David BERCOT wrote:
Hi,

I use this program to force a user to authenticate:

    if (!isset($_SERVER["PHP_AUTH_USER"])) {
        header("WWW-Authenticate: Basic realm=\"Intranet SDSED\"");
        header("HTTP/1.1 401 Unauthorized");
    }

Everything is ok except a detail: if the user makes a mistake (for example, a bad password), the variable $_SERVER["PHP_AUTH_USER"] is initialised. So, if he wants to do again the above test, another identification won't happen (because $_SERVER["PHP_AUTH_USER"] is already set).

I've tried:

    $_SERVER["PHP_AUTH_USER"] = NULL;

without success...

Do you have a clue?
there is also $_SERVER["PHP_AUTH_PWD"] which you can check. and rather than just checking whether $_SERVER["PHP_AUTH_USER"] is set why not also check that the contained value is something valid?

you can start by checking that $_SERVER["PHP_AUTH_USER"] is not empty:

    if (!isset($_SERVER["PHP_AUTH_USER"]) || empty($_SERVER["PHP_AUTH_USER"])) {
        // send headers
    }

or (pseudocode):

    if (!isset($_SERVER["PHP_AUTH_USER"]) ||
        empty($_SERVER["PHP_AUTH_USER"]) ||
        !isValidUserName($_SERVER["PHP_AUTH_USER"])) {
        // send headers
    }
Thank you very much. David.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
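An added example, not part of the original thread: PHP fills in the auth variables with whatever credentials the browser sent, right or wrong, so the gate has to verify them and answer 401 again on every failure. The $users store, its sample password and credentialsAreValid() are hypothetical names constructed for this sketch.

```php
<?php
// Added example (not code from the thread). $users and credentialsAreValid()
// are hypothetical; the realm string is the one used in the question.

// Constructed sample store: username => password hash. A real application
// would load hashes created earlier with password_hash(), not build them
// on every request.
$users = [
    'david' => password_hash('constructed-sample-password', PASSWORD_DEFAULT),
];

function credentialsAreValid(array $users, ?string $user, ?string $password): bool
{
    if ($user === null || $user === '' || $password === null) {
        return false;
    }
    // Unknown users are checked against a dummy hash so that both paths
    // perform a password_verify() call.
    static $dummy = null;
    $dummy ??= password_hash('constructed-dummy', PASSWORD_DEFAULT);
    $known = array_key_exists($user, $users);
    $ok = password_verify($password, $known ? $users[$user] : $dummy);
    return $known && $ok;
}

// PHP exposes the Basic auth password as PHP_AUTH_PW.
$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$password = $_SERVER['PHP_AUTH_PW'] ?? null;

if (!credentialsAreValid($users, $user, $password)) {
    // Missing or wrong credentials: challenge again. Being set is not
    // the same as being correct.
    header('WWW-Authenticate: Basic realm="Intranet SDSED"');
    header('HTTP/1.1 401 Unauthorized');
    echo 'Authentication required.';
    exit; // stop here so protected content is never sent with the 401
}

echo 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

Because the browser resends the Authorization header on every request to the realm, this check has to run on each protected page, not only on the first one.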