[ Date Index ][
Thread Index ]
[ <= Previous by date /
thread ]
[ Next by date /
thread => ]
On Monday 12 Aug 2002 9:29 am, Steve Marvell wrote:
On Sat, Aug 10, 2002 at 08:10:48PM +0100, Neil Williams wrote:
If you switch to PHP / MySQL authorisation, it is possible to force a refresh of authority by manipulating the HTTP header directly.Erm, I'm not sure the switch is required. Since I can manipulte the headers directly using perl. All I want to do is know which header to manipulate.
headerS
PHP can manipulate the headers, the problem comes with the verification - a
problem shared with perl in this case. You'd have to write your own code to
access a file like .htaccess or hard-code usernames and passwords in the
script - unless you use something like MySQL.
header("WWW-Authenticate: Basic realm=\"my private pages\"");
header("HTTP/1.0 401 Unauthorized");
// only reached if authorisation fails
echo "Unauthorised";
exit;
The username entered is stored in $_SERVER['PHP_AUTH_USER'] and the password
is stored in $_SERVER['PHP_AUTH_PW']. Check these values to verify access.
(Should be done BEFORE the headers are output to prevent users being asked to
re-verify every time they load the page.)
To force re-entry, re-issue the headers (BOTH).
However, if it is merely an application level change, then it's not Basic Auth and probably has nothiung to do with the headers, other than custom ones, which some servers may not support.
It should work with Basic Auth without extensions, apart from PHP itself. Just remember that .htaccess cannot be used alongside this PHP code so neither can htpasswd and you need to invent some method of storing and verifying usernames and passwords.
There's a bit on this in the current LinuxFormat.Anyone got that kicking about?
From LXF31 Sept 2002, p88 - a snippet quoted above.
It won't work alongside .htaccess authorisation, and you must set up a customised MySQL database and connect to it via PHP.It doesn't sound like an Apache authentication handler then, it sounds like an appication level handler.
It is Apache, it causes a standard dialog to be shown and it is verified via standard Apache headers. It's just that .htaccess isn't used because the 'backend' of the authorisation has been hijacked by your PHP.
If it's Not all servers, particularly free ones, will have PHP let alone MySQL.Indeed. And not all programmers want to change from perl to PHP and Postgres to MySQL. :) Steve
You should be able to use perl to issue the same headers. Quite how the variables will be returned will be up to the perl environment and the method of verifying the username and password will, like PHP, have to be customised from scratch. -- Neil Williams ============= http://www.codehelp.co.uk neil@xxxxxxxxxxxxxx linux@xxxxxxxxxxxxxx neil@xxxxxxxxxxxx -- The Mailing List for the Devon & Cornwall LUG Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.