I wrote an HTTP authentication function authenticate(). However, you are being forced to log in twice every time you use this function, and I honestly can't figure this out.
This might make things easier to understand:
This is index.php:
/*-------------------------------------------------------------------------------------------------------------------------------------------------------------------
Authentication Block - this block will determine whether or not user has logged in or has successfully logged in by checking:
1) IP address against stored value in project_globals.inc.php
2) Cookie for $projectFolderName
3) If they have remained in the utility or have gone elsewhere - then cookie should be overwritten
New 5/20/2004: User-defined variable $willUseSSL generated into project_global_plugin.inc.php will be a Boolean to
determine if there will need to be an SSL layer for the unauthenticated IVC. If the user has not yet logged in and
chose to set $willUseSSL to true in the installation, the script will redirect to an SSL layer and ask for authentication. A
check is also done to ensure that if the user is logged in yet remains in an SSL layer, they will be redirected out to ensure
full IVC functionality.
New 5/20/2004: The cookie with key of $projectFolderName will be checked first to bypass the unnecessary instantiation of
LoginSessionGenerator for performance enhancement. If the user logged in, the cookie exists and no need to check further.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------*/
if (($willAuthenticate || $willBasicAuthenticate) && $_COOKIE["$projectFolderName"]) $isLoggedIn = true; // NECESSARY FOR SSL-TO-NONSSL REDIRECTION
if (($willAuthenticate || $willBasicAuthenticate) && !$_COOKIE["$projectFolderName"]) {
    $errorArray = array();
    $lsg =& new LoginSessionGenerator();
    $lsg->handleLogin();
    $errorArray += $lsg->getErrorArray();
    $isLoggedIn = $lsg->isLoggedIn;
}
if ($_COOKIE["$projectFolderName"] || (($willAuthenticate || $willBasicAuthenticate) && $isLoggedIn) || !($willAuthenticate || $willBasicAuthenticate)) {
    $authBool = true;
} else {
    $authBool = false;
}
if ($willAuthenticate || $willBasicAuthenticate) $lsg = null;
This is the class LoginSessionGenerator method handleLogin() in classes.inc.php:
/**
* Check for login status either through WWW Basic Authentication (if $willBasicAuthenticate is true) or via IP verification
*
* @access public
*/
function handleLogin() { // VOID METHOD
    global $willBasicAuthenticate;
    if (!$this->isLoggedIn && $willBasicAuthenticate) $this->isLoggedIn = authenticate();
    if (!$this->isLoggedIn) {
        $this->validate(); // SEE IF THEY HAVE ALREADY LOGGED IN
        if (!$this->isLoggedIn && !$this->cannotLogin) $this->check(); // CHECK TO SEE IF LOGIN PROCESS USER ENTERED IS VALID
        if (!$this->isLoggedIn && !$this->cannotLogin) $this->displayLoginHTML(); // DISPLAY LOGIN HTML INNER TEMPLATE VIEW
    }
}
This is authenticate() in functions.inc.php:
/*--------------------------------------------------------------------------------------------
This function will utilize the ability to use HTTP-based WWW
Authentication, checking for the global authorized password against
the password entered in the client project's CSV file. Will not function
unless this password exists.
See http://www.php.net/manual/en/features.http-auth.php for more
info
---------------------------------------------------------------------------------------------*/
if (!function_exists('authenticate')) { // FUTURISTIC: IN CASE AN "authenticate" PHP FUNCTION IS MADE PART OF CORE IN THE FUTURE
    function authenticate() {
        global $username, $password, $projectFullName;
        if ($password && preg_match('/IIS/i', $_SERVER['SERVER_SOFTWARE']) && $_SERVER['HTTP_AUTHORIZATION']) {
            list($user, $pw) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
            if ($user === $username && $pw === $password) return true; // AUTHENTICATION SUCCESSFUL WITHIN IIS WITH ISAPI
        }
        if ($_SERVER['PHP_AUTH_USER'] && $password &&
            $_SERVER['PHP_AUTH_USER'] === $username && $_SERVER['PHP_AUTH_PW'] === $password
        ) return true;
        if ($password) {
            header("WWW-Authenticate: Basic realm=\"$projectFullName\"");
            header('HTTP/1.0 401 Unauthorized');
            echo "You must enter a valid login ID and password to access the $projectFullName\n";
            exit;
        }
    }
}
Phil
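
The Authorization-header parsing step from the IIS/ISAPI branch of authenticate(), written as a stand-alone added example that is not part of the original post: it validates the scheme and base64 payload, splits on the first colon only, and compares in constant time. The names parseBasicAuth() and checkBasicAuth() and the sample credentials are assumptions made for illustration; hash_equals() requires PHP 5.6 or later.

```php
<?php
// Added example, not code from the original post.
// parseBasicAuth() and checkBasicAuth() are hypothetical helper names.

/**
 * Parse the value of an "Authorization: Basic ..." header.
 * Returns array($user, $pw), or null when the header is malformed.
 */
function parseBasicAuth($header)
{
    // Match the scheme explicitly (case-insensitive) instead of assuming
    // that the credentials start at byte offset 6.
    if (!is_string($header)
        || !preg_match('/^Basic\s+([A-Za-z0-9+\/]+=*)\s*$/i', $header, $m)) {
        return null;
    }
    // Strict mode makes base64_decode() return false on invalid input.
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Limit of 2: only the first colon separates user from password,
    // so a password that itself contains ':' is not truncated.
    list($user, $pw) = explode(':', $decoded, 2);
    return array($user, $pw);
}

/** Check parsed credentials against the expected pair in constant time. */
function checkBasicAuth($header, $expectedUser, $expectedPw)
{
    $creds = parseBasicAuth($header);
    if ($creds === null) {
        return false;
    }
    // Evaluate both comparisons before combining them, so the time taken
    // does not reveal which field was wrong.
    $userOk = hash_equals($expectedUser, $creds[0]);
    $pwOk   = hash_equals($expectedPw, $creds[1]);
    return $userOk && $pwOk;
}

// Constructed sample values; the password deliberately contains a colon.
$header = 'Basic ' . base64_encode('phil:s3cr:et');
var_dump(parseBasicAuth($header));
var_dump(checkBasicAuth($header, 'phil', 's3cr:et'));
var_dump(checkBasicAuth('Basic !!!not-base64', 'phil', 's3cr:et'));
```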