The goal here is to use basic authentication for a user to log in, but keep a
cookie so that they don't have to log in every browser session.
<?php
$user = "user";
$pass = "pass";
// If the cookies don't already carry valid credentials, fall back to HTTP Basic auth.
if ( !isset($_COOKIE['user']) OR !isset($_COOKIE['pass']) OR
     ($_COOKIE['user'] != $user) OR ($_COOKIE['pass'] != $pass) ) {
    if (
        (!isset( $_SERVER['PHP_AUTH_USER'] )) OR
        (!isset($_SERVER['PHP_AUTH_PW'])) OR
        ( $_SERVER['PHP_AUTH_USER'] != $user ) OR
        ( $_SERVER['PHP_AUTH_PW'] != $pass )
    ) {
        header( 'WWW-Authenticate: Basic realm="test"' );
        header( 'HTTP/1.0 401 Unauthorized' );
        echo 'Authorization Required.';
        exit;
    }
}
// After a successful Basic auth, keep the credentials in cookies so the
// browser is not challenged again until they expire.
if ( isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) AND
     ( $_SERVER['PHP_AUTH_USER'] == $user ) AND ( $_SERVER['PHP_AUTH_PW'] == $pass ) ) {
    setcookie("user", $user, time()+99999, "/");
    setcookie("pass", $pass, time()+99999, "/");
}
echo '<pre>cookie:';
print_r($_COOKIE);
echo "<BR>";
echo 'auth-user: '.($_SERVER['PHP_AUTH_USER'] ?? '');
echo '<BR>auth-pass: '.($_SERVER['PHP_AUTH_PW'] ?? '');
?>
thanks for the look
On Fri, 06 Jun 2008 00:40:15 +0200, J. Frank Parnell <po*@edgecity.ufo>
wrote:
> The goal here is to use basic authentication for a user to log in, but keep a
> cookie so that they don't have to log in every browser session.
Anything wrong, or do you just want input?
If the latter:
0) Don't use short tags (use <?php ?> instead of <? ?>).
1) I'd hate to store plain passwords in cookies at the user's computer,
which not only usually are stored plainly on the HD there, but are also
sent on _every_ request. I usually create a hash unrelated to user/pass
details, and store that as valid for that user(-id); if that's too much you
could encrypt a pass + a secret using some of the available encryption
techniques used in PHP.
2) I have long ago decided against HTTP authentication 'cause save for
closing the browser or deleting ALL remembered passwords, there is no easy
way to log out for the user in most common UA's. Sessions & a simple
login form are IMO the way to go.
.... then again, I'm so used to applying only this technique I might not be
able to make an unbiased comment, it's what I know best :)
--
Rik Wasmus
....spamrun finished
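As an added illustration of Rik's point 1 (this is not code from the thread or from any poster): a "remember me" cookie that carries a random token with no relation to the password, while the server keeps only a hash of that token keyed to the user id. The in-memory `$store` array and the function names are assumptions standing in for a real server-side table.

```php
<?php
// Added example, not from the thread: a remember-me cookie done the way Rik
// describes. The cookie value is random, unrelated to the password, and the
// server stores only its hash. $store (an array) stands in for a DB table.
declare(strict_types=1);

const TOKEN_TTL = 30 * 86400;  // cookie lifetime in seconds (30 days)

// Create a token for $userId and return the value to put in the cookie.
function issue_remember_token(array &$store, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(8));   // lookup key, safe to index on
    $validator = bin2hex(random_bytes(32));  // secret half; only its hash is kept
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => $now + TOKEN_TTL,
    ];
    return $selector . ':' . $validator;
}

// Return the user id a cookie value proves, or null if it is unknown,
// tampered with, or expired.
function validate_remember_token(array $store, string $cookie, int $now): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    $row = $store[$parts[0]];
    if ($row['expires'] < $now) {
        return null;
    }
    // hash_equals() compares in constant time, so a wrong validator
    // cannot be narrowed down byte by byte through response timing.
    if (!hash_equals($row['hash'], hash('sha256', $parts[1]))) {
        return null;
    }
    return $row['user_id'];
}

// Demo against the in-memory store. On a real page the value would be sent with
// setcookie('remember', $cookie, ['expires' => time() + TOKEN_TTL, 'path' => '/',
//           'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
$store  = [];
$now    = time();
$cookie = issue_remember_token($store, 42, $now);
var_dump(validate_remember_token($store, $cookie, $now));                  // valid cookie
var_dump(validate_remember_token($store, $cookie . 'x', $now));            // altered validator
var_dump(validate_remember_token($store, $cookie, $now + TOKEN_TTL + 1));  // past expiry
```

Because the stored value is a hash, a copy of the table alone does not yield working cookies, and a single row can be deleted to log that browser out without touching the password.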
On Jun 5, 6:40 pm, J. Frank Parnell <p...@edgecity.ufo> wrote:
> The goal here is to use basic authentication for a user to log in, but keep a
> cookie so that they don't have to log in every browser session.
I agree $_SESSION is the way to go, just had this discussion again at
work and I was in favor of a small client cookie to band-aid an old
script we have, my coworker talked me out of it :(
I have a simple but probably overly complex OOP login script that uses
sessions if you would like to look at it? (it does more) I'd be happy
to email it to you.
On Fri, 06 Jun 2008 09:04:08 +0200, "Rik Wasmus" <lu************@hotmail.com>
wrote:
>On Fri, 06 Jun 2008 00:40:15 +0200, J. Frank Parnell <po*@edgecity.ufo> wrote:
>>The goal here is to use basic authentication for a user to log in, but keep a cookie so that they don't have to log in every browser session.
>Anything wrong, or do you just want input?
Just input :) I was basically wanting to know if I had left any holes in the
script, or if there were reasons that the script was less than optimal, like...
>1) I'd hate to store plain passwords in cookies at the user's computer, which not only usually are stored plainly on the HD there, but are also sent on _every_ request. I usually create a hash unrelated to user/pass details, and store that as valid for that user(-id); if that's too much you could encrypt a pass + a secret using some of the available encryption techniques used in PHP.
I don't usually have reason to believe that the user's computer will be physically
stolen and spied on, but good point nonetheless.
The cookie being sent on every request is bad why? Because that gives more
chance for an eavesdropper to see them? Again, point taken.
The cookie is the main reason for this script, just to save the user from logging
in every time. But, because of your concerns, I may just tell him to deal with
it :)
> 2) I have long ago decided against HTTP authentication 'cause save for closing the browser or deleting ALL remembered passwords, there is no easy way to log out for the user in most common UA's. Sessions & a simple login form are IMO the way to go.
Logging out is not really a concern, as of yet.
Thanks for your time and comments, they're appreciated.
On Fri, 6 Jun 2008 03:24:03 -0700 (PDT), The Hajj <ha***********@gmail.com>
wrote:
>On Jun 5, 6:40 pm, J. Frank Parnell <p...@edgecity.ufo> wrote:
>>The goal here is to use basic authentication for a user to log in, but keep a cookie so that they don't have to log in every browser session.
>I agree $_SESSION is the way to go, just had this discussion again at work and I was in favor of a small client cookie to band-aid an old script we have, my coworker talked me out of it :(
>I have a simple but probably overly complex OOP login script that uses sessions if you would like to look at it? (it does more) I'd be happy to email it to you.
I'd like to have a look-see, that would be great. dddougxxx at the mail that
google provides.
I have downloaded and played with http://www.phpsecurepages.com/ Is yours
similar?