Re: basic authentication usage


 



I think that the problem here is that the unset of the $_SERVER["PHP_AUTH_USER"] variable is not affecting the client's browser. If you've got a directory protection, the browser needs a restart to show the login dialog before. I may be wrong because I'm using forms normally, but the authentication cannot be reset so easily...

On 10.06.2013 at 22:28, Jim Giner <jim.giner@xxxxxxxxxxxxxxxxxx> wrote:

Trying to learn how this works for a simple security need I have. Nothing serious, hence this experiment.

My code:
if (!isset($_SERVER['PHP_AUTH_USER']))
{
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo '<h3>You have chosen not to signin<br><br>';
    echo "Click <a href='/index.php'>here</a> to go back to the menu";
    unset($_SERVER['PHP_AUTH_USER']);
    unset($_SERVER['PHP_AUTH_PW']);
    unset($_ENV['PHP_AUTH_USER']);
    unset($_ENV['PHP_AUTH_PW']);
    exit;
}
else
{
    echo "checking creds<br>";
    if ($_SERVER['PHP_AUTH_USER'] <> "validuser")
    {
       unset($_SERVER['PHP_AUTH_USER']);
       unset($_SERVER['PHP_AUTH_PW']);
       unset($_ENV['PHP_AUTH_USER']);
       unset($_ENV['PHP_AUTH_PW']);
       echo '<h3>You have entered invalid information.<br><br>';
       echo "Click <a href='/index.php'>here</a> to go back to the menu";
       exit();
    }
}
(if we get here we have signed on)
(....continue on with script)

*******
My problem is trying to remove the invalid credentials (unsets) so that when the user attempts to access the page again, the signin dialog gets displayed. On my second attempt I always get the "invalid" path and never get a chance to re-enter the credentials.

What am I missing (besides it's a lousy security solution)?
Can one NOT unset a SERVER variable? How does one get around that in this case if so?


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
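
The behaviour discussed in this thread, as an added example that is not code from either poster: the browser caches Basic credentials for the realm and resends them on every request, so the server has to answer invalid credentials with a fresh 401 challenge rather than unset() its own per-request copy. The user name 'validuser' comes from the original post; the password, its hash and the helper names credentialsValid() and challenge() are constructed for illustration.

```php
<?php
// Added example, not code from the thread. 'validuser' is the name used in the
// original post; the password and its hash are constructed for illustration.
const DEMO_USER = 'validuser';

// Stand-in for a stored hash; a real deployment loads it instead of computing it per request.
$demoHash = password_hash('constructed-demo-password', PASSWORD_DEFAULT);

/** Return true only when both the user name and the password match. */
function credentialsValid(?string $user, ?string $pass, string $hash): bool
{
    if ($user === null || $pass === null) {
        return false;                       // browser sent no Authorization header
    }
    // hash_equals() compares in constant time; password_verify() checks the hash.
    $userOk = hash_equals(DEMO_USER, $user);
    $passOk = password_verify($pass, $hash);
    return $userOk && $passOk;
}

/** Send the challenge. The browser re-prompts only when it receives a 401. */
function challenge(string $realm): void
{
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    http_response_code(401);
    echo '<h3>Sign-in required or invalid credentials.</h3>';
    echo "Click <a href='/index.php'>here</a> to go back to the menu";
    exit;
}

// PHP fills these from the Authorization header the browser sends on every request.
$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? null;

if (!credentialsValid($user, $pass, $demoHash)) {
    // Missing and wrong credentials take the same path: unset() on $_SERVER
    // only changes this request's copy and never reaches the browser.
    challenge('My Realm');
}

echo 'signed on as ' . htmlspecialchars($user, ENT_QUOTES);
// ...continue on with script
```

Basic authentication sends the password with every request in a reversible encoding, so this pattern belongs behind HTTPS only.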




