""Michael A. Peters"" <mpeters@xxxxxxx> wrote in message news:49E4D4CA.7060903@xxxxxxxxxx > scubak1w1 wrote: >> ""Michael A. Peters"" <mpeters@xxxxxxx> wrote in message >> news:49E41267.5010302@xxxxxxxxxx >>> scubak1w1 wrote: >>>> I have a series of web sites which use https:// authentication (using >>>> AD integration to 'check the credentials' as it were) - all seems to be >>>> working well.. [snip] > > I don't know much about active directory but I thought one of the points > of AD was to eliminate the need for a user to log in since they are > already authenticated by the centralized AD system. Thanks Micheal for helping me clarify the situation, I appreciate your expertise... and sorry for the delay in replying, it has been a busy week so far! <smile> I am usings AD, as mentioned and as you probably inferred, so I don't have to sync credentials on "my" system with the 500± users in the AD... (i.e., when someone leaves the company, new hires, password changes, etc, etc) > If you want to use active directory as the only user authentication method > then as long as the browser sends the credentials it will verify and the > user is logged in. Yep, that is it - not forgetting that users may use the intranet site from the company internet site on PCs not logged on to the network... > You could probably use password _in addition to_ active directory to > authenticate a php session, allowing you increased security over just a > session token (IE browser has to send valid php session AND active > directory credentials) but if you want a user to have to login in addition > to active directory credentials, use php sessions on your server, and upon > succesful login w/ proper AD credentials set a session variable that says > they are authenticated. OK, that is where I am at now... glad to see I am following 'standard procedure' <grin> > When they log out, unset the session variable that says they are logged in > and expire the session. Then regardless of their AD credentials, they will > have to log in again to be verified by the session system. Now HERE is where I think I have having the issues... I can use PHP to log them off my site, server side, and hence "demand" to see their AD credentials again... BUT from my reading and understanding, the browser is caching this info - and so when it "sees" the request for AD credentials it says "oh, I have those from a few minutes ago, here you go..." (i.e., the same browser session on the clients side if they haven't closed their browser in the meantime...), thereby relogging them on server side - but I > SSL doesn't do anything magic as far as user authentication is concerned, > it simply provides a public/private key encryption so that (theoretically) > only the browser can decrypt what the server sends and only the server can > decrypt what the browser sends. That distinction is useful to know / be reminded about, thank you - since IIS integrates SSL and AD transparently to me as a non-IT-admin person, I guess I was not making that distinction clearly enough... So (assuming I have this right) is there a way to have PHP clear the user's browser cache of the appropiate AD credentials if the user is in the same browser session and then move to, say, www.google.com? Or should I be looking at some JS? Or expending my efforts on other 'projects'? <smile> -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
