It is possible to use the header() function to send an "Authentication Required" message to the client browser causing it to pop up a Username/Password input window. Once the user has filled in a username and a password, the URL containing the PHP script will be called again with the predefined variables PHP_AUTH_USER, PHP_AUTH_PW, and AUTH_TYPE set to the user name, password and authentication type respectively. These predefined variables are found in the $_SERVER array. Only "Basic" and "Digest" authentication methods are supported. See the header() function for more information. An example script fragment which would force client authentication on a page is as follows: Example #1 Basic HTTP Authentication example
<?php Example #2 Digest HTTP Authentication example This example shows you how to implement a simple Digest HTTP authentication script. For more information read the » RFC 2617.
<?php if (empty( $_SERVER['PHP_AUTH_DIGEST'])) {header('HTTP/1.1 401 Unauthorized'); header('WWW-Authenticate: Digest realm="'.$realm. '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"'); die( 'Text to send if user hits Cancel button');}// analyze the PHP_AUTH_DIGEST variable if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) || !isset($users[$data['username']])) die('Wrong Credentials!');// generate the valid response $A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]); $A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']); $valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2); if ( $data['response'] != $valid_response)die('Wrong Credentials!');// ok, valid username & password echo 'You are logged in as: ' . $data['username'];// function to parse the http auth header function http_digest_parse($txt) { // protect against missing data $needed_parts = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1); $data = array(); $keys = implode('|', array_keys($needed_parts));preg_match_all('@(' . $keys . ')=(?:([\'"])([^\2]+?)\2|([^\s,]+))@', $txt, $matches, PREG_SET_ORDER); foreach ( $matches as $m) {$data[$m[1]] = $m[3] ? $m[3] : $m[4]; unset($needed_parts[$m[1]]); } return $needed_parts ? false : $data;} ?>
Instead of simply printing out PHP_AUTH_USER and PHP_AUTH_PW, as done in the above example, you may want to check the username and password for validity. Perhaps by sending a query to a database, or by looking up the user in a dbm file. Watch out for buggy Internet Explorer browsers out there. They seem very picky about the order of the headers. Sending the WWW-Authenticate header before the HTTP/1.0 401 header seems to do the trick for now.
Note, however, that the above does not prevent someone who controls a non-authenticated URL from stealing passwords from authenticated URLs on the same server. Both Netscape Navigator and Internet Explorer will clear the local browser window's authentication cache for the realm upon receiving a server response of 401. This can effectively "log out" a user, forcing them to re-enter their username and password. Some people use this to "time out" logins, or provide a "log-out" button. Example #3 HTTP Authentication example forcing a new name/password
<?php if (!isset( $_SERVER['PHP_AUTH_USER']) ||($_POST['SeenBefore'] == 1 && $_POST['OldAuth'] == $_SERVER['PHP_AUTH_USER'])) { authenticate(); } else { echo "<p>Welcome: " . htmlspecialchars($_SERVER['PHP_AUTH_USER']) . "<br />"; echo "Old: " . htmlspecialchars($_REQUEST['OldAuth']); echo "<form action='' method='post'>\n"; echo "<input type='hidden' name='SeenBefore' value='1' />\n"; echo "<input type='hidden' name='OldAuth' value=\"" . htmlspecialchars($_SERVER['PHP_AUTH_USER']) . "\" />\n"; echo "<input type='submit' value='Re Authenticate' />\n"; echo "</form></p>\n"; } ?> This behavior is not required by the HTTP Basic authentication standard, so you should never depend on this. Testing with Lynx has shown that Lynx does not clear the authentication credentials with a 401 server response, so pressing back and then forward again will open the resource as long as the credential requirements haven't changed. The user can press the '_' key to clear their authentication information, however. In order to get HTTP Authentication to work using IIS server with the CGI version of PHP you must edit your IIS configuration "Directory Security". Click on "Edit" and only check "Anonymous Access", all other fields should be left unchecked.
