[Resolved] header('WWW-Authenticate:...

bad76

Hi,
i would want to login with www-authenticate header, but i can't do the retry...

After first login, if wrong, i can't go back and retry again, because the $PHP_AUTH_USER is always set.

Anyone can tells me how i can do this?

My last not-working code...

<?
if (!isset($PHP_AUTH_USER)) {
  header('WWW-Authenticate: Basic realm="my Realm"');
  header('HTTP/1.0 401 Unauthorized');
  echo 'User Stop';
  exit;
} else {
  header("Location: login.php?User=$_SERVER['PHP_AUTH_USER']");
  unset($_SERVER['PHP_AUTH_USER']);
  unset(PHP_AUTH_USER);
}
?>

seby

hello, try something like this:

if (!isset($_SERVER['PHP_AUTH_USER']) && !isset ($_SERVER['PHP_AUTH_PW']))
{ 
  header('WWW-Authenticate: Basic realm="my Realm"'); 
  header('HTTP/1.0 401 Unauthorized'); 
  echo '<b>Authorization Required - Access Denied!</b>';
  // now unset user/name entered to retry
  unset($_SERVER['PHP_AUTH_USER']);
  unset($_SERVER['PHP_AUTH_PW']);
  exit; 
} 
else 
{ 
	// user is now auth
	echo 'Welcome ' . $_SERVER['PHP_AUTH_USER']; 
}

seby

also, you can make a logout.php with:

unset($_SERVER['PHP_AUTH_USER']); 
unset($_SERVER['PHP_AUTH_PW']);

so you can logout later.

laserlight

hmm... what if empty() was used instead?

bad76

All this seems not work.
If i type the wrong password, i have to quit the explorer...

[edit]
(latest buggy code...)

<?
if (!isset($_SERVER['PHP_AUTH_USER']) || 
    !isset($_SERVER['PHP_AUTH_PW']) ||
    empty($_SERVER['PHP_AUTH_USER']) || 
    empty($_SERVER['PHP_AUTH_PW']) 
) {
  header('WWW-Authenticate: Basic realm="myRealm"');
 	header('HTTP/1.0 401 Unauthorized');
 	echo 'User cancel';
 	exit;
} else {
	$User=$_SERVER['PHP_AUTH_USER'];
	$Pass=$_SERVER['PHP_AUTH_PW'];

unset($_SERVER['PHP_AUTH_USER']);  
unset($_SERVER['PHP_AUTH_PW']);
header("Location: admin/login.php?User=$User");
}
?>

[/edit]

laserlight

Desperate measures, we loop it:

<?php
if (empty($_SERVER['PHP_AUTH_USER']) || empty($_SERVER['PHP_AUTH_PW']))
{
	header('WWW-Authenticate: Basic realm="My Realm"');
	header('HTTP/1.0 401 Unauthorized');
	echo 'Access denied';
	exit;
}
else
{
	if ($_SERVER['PHP_AUTH_USER'] === 'bad76' && $_SERVER['PHP_AUTH_PW'] === 'seby')
	{
		echo 'Access granted';
	}
	else
	{
		header('WWW-Authenticate: Basic realm="My Realm"');
		header('HTTP/1.0 401 Unauthorized');
		exit;
	}
}
?>

bad76

hmm...
is not so easy because i login in another file, also used from other application and access... but is a good hint...

I do it with temporary cookie.

But it's a bit strange there isn't a way to unset $_SERVER var...

thanks all..

bad76

After all,
reading/writing a lot, this is my solution, it's the easiest i can write.

 
<?
if (isset($_COOKIE["my_auth"]))
	$my_auth=$_COOKIE["my_auth"];

if (!isset($my_auth) || ($my_auth!="1")) {
 	setcookie("my_auth","1");
	header('WWW-Authenticate: Basic realm="myrealm"');
 	header('HTTP/1.0 401=20 Unauthorized');
 	echo 'Operazione Annullata';
 	exit;
} else {
 	setcookie("my_auth","0");
	$User=$_SERVER['PHP_AUTH_USER'];
	$Pass=$_SERVER['PHP_AUTH_PW'];
	header("Location: login.php?User=$User");
}
?>

I post this to avoid some other guy to spent about six hours into this poor problem 🙁

see you