Im trying to create a situation where I can have a default username and login using basic php authentication. If I specify $PHP_AUTH_USER="guest"; and $PHP_AUTH_PW="pass"; then send a header("Location: second.php"); , second.php can not get $PHP_AUTH_PW and $PHP_AUTH_USER. without passing the info through the URL, how can I specify I global $PHP_AUTH_USER and PW like the browser does?

    HI
    I would like to know how do i make a page expire without using session handling.
    The problem is.....A user logs in....visits 2 or 3 pages and by clicking the back key on the browser can still come back to the login page where the password and login are entered. All i want to know is how do i stop him from going back to that page.Kindly reply soon as i need it for my project.
    I am using Php3.0.16 on Linux.

      Maybe you should use cookies (i.e. setcookie("loggedin","yes"...etc.) rather then PHP_AUTH_USER and apache's security?

      Just a suggestion.

        Maybe you should use cookies (i.e. setcookie("loggedin","yes"...etc.) rather then PHP_AUTH_USER and apache's security?

        Just a suggestion.

          This just hit me-

          PHP_USER_AUTH is a convenience variable gotten from HTML headers. You can read up specifically on it at
          http://www.faqs.org/rfcs/rfc2617.html
          ...in section 11.1.

          Basically PHP populates that info based on a header that the browser sends:

          Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

          If you can get the browser to send the above variable, then you're in business, and PHP will populate PHP_AUTH_USER for you.

          The browser should respond with an "Authorization:" field after it recieves a "WWW-Authenticate: Basic realm="WallyWorld"" header from either apache, or your PHP script. The trouble is that it responds with an Authorization field based on what the user types in, and I can't think of a way that you can force a browser to send you a specific header.

          There's a lot of issues here, but it might be easiest to just tell users to log in as guest/guest if they don't have a password.

          HTH!

          --Robert

            $string = base64_encode($PHP_AUTH_USER.":".$PHP_AUTH_PW);

            header("WWW-Authenticate: Basic realm=\"Intranet\"");
            header("Authorization: Basic $string\n");

            header("Location: files/view.php\n");

            I tried this...and the view.php does not get the $PHP_AUTH_USER...I might have to add a few lines in view.php to get the headers and decode the basic string.

              2 years later

              Has anyone actually found a way of authorisation without requiring users to enter the information via browsers??

              I have looked everywhere.

                Write a Reply...