derkontrollfreak+9hy5l at gmail dot com ¶ 8 years ago Workaround for missing Authorization header under CGI/FastCGI Apache: SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0 Now PHP should automatically declare $_SERVER[PHP_AUTH_*] variables if the client sends the Authorization header. kazakevichilya at gmail dot com ¶ 10 years ago In case of CGI/FastCGI you would hot be able to access PHP_AUTH* info because CGI protocol does not declare such variables (that is why their names start from PHP) and server would not pass them to the interpreter. In CGI server should authenticate user itself and pass REMOTE_USER to CGI script after it. So you need to "fetch" request headers and pass them to your script somehow. In apache you can do it via environment variables if mod_env is installed. Following construction in .htaccess copies request header "Authorization" to the env variable PHP_AUTH_DIGEST_RAW SetEnvIfNoCase ^Authorization$ "(.+)" PHP_AUTH_DIGEST_RAW=$1 You can now access it via $_ENV. Do not forget to strip auth type ("Digest" in my case) from your env variable because PHP_AUTH_DIGEST does not have it. If mod_env is not installed you probably have mod_rewrite (everyone has it because of "human readable URLs"). You can fetch header and pass it as GET parameter using rewrite rule: RewriteRule ^.*$ site.php?PHP_AUTH_DIGEST_RAW=%{HTTP:Authorization} [NC,L] Here HTTP request header Authorization would be acessible as PHP_AUTH_DIGEST_RAW via $_GET. --- It takes Authorization info using "Zend_Controller_Request::getHeader" webmaster at kratia dot com ¶ 15 years ago This is the simplest form I found to do a Basic authorization with retries. <?php $valid_passwords = array ("mario" => "carbonell");$valid_users = array_keys($valid_passwords);$user = $_SERVER['PHP_AUTH_USER']; $pass = $_SERVER['PHP_AUTH_PW'];$validated = (in_array($user, $valid_users)) && ($pass == $valid_passwords[$user]); if (! $validated) {header('WWW-Authenticate: Basic realm="My Realm"'); header('HTTP/1.0 401 Unauthorized'); die ("Not authorized"); }// If arrives here, is a valid user. echo "<p>Welcome $user.</p>"; echo "<p>Congratulation, you are into the system.</p>";?> jake22 at gmail dot com ¶ 6 years ago I came up with another approach to work around the problem of browsers caching WWW authentication credentials and creating logout problems. While most browsers have some kind of way to wipe this information, I prefer having my website to take care of the task instead of relying on the user's sanity. Even with Lalit's method of creating a random realm name, it was still possible to get back into the protected area using the back button in Firefox, so that didn't work. Here's my solution: Since browsers attach the credentials to specific URLs, use virtual paths where a component of the path is actually a PHP script, and everything following it is part of the URI, such as: http://velocitypress.ca/some_dir/login.php/auth/8f631b92/ By choosing a different number for the last component of the URL, browsers can be tricked into thinking that they are dealing with a completely different website, and thus prompting the user for credentials again. Note that using a random, unrestricted number will still allow the user to hit the back button to get back into the page. You should keep track of this number in a server-side file or database and regenerate it upon each successful login, so that the last number(s) become invalid. Using an invalid number might result in a 403 response or, depending on how you feel that day, a 302 to a nasty website. Care should be taken when linking from the page generated in this case, since relative links will be relative to the virtual and non-existant directory rather than the true script directory. Yuriy ¶ 13 years ago
Good day. Carlos ¶ 4 years ago Simpler WorkAround for missing Authorization header under CGI/FastCGI available in Apache HTTP Server 2.4.13 and later CGIPassAuth On Please don't enable Authorization header with Basic Authentication, is very insecure. john_2232 at gmail dot com ¶ 6 years ago
Here is my attempt to create a digest authentication class that will log the user in and out without using a cookie,session,db,or file. At the core is this simple code to parse the digest string into variables works for several browsers. return $parts;} ?> Give it a try at http://www.creativetheory.ca/ /tests/ta1.php Log in with user test password pass or user guest password guest. Go to page two for links to the code. Comments, ideas, suggestions, or critique welcome. bitman at bitworks dot de ¶ 1 year ago the alternative text should contain the complete text af a (small) valid HTML-Ressource. It also can contain link relations to CSS. Louis ¶ 16 years ago
I couldn't get authentication to work properly with any of the examples. Finally, I started from ZEND's tutorial example at: I spent the better part of a day getting this to work right. I had a very hard time thinking through what the browser does when it encounters an authentication request: seems to me that it tries to get the password, then reloads the page... so the HTML doesn't get run. At least, this was the case with IE, I haven't tested it with anything else. <?php if ( $_POST['logout'] == "logout") {session_destroy() ; header('Location: comeagain.php'); exit ; }// "standard" authentication code here, from the ZEND tutorial above.comeagain.php is as follows: <? session_start();unset($_SESSION['realm']); session_destroy(); echo "<html><head><title>Logged Out</title><h2>Logout Page</h2><body>" ; echo "You have successfully logged out of TOGEN"; echo " at ".date("h:m:s")." on ".date("d F Y") ; echo "<p><a href=\"index.php\">Login Again</a>" ; echo "</body></html>" ; ?> The idea is to be able to trash the session (and thus reset the realm) without prompting the browser to ask again... because it has been redirected to logout.php. With this combination, I get things to work. Just make sure not to have apache run htpasswd authentication at the same time, then things get really weird :-). Ome Ko ¶ 12 years ago a link to http://logout:logout@<?=$_SERVER['HTTP_HOST'];?>/SECRET/ would force a fresh login for the /SECRET directory if no user logout with password logout exists. [NOTE BY danbrown AT php DOT net: The following note was added by "Anonymous" on 01-APR-2010 (though we presume it's not an April Fool's Day joke).]
this logout method does not work 100% anymore, because of another bulls**t from M$:
Anonymous ¶ 12 years ago The regex in http_digest_parse from Example #2 does not work for me (PHP 5.2.6), because back references are not allowed in a character class. This worked for me: <?php// function to parse the http auth header foreach ( $matches as $m) {$data[$m[1]] = $m[2] ? $m[2] : ($m[3] ? $m[3] : $m[4]); unset($needed_parts[$m[1]]); } return $needed_parts ? false : $data;}?> admin at isprohosting dot com ¶ 15 years ago There are .htaccess which actually works for us (cPanel + phpsuexec) unless others failed. Perhaps it may help someone. # PHP (CGI mode) HTTP Authorization with ModRewrite: Then you need small piece of php code to parse this line and then everything will work like with mod_php: if (isset($_SERVER['HTTP_AUTHORIZATION'])) Enjoy! Nicolas Merlet - admin(at)merletn.org ¶ 15 years ago Be careful using http digest authentication (see above, example 34.2) if you have to use the 'setlocale' function *before* validating response with the 'http_digest_parse' function, because there's a conflict with \w in the pattern of 'preg_match_all' function : In fact, as \w is supposed to be any letter or digit or the underscore character, you must not forgot that this may vary depending on your locale configuration (eg. it accepts accented letters in french)... Due to this different pattern interpretation by the 'preg_match_all' function, the 'http_digest_parse' function will always return a false result if you have modified your locale (I mean if your locale accepts some extended characters, see http://fr.php.net/manual/en/reference.pcre.pattern.syntax.php for further information). IMHO, I suggest you not to use setlocale before having your authentication completed... PS : Here's a non-compatible setlocale declaration... xsanychx at mail dot ru ¶ 9 years ago New auth:
<?php
if(( $_SERVER['PHP_AUTH_PW']!= $pass || $_SERVER['PHP_AUTH_USER'] != $login)|| !$_SERVER['PHP_AUTH_USER']){ header('WWW-Authenticate: Basic realm="Test auth"'); header('HTTP/1.0 401 Unauthorized'); echo 'Auth failed'; exit; } ?> gbelyh at gmail dot com ¶ 15 years ago Back to the autherisation in CGI mode. this is the full working example: # Create the .htaccess file with following contents: # In the beginning the script checking the authorization place the code: $userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"],6)) ; $userpass = explode(":", $userpass); if ( count($userpass) == 2 ){ } Robb_Bean at gmx dot net ¶ 8 years ago In the german example #2 (digest), the <?php $realm = "Geschützter Bereich"; ?>. As far as I have tested the umlaut ü is problematic, resulting in an password enter infinity loop. In my case it was written in UTF-8. So I suggest using only plain ASCII characters for the realm. vog at notjusthosting dot com ¶ 10 years ago You shouldn't use the "last" ("L") directive in the RewriteRule! This will prevent all further rewrite rules to be skipped whenever a Basic or Digest Auth is given, which is almost certainly not what you want. So the following lines are sufficient for the .htaccess (or httpd.conf) file: RewriteEngine On charly at towebs dot com ¶ 17 years ago
A simpler approach on the post of: This is another "patch" to the PHP_AUTH_USER and PHP_AUTH_PW server variables problem running PHP as a CGI. First of all don't forget this fragment of code in your .htaccess (it's the only thing you need to make it work with mod_rewrite): <IfModule mod_rewrite.c> Then login.php <?php } echo 'PHP_AUTH_USER =' . $_SERVER['PHP_AUTH_USER'] . '<br>';echo 'PHP_AUTH_PW =' . $_SERVER['PHP_AUTH_PW'] . '<br>'; echo 'REMOTE_USER =' . $_SERVER['REMOTE_USER'] . '<br>'; ?> First, we decode the base64 encoded string discarding the first 6 characters of "Basic " and then we do a regular validation. At the end of the script we print the variables to verify it's working. This should be ommited in the production version. It's a variation of the script by Bernard Paques. roychri at php dot net ¶ 15 years ago For PHP with CGI, make sure you put the rewrite rule above any other rewrite rule you might have. In my case, I put this at the top of the .htaccess (below RewriteEngine On): My symptom was that the REMOTE_USER (or REDIRECT_REMOTE_USER in my case) was not being set at all. SlamJam ¶ 15 years ago I used Louis example (03-Jun-2006) and it works well for me (thanks). However, I added some lines, to make sure, the user does only get the Authentification-Window a few times:
<?php
<?php
// Not more than 3 Trials
spam at angstzustaen dot de ¶ 1 year ago
public function loginUser(){ if (password_verify($pw,$row['pw'])){ $this->isLogin(); } A short example for an user Login ceo at l-i-e dot com ¶ 11 years ago To force a logout with Basic Auth, you can change the Realm out from under them to a different Realm. This forces a new set of credentials for a new "Realm" on your server. You just need to track the Realm name with the user/pass and change it around to something new/random as they log in and out. I believe that this is the only 100% guaranteed way to get a logout in HTTP Basic Auth, and if it were part of the docs a whole lot of BAD user-contributed comments here could be deleted. emmanuel dot keller at net2000 dot ch ¶ 19 years ago Some servers won't support the HTTP1.0 specification and will give an error 500 (for instance). This happened with a server where I uploaded an authentication script. If it happens, you can try the HTTP1.1 header syntax :
<?php
dan223 at gmail dot com ¶ 6 years ago A simple script for SSL Client Certificate authentication with a basic authentication fall-back. I use this on my site using LDAP server to check username/passwords and client certificate to user mapping. <? if ($_SERVER['SSL_CLIENT_S_DN_CN'] != "chris") { // Check CN name of cert if (!(($_SERVER['PHP_AUTH_USER'] == "test") && ($_SERVER['PHP_AUTH_PW'] == "123"))) { // Check username and password phpinfo(); // Call authentication display See my website (http://velocitypress.ca/index.php?page=/manuals/) for more details on client certificate with Apache and PHP. sergio dot carvalho at gmail dot com ¶ 7 years ago The only effective way I've found to wipe out the PHP_AUTH_DIGEST or PHP_AUTH_USER AND PHP_AUTH_PW credentials is to call the header HTTP/1.1 401 Unauthorized. function clear_admin_access(){ Lars Stecken ¶ 14 years ago To anybody who tried the digest example above and didn't get it to work. For me the problem seemed to be the deprecated use of '\' (backslash) in the regex instead of the '$' (Dollar) to indicate a backreference. Also the results have to be trimmed off the remaining double and single quotes. Here's the working example: // function to parse the http auth header // protect against missing data preg_match_all('@(\w+)=(?:([\'"])([^$2]+)$2|([^\s,]+))@', $txt, $matches, PREG_SET_ORDER); foreach ($matches as $m) { return $needed_parts ? false : $data; Probably there's a more sophisticated way to trim the quotes within the regex, but I couldn't be bothered :-) Greets, Lars sjeffrey at inquesis dot com ¶ 20 years ago To get it to work with IIS try using this code before setting your "$auth = 0" and the "if (isset($PHP_AUTH_USER) && isset($PHP_AUTH_PW))"
<?php
patrick dot moire at socopa dot fr ¶ 2 years ago Samples Login / Logout script login.php : <?php// Initisalition // Mot de passe incorecte : demande identification } else {setcookie("SESSION", '', 1,'/'); header('WWW-Authenticate: Basic realm="My Realm"'); header('HTTP/1.0 401 Unauthorized'); die; }?> <html> <body > Bonjour <?php echo $ident['NOM'].' '.$ident['PRENOM']; ?> logout.php : <?php h3ndrik ¶ 10 years ago On my configuration with php-cgi - after setting the RewriteRule - the correct variable would be: $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] So the workaround for PhpCGI is: RewriteEngine on Php workaround: Ollie L ¶ 11 years ago I tried example 7, and at first I couldn't get it to work. It took me a while to spot that somewhere along the line, probably by the server, a seemingly random number was being added to the realm - so the valid_result variable wasn't calculated using the correct realm. To get around this, or any similar problems, make the following changes to the example: Around line 43 (44 if after next step ;) ): Before line 24: These two steps get the real realm used for the authentication request, and substitute it into the "valid_response" query. Hope this helps :) najprogramato at post dot sk ¶ 18 years ago Don't use apache authentification in plain text. Is more better to use own script to generete new ID which is relevant to password. Apache auth data are sent to every page, so the posible mistake are known. djreficul at yahoo dot com ¶ 16 years ago Well, I think it's easy to make authentification works correctly. I use a session var to force authentication everytime a user visit the logging area. <?php marco dot moser at oltrefersina dot it ¶ 16 years ago I suggest to demand user's authentication and management to the web server (by .htaccess, ...): 1. configure a global /logon/ directory with a .htaccess file restricted access 2. use fopen wrapper: $hh = @fopen("http://{$_SERVER['PHP_AUTH_USER']}:{$_SERVER['PHP_AUTH_PW']}". snagnever at gmail dot com ¶ 17 years ago
It forces a auth each time the page is accessed: <? function http_auth() if( !isset($_SERVER['PHP_AUTH_USER']) or @$_SESSION['AUTH'] != 1 ) // Actions do be done when the user has logged // rest, must clean the session array jason ¶ 18 years ago on the php+mysql auth code by tigran at freenet dot am There are some security weaknesses. First are both insecure, they could leave this code open to SQL injection, you should always remove invalid characters in both, or at least encode them. Actually storing passwords as MD5 hashes leaves you less work to secure. Second security risks Third items is more of a performance issue, Do you really need to update the database, as updates are slower then selects, and if you do them every time they access the page, you are costing some speed penalty. One option, if you want to use sql (I think mysql has it) is memory only databases, and create a table within memory, the stores a unique session identifier for each user, that is logged in, or alternatively if it's a single front end system, you could use db files. kembl at example dot com ¶ 16 years ago
# PHP (CGI mode) HTTP Authorization with ModRewrite: nuno at mail dot ideianet dot pt ¶ 18 years ago
In Windows 2003 Server/IIS6 with the php4+ cgi I only get HTTP authentication working with: rob at theblip dot com ¶ 18 years ago Regarding HTTP authentication in IIS with the php cgi 4.3.4, there's one more step. I searched mightily and didn't find this information anywhere else, so here goes. When using HTTP auth with the php CGI, you need to do the following things: 1. In your php.ini file, set "cgi.rfc2616_headers = 0" 2. In Web Site Properties -> File/Directory Security -> Anonymous Access dialog box, check the "Anonymous access" checkbox and uncheck any other checkboxes (i.e. uncheck "Basic authentication," "Integrated Windows authentication," and "Digest" if it's enabled.) Click OK. 3. In "Custom Errors", select the range of "401;1" through "401;5" and click the "Set to Default" button. It's this last step that is crucial, yet not documented anywhere. If you don't, instead of the headers asking for credentials, IIS will return its own fancy but useless 'you are not authenticated' page. But if you do, then the browser will properly ask for credentials, and supply them in the $_SERVER['PHP_AUTH_*'] elements. s dot i dot g at gmx dot com ¶ 12 years ago
<?php// try to mimic cpanel logout style if(isset( $_GET['logout'])){ unset($_SESSION["login"]); echo "You have logout ... "; echo "[<a href='" . $_SERVER['PHP_SELF'] . "'>Login</a>]"; exit; } if (!isset( $_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) || !isset($_SESSION["login"])){ header("WWW-Authenticate: Basic realm=\"Test\""); header("HTTP/1.0 401 Unauthorized"); $_SESSION["login"] = true; echo "You are unauthorized ... "; echo "[<a href='" . $_SERVER['PHP_SELF'] . "'>Login</a>]"; exit; } else { if($_SERVER['PHP_AUTH_USER'] == $username && $_SERVER['PHP_AUTH_PW'] == $password) { echo "You have logged in ... "; echo "[<a href='" . $_SERVER['PHP_SELF'] . "?logout'>Logout</a>]"; } else { unset($_SESSION["login"]); header("Location: " . $_SERVER['PHP_SELF']); } }// content here?> idbobby at rambler dot ru ¶ 12 years ago
