problem with http authentication in iis

Anon

so i've been trying to set up a database-based password protection scheme for this site i'm working on, and i've gotten seriously stuck.

i'm running php3 as a module on iis, and i've turned off the windows integration garbage on the folder i want secured. tacking the script below into an include used on all my pages seemed to do the trick, but that was in netscape 4.7. when i test the page in ie 5 and mozilla 0.9.6, i get tossed straight to the "Unauthorized" page without being prompted for a username/password ...

any idea what i'm missing?

tia.

now, that script:

if(!isset($PHP_AUTH_USER)) {
Header( "HTTP/1.0 401 Unauthorized");
Header("WWW-Authenticate: Basic realm=\"Restricted\"");
}

else {

$query = "SELECT userID, username, password FROM accounts
WHERE password = '$PHP_AUTH_PW' AND username = '$PHP_AUTH_USER'";

$result = @($query)
or die($query_error);

									$num = mysql_numrows($result);

if ($num != "0") {

$row = mysql_fetch_array ($result);
$userID = $row["userID"];
$authenticated = "1";
echo $userID;
}
}

if(!$authenticated) {
header("WWW-Authenticate: Basic realm=\"Restricted\"");
header("Status: 401 Unauthorized");

exit;
}

meni0n

Hmm.. Did you consider using sessions? They're very easy to use and much better than the method above.

Anon

sessions, eh? i'll have to look a little more closely at that.

i was hoping to use http authentication because it'd be easier on my users ... i need this section of the site secured, as it's where the users can input and edit info into the database. i'd thought that authenticating through php would be an easy way of letting my users maintain their account information, identifying what information they've added (as opposed to information added by others), and at the same time restricting what information they have the ability to change. there may be some way i can work this with sessions (or by having some kind of cookied second login),
hadn't really investigated that angle (i didn't think php3 could handle sessions?).

regarding my code. it looks like the problem may lie in the "realm" identification. i noticed that when i do get the password popup, it's "for unknown".

weird.

thanks for the tip ...

meni0n

Hey,
sessions can be done with php. a quick example:

do a login script with forms then:

session_start();

database authentication

if check is good:

$verified_user= $name;
session_register('verified_user');
header("location: http://blah.php");

then on pages u want protected:

session_start();
if(session_is_registered('verified_user')) {

you code

}