

ask about HTTP Auth ?


2 replies to this topic

#1 joe


Posted 26 March 2007 - 07:51 AM

I've been working with HTTP Auth for login to the restricted area...
This is my code...

<?php
 //File Name : HTTP_Auth_2.php
 ob_start();
 session_start();
 require "connect.php";
 
 if(!isset($_SERVER['PHP_AUTH_USER']))
 {
   auth();
   echo '<h1>Hacking Attemped</h1>';
   exit();
 }
 else
 {
   $username = addslashes(strip_tags($_SERVER['PHP_AUTH_USER']));
   $pass = addslashes(strip_tags($_SERVER['PHP_AUTH_PW']));
   
   $result = mysql_query("select * from user where name='$username' and pass='$pass'") or die(mysql_error());
   $data = mysql_fetch_array($result);
   if(($data[pass] == $pass) && ($data[name] == $username))
   {
	 session_register("username");
	 session_register("pass");
	 
	 $_SESSION['username'] = $username;
	 $_SESSION['pass'] = $pass;
	 
	 header("Location:home.php");
	 exit();
   }
   else
   {
	 auth();   
	 echo "Enter a valid username and password !!";
   }
 }
 
 function auth()
 {
   header('WWW-Authenticate: Basic realm="Restricted Area"');
   header('HTTP/1.0 401 Unauthorized');
 }
 
 ob_end_flush();
?>

<?php
 //File Name : logout.php
 ob_start();
 session_start();
 
 unset($_SESSION['username']);
 unset($_SESSION['pass']);
 session_destroy();
 
 header("Location:HTTP_Auth_2.php");
 
 ob_end_flush();
?>

Problem :
- Planning Algorithm : HTTP_Auth_2.php (redirect) -> home.php -> logout.php (redirect) -> HTTP_Auth_2.php
- Implementation Algorithm : HTTP_Auth_2.php -> home.php ->logout.php
In the implementation, after I press the link to logout.php, my browser doesn't want to go to the page HTTP_Auth_2.php.
It stops on the page logout.php!! Why??? And if I use a new tab in the same Firefox window and then access the page HTTP_Auth_2.php, my browser goes directly to the page home.php and bypasses the page HTTP_Auth_2.php!!
But when I close that browser, start a new window and go to the page HTTP_Auth_2.php, it shows me the HTTP Auth...
I think the problem is in the session...
Please correct me...

Thanks for the answer and the response...

best regards...
joe

#2 rc69


Posted 29 March 2007 - 08:24 PM

<?php
//File Name : HTTP_Auth_2.php
session_start();
require 'connect.php';

function auth()
{
   header('WWW-Authenticate: Basic realm="Restricted Area"');
   header('HTTP/1.0 401 Unauthorized');
}

if(!isset($_SERVER['PHP_AUTH_USER']))
{
   auth();
   echo '<h1>Hacking Attemped</h1>';
   exit;
}
else
{
   $username = mysql_real_escape_string($_SERVER['PHP_AUTH_USER']);
   $pass = mysql_real_escape_string($_SERVER['PHP_AUTH_PW']);
   
   $result = mysql_query("SELECT name,pass FROM user WHERE name='$username' AND pass='$pass'") or die(mysql_error());
   $data = mysql_fetch_assoc($result);
   if(($data['pass'] == $pass) && ($data['name'] == $username))
   {
	 session_register('username');
	 session_register('pass');
	 
	 $_SESSION['username'] = $username;
	 $_SESSION['pass'] = $pass;
	 
	 header("Location: ./home.php");
	 exit;
   }else{
	 auth();   
	 echo 'Enter a valid username and password!!';
   }
}
?>

<?php
//File Name : logout.php
session_start();

unset($_SESSION['username'], $_SESSION['pass'], $_SERVER['PHP_AUTH_USER']);
session_destroy();

header("Location: ./HTTP_Auth_2.php");
?>

First, you need to read up on some PHP standards, specifically Array do's and don'ts.

Secondly, I cleaned up the code a bit and hopefully fixed the problem with your logic. When you open a new tab without closing the window, isset($_SERVER['PHP_AUTH_USER']) returns true, so of course it would assume you logged in and skip to the next step. Sending it through unset() when you log out should fix this (theoretically).

The rest of your problems I don't quite understand, so if you could explain whatever is yet to be fixed a little better I may be able to help you better :D

#3 joe


Posted 31 March 2007 - 12:32 PM

Thanks a lot rc69 for your correction of my programming... :) :(
Sorry rc69 for my bad explanation... :( :(
But I totally understand, and your answers make it clear to me now... :) :)
What I mean is: I log in through HTTP_Auth_2.php and it sends me to home.php, and then I log out. Then I go to the file HTTP_Auth_2.php, but the browser didn't send me an HTTP Authentication and skipped this stage (authentication by HTTP) and sent me directly to the file home.php.
Why does the browser skip the authentication process?? But when I run a new browser by clicking a shortcut on the desktop and then run the file HTTP_Auth_2.php, the browser doesn't skip the authentication process??
Can this problem be fixed?? Because theoretically authentication can be done...
Hope you aren't confused....

Second, should I use HTTP Authentication or make a login form for logging into the restricted page??? Because I want to prevent sniffing if I'm using a login form... Mmmmm, by the way, can sniffing get the user's username and password if I'm using HTTP Authentication??

Thanks for your response and answers...
Best Regards...

Joe...
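
Added example, not part of the thread or either poster's code: a CLI simulation of the exchange described above, showing that the browser re-sends its cached Basic credentials after logout, that the header is only base64-encoded, and one way to force a fresh prompt with a session flag. The names parse_basic, login_page, logout and force_prompt, and the user joe / s3cret, are constructed for illustration.

```php
<?php
// Added example: simulates browser and server from the command line.
// Constructed data: user "joe", password "s3cret"; all names are hypothetical.

// The Basic "Authorization" header is base64("user:pass"): an encoding,
// not encryption, so it is only safe from sniffing when sent over HTTPS.
function parse_basic(?string $header): ?array
{
    if ($header === null || stripos($header, 'Basic ') !== 0) return null;
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) return null;
    return explode(':', $decoded, 2);             // [user, password]
}

// One request to the login page. $session stands in for $_SESSION.
function login_page(?string $authHeader, array &$session, array $users): array
{
    $creds = parse_basic($authHeader);
    // After logout, answer 401 once even though the browser re-sent its
    // cached credentials; unset() on $_SERVER cannot stop that re-send.
    if ($creds === null || !empty($session['force_prompt'])) {
        unset($session['force_prompt']);
        return [401, 'WWW-Authenticate: Basic realm="Restricted Area"'];
    }
    [$user, $pass] = $creds;
    if (password_verify($pass, $users[$user] ?? '')) {
        $session['username'] = $user;             // never store the password
        return [302, 'Location: ./home.php'];
    }
    return [401, 'WWW-Authenticate: Basic realm="Restricted Area"'];
}

function logout(array &$session): void
{
    $session = ['force_prompt' => true];          // drop login, remember logout
}

$users   = ['joe' => password_hash('s3cret', PASSWORD_DEFAULT)];
$session = [];
// The browser caches this header and sends it with every request to the realm.
$cached  = 'Basic ' . base64_encode('joe:s3cret');

echo implode(' ', parse_basic($cached)), "\n";          // what a sniffer recovers
echo login_page($cached, $session, $users)[0], "\n";    // first login
logout($session);
echo login_page($cached, $session, $users)[0], "\n";    // same header after logout
echo login_page($cached, $session, $users)[0], "\n";    // after the user re-enters
```

The request made right after logout() carries the same header as before and is still answered with 401, which is what makes the browser ask for credentials again.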




