Quoting Rory Browne <rory.browne@xxxxxxxxx>:
I've got a bit lost on this, but assuming that we are talking about an intranet environment, with Windows/IE6 clients, and Apache servers, then personally: I would check logins based on a valid session. If the user doesn't have a session they aren't logged in. Store the username in the session variable. PHP session variables are AFAIK designed to be hard to detect and fake. Any code that is run under a http:// website (as opposed to an SSL or https:// one) reads the session (i.e. does not write to it). Any authentication should be done using a script accessed over https, protected by mod_auth_kerb. The http:// script would be accessed by the person when they first access the protected site. The protected site would detect that the user is not logged in, and redirect them to the authentication site (which is behind mod_auth_kerb, and https), which would create the session, and redirect the user back to the page they originally tried to access.
I think you're talking about the user logging on once through a web page and carrying that authentication throughout. We're (or *I* am, at least) talking about the user logging on to the network (LDAP or, in my case, Active Directory) and using those credentials for the web applications.
Rick
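
The flow described in the quoted text, sketched as an added example (not code from either poster): a PHP login script served over HTTPS behind mod_auth_kerb that turns the Kerberos-authenticated `REMOTE_USER` into a session and sends the user back to the page they came from. The `return` query parameter, the session key names and the `EXAMPLE.LOCAL` realm are assumptions made for illustration.

```php
<?php
// login.php: served only over https://, in a location protected by mod_auth_kerb.
// Assumptions (not from the thread): the originating page passes its own path
// in ?return=..., and the Kerberos realm is EXAMPLE.LOCAL (placeholder).

const EXPECTED_REALM = 'EXAMPLE.LOCAL'; // placeholder realm

// Apache sets REMOTE_USER only after mod_auth_kerb has accepted the credentials.
$principal = $_SERVER['REMOTE_USER'] ?? '';
$overTls   = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
if ($principal === '' || !$overTls) {
    http_response_code(403);
    exit('Not authenticated');
}

// Principals look like user@REALM; reject an unexpected realm or odd user part.
$parts = explode('@', $principal, 2);
$user  = $parts[0];
$realm = $parts[1] ?? '';
if (strcasecmp($realm, EXPECTED_REALM) !== 0
    || !preg_match('/^[A-Za-z0-9._-]+\z/', $user)) {
    http_response_code(403);
    exit('Unexpected principal');
}

session_start();
// Issue a new session ID at login so an ID handed out before authentication
// (for example over plain http) cannot be reused afterwards (session fixation).
session_regenerate_id(true);
$_SESSION['username']         = $user;
$_SESSION['authenticated_at'] = time();

// Redirect only to a local absolute path: one leading slash, no "//" or "/\",
// no CR/LF. Anything else falls back to the site root (avoids open redirects).
$return = $_GET['return'] ?? '/';
if (!is_string($return) || !preg_match('#^/(?![/\\\\])[^\r\n]*\z#', $return)) {
    $return = '/';
}
header('Location: http://' . $_SERVER['SERVER_NAME'] . $return);
exit;

// The http:// pages then only read the session:
//   session_start();
//   if (!isset($_SESSION['username'])) { /* redirect to https://.../login.php */ }
```

Because the plain-HTTP pages must receive the session cookie, it cannot carry the `Secure` flag in this design, so the session ID crosses the intranet unencrypted.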