First of all, sorry for my English. index.php <?php $auth_realm = 'My realm';require_once 'auth.php';echo "You've logged in as {$_SESSION['username']}<br>";echo '<p><a href="?action=logOut">LogOut</a></p>'?> auth.php -------- <?php $_user_ = 'test';$_password_ = 'test';session_start();$url_action = (empty($_REQUEST['action'])) ? 'logIn' : $_REQUEST['action']; $auth_realm = (isset($auth_realm)) ? $auth_realm : ''; if (isset( $url_action)) {if (is_callable($url_action)) { call_user_func($url_action); } else { echo 'Function does not exist, request terminated'; }; }; function logIn() {global $auth_realm; if (!isset( $_SESSION['username'])) {if (!isset($_SESSION['login'])) { $_SESSION['login'] = TRUE; header('WWW-Authenticate: Basic realm="'.$auth_realm.'"'); header('HTTP/1.0 401 Unauthorized'); echo 'You must enter a valid login and password'; echo '<p><a href="?action=logOut">Try again</a></p>'; exit; } else { $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : ''; $password = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : ''; $result = authenticate($user, $password); if ($result == 0) { $_SESSION['username'] = $user; } else { session_unset($_SESSION['login']); errMes($result); echo '<p><a href="">Try again</a></p>'; exit; }; }; }; } function authenticate($user, $password) {global $_user_; global $_password_; if (( $user == $_user_)&&($password == $_password_)) { return 0; }else { return 1; }; } function errMes($errno) {switch ($errno) { case 0: break; case 1: echo 'The username or password you entered is incorrect'; break; default: echo 'Unknown error'; }; } function logOut() {session_destroy();if (isset($_SESSION['username'])) { session_unset($_SESSION['username']); echo "You've successfully logged out<br>"; echo '<p><a href="?action=logIn">LogIn</a></p>'; } else { header("Location: ?action=logIn", TRUE, 301); }; if (isset($_SESSION['login'])) { session_unset($_SESSION['login']); }; exit; }?> web at kwi dot dk ¶ 16 years ago While Digest authentication is still far superior to Basic authentication, there are a number of security issues that one must keep in mind. In this respect, the Digest example given above is somewhat flawed, because the nonce never times out or otherwise become invalid. It thus becomes a password-equivalent (although to that specific URL only) and can be used by an eavesdropper to fetch the page at any time in the future, thus allowing the attacker to always access the latest version of the page, or (much worse) repeatedly invoke a CGI script -- for instance, if the user requests the URL "/filemanager?delete=somefile", the attacker can repeat this deletion at any point in the future, possibly after the file has been recreated. And while it might not be possible to change GET data without reauthentication, cookies and POST data *can* be changed. To protect against the first problem, the nonce can be made to include a timestamp, and a check added to ensure that nonces older than e.g. 30 minutes result in a new authentication request. To solve the second problem, a one-time only nonce needs to be generated -- that is, all further requests using a particular nonce must be refused. One way to do this: When the user requests an action such as "deletefile", store a randomly generated nonce in a session variable, issue a 401 authentication challenge with that nonce, and then check against the stored value when receiving the authentication (and clear the session variable). This way, although a possible eavesdropper receives the nonce and thus gains the ability to perform the action, he can only perform it once -- and the user was going to perform it anyway. (Only the user or the attacker, but not both, gets to perform the action, so it's safe.) Of course, at some point, the security can only be improved by switching to HTTPS / SSL / TLS (this is for instance the only way to defend against man-in-the-middle attacks). You decide the level of security. siberion at hotmail dot com ¶ 17 years ago I came up with another approach to work around the problem of browsers caