scubak1w1 wrote:
""Michael A. Peters"" <mpeters@xxxxxxx> wrote in message
news:49E41267.5010302@xxxxxxxxxx
scubak1w1 wrote:
I have a series of web sites which use https:// authentication (using AD
integration to 'check the credentials' as it were) - all seems to be
working well..
I have been Googling et al. for a way to log the user off the site
"fully"...
I can do a series of things on the server side per Dreamweaver's Server
Behaviour / User Authentication | Log Out User, etc - but the client's
browser cache (?) still keeps the credentials, and so if they return to
the site (say, with their back button) they can get right back in...
Sounds like you are not properly expiring the session.
The only login credentials that ever should be stored with the client is a
session id.
Expire the session id - and the session ID in their cookie becomes
completely meaningless.
OK, I will go back and reread...
My understanding was that SSL aka https was taking care of the credential
checking using, in our case, Active Directory user entries - and that PHP
was just grabbing the UID from that source - for instance, what I do is:
//grab the logged on user, depending on whether they logged on with the
//domain prepended
if (substr_count($_SERVER['REMOTE_USER'], "\\") != 0) {
    //the logon has a domain prepended before the 'actual' UID: take the
    //logged on user off the IIS server variable, split off the (presumed)
    //"[domain]\" portion and essentially discard it. explode() replaces the
    //removed split(); a single-quoted '\\' is one literal backslash, so no
    //regex double-escaping is needed. Limit 2 keeps list() happy even if the
    //value contains more than one backslash.
    list($logged_on_domain, $logged_on_user) = explode('\\', $_SERVER['REMOTE_USER'], 2);
} else {
    //no domain (assumed) prepended before the back slash, so just the
    //'actual' UID
    $logged_on_user = $_SERVER['REMOTE_USER'];
}
I can set $_SERVER['REMOTE_USER'] = 'baddomain\baduser' of course - but when
I return to the secure page the user's browser cache (?) has reset
$_SERVER['REMOTE_USER'] to be their previously logged on user name - so they
are still logged in...
So maybe my "logging off" question is not really PHP-specific? Hmmm....
I will go back and reread various pages (paper and online) with your
suggestion/s as the context - so thank you...
I don't know much about active directory but I thought one of the points
of AD was to eliminate the need for a user to log in since they are
already authenticated by the centralized AD system.
If you want to use active directory as the only user authentication
method then as long as the browser sends the credentials it will verify
and the user is logged in.
You could probably use password _in addition to_ active directory to
authenticate a php session, allowing you increased security over just a
session token (i.e. browser has to send valid php session AND active
directory credentials) but if you want a user to have to login in
addition to active directory credentials, use php sessions on your
server, and upon successful login w/ proper AD credentials set a session
variable that says they are authenticated.
When they log out, unset the session variable that says they are logged
in and expire the session. Then regardless of their AD credentials, they
will have to log in again to be verified by the session system.
SSL doesn't do anything magic as far as user authentication is
concerned, it simply provides a public/private key encryption so that
(theoretically) only the browser can decrypt what the server sends and
only the server can decrypt what the browser sends.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
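The session-gated login and logout that the reply above describes, as an added example (not code from either poster and not part of the original thread). It assumes IIS has already authenticated the request against AD and populated $_SERVER['REMOTE_USER']; the cookie parameters and the page names in the usage comments are illustrative assumptions.

```php
<?php
// Added example, not the original poster's code: gate access with a PHP
// session flag on top of IIS/AD authentication, so that a logout actually
// takes effect even though the browser keeps replaying the cached HTTP
// credentials in $_SERVER['REMOTE_USER'] on every request.
// Assumed: cookie parameters and page names below are illustrative only.

declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie-only session ids, sent only over HTTPS and hidden from script.
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie
        'path'     => '/',
        'secure'   => true,     // the sites are https:// only
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Split "DOMAIN\user" (as IIS presents it) into its parts; a bare user name
// gets an empty domain. A limit of 2 keeps extra backslashes in the user part.
function split_remote_user(string $remoteUser): array
{
    $parts = explode('\\', $remoteUser, 2);
    return count($parts) === 2 ? [$parts[0], $parts[1]] : ['', $remoteUser];
}

// Called once the web server has authenticated the request against AD and the
// user has explicitly chosen to log in. Records the login under a fresh
// session id so an id handed out before login cannot be reused (fixation).
function establish_login(string $remoteUser): void
{
    start_secure_session();
    session_regenerate_id(true);            // new id, old one deleted
    [$domain, $user] = split_remote_user($remoteUser);
    $_SESSION['authenticated'] = true;
    $_SESSION['domain']        = $domain;
    $_SESSION['user']          = $user;
    $_SESSION['login_time']    = time();
}

// The check every protected page runs. It deliberately never consults
// REMOTE_USER: the browser keeps sending those credentials after logout, so
// only the server-side session flag decides whether the user is logged in.
function current_user(): ?string
{
    start_secure_session();
    if (empty($_SESSION['authenticated'])) {
        return null;
    }
    return $_SESSION['user'];
}

// Full logout: wipe the session data, destroy the server-side record, and
// expire the cookie so the old id is meaningless even if the browser keeps it.
function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 86400,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// --- usage on a protected page (assumed page names) -----------------------
// header('Cache-Control: no-store');   // back button refetches, never shows a cached copy
// if (current_user() === null) {
//     if (!empty($_SERVER['REMOTE_USER']) && isset($_POST['login'])) {
//         establish_login($_SERVER['REMOTE_USER']);   // AD vouched, user clicked Log in
//     } else {
//         header('Location: /login.php'); exit;
//     }
// }
// --- on logout.php ---------------------------------------------------------
// logout(); header('Location: /loggedout.php'); exit;
```

The point of the design is in current_user(): once the session flag is gone, it does not matter that IIS still reports a valid REMOTE_USER, because the application never treats that value as "logged in" by itself. The Cache-Control: no-store header on protected pages covers the other half of the back-button problem, the browser showing a locally cached copy of a page without asking the server at all.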