way to do this
is to save the time of each attempt in a database or a file on the server,
then count the number of attempts within a given time period.
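An added example, not part of the original posts: one way to implement the server-side attempt log described in the reply above, using a locked JSON file keyed by user name and client address. The constants, the log path and the demo account are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread; all values below are constructed.
const MAX_ATTEMPTS = 5;    // failed attempts allowed per key...
const WINDOW = 900;        // ...within this many seconds

// Return the number of failures for $key inside the window; with $record
// set, add one first. The file is locked so parallel requests cannot race.
function failures(string $file, string $key, bool $record): int
{
    $fh = fopen($file, 'c+');              // create if missing, keep contents
    if ($fh === false) {
        return MAX_ATTEMPTS;               // cannot count: fail closed
    }
    flock($fh, LOCK_EX);
    $log = json_decode(stream_get_contents($fh) ?: '{}', true) ?: [];
    $recent = array_values(array_filter($log[$key] ?? [], fn($t) => $t > time() - WINDOW));
    if ($record) {
        $recent[] = time();
    }
    $log[$key] = $recent;                  // expired entries are dropped here
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($log));
    fclose($fh);                           // closing releases the lock
    return count($recent);
}

function challenge(): void
{
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    exit('You are not authorised to access this page.');
}

$users = ['demo' => password_hash('constructed-password', PASSWORD_DEFAULT)];
$file = sys_get_temp_dir() . '/auth_attempts.json';
$user = $_SERVER['PHP_AUTH_USER'] ?? null;
// Count per user name and client address; the state never leaves the server.
$key = hash('sha256', $user . '|' . ($_SERVER['REMOTE_ADDR'] ?? ''));

if (failures($file, $key, false) >= MAX_ATTEMPTS) {
    header('HTTP/1.0 429 Too Many Requests');   // no challenge: no new prompt
    exit('Too many failed attempts. Try again later.');
}
if ($user === null || !password_verify($_SERVER['PHP_AUTH_PW'] ?? '', $users[$user] ?? '')) {
    failures($file, $key, $user !== null); // record only real attempts
    challenge();
}
echo 'Welcome, ' . htmlspecialchars($user);
```

Because the log lives on the server, restarting the browser or discarding client-side state does not reset the count; entries simply age out of the window.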
On Thu, 2 Dec 2004 20:32:46 -0500, Chung Leong <ch***********@hotmail.com>
wrote: "Sparkplug" <sp*******@nowhere.net> wrote in message news:opsidypgpufps5jf@cblaptop... I have used the simple example of HTTP Authentication from the PHP website as follows:
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    // My authentication code here
}
?>
At the moment, if the user gets it wrong they are locked-out until they restart their browser. However, I want the user to have, say, five attempts before being locked-out. I guess I need a counter so that I can unset($_SERVER['PHP_AUTH_USER']); if there are any attempts remaining, but I can't work out a way to make the counter persistent across attempts.
All ideas welcome.
I don't see why the user would get locked out. HTTP is stateless. Each request is independent of each other. IE does not bring up the authentication dialog box again after three failed attempts. But it will do so again if you refresh the page. Netscape on the other hand would keep showing the dialog box as long as it's receiving the status code 401.
Perhaps the problem here is your code. Are you sending 401 when the username/password pair is incorrect? The absence of the PHP_AUTH_USER needn't really be handled separately. No username/password is--for the most part--the same as wrong username/password.
As for limiting the number of attempts, the only effective way to do this is to save the time of each attempt in a database or a file on the server, then count the number of attempts within a given time period.
Bingo! I wasn't sending the headers after an unsuccessful attempt. The
code should look like this:
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    // My authentication code here (sets $AuthenticationFailed)
    if ($AuthenticationFailed == true) {
        // Send the challenge again so the browser re-prompts
        header('WWW-Authenticate: Basic realm="My Realm"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'You are not authorised to access this page.';
        exit;
    }
}
?>
Many thanks.
--
Using Opera's revolutionary e-mail client: http://www.opera.com/m2/
Sparkplug <sp*******@nowhere.net> wrote in message news:<opsidypgpufps5jf@cblaptop>... At the moment, if the user gets it wrong they are locked-out until they restart their browser. However, I want the user to have, say, five attempts before being locked-out. I guess I need a counter so that I can unset($_SERVER['PHP_AUTH_USER']); if there are any attempts remaining, but I can't work out a way to make the counter persistent across attempts.
The answer to the "persistent" question will always be: cookie or session
You could send a cookie with the 401 and check it..
Or use a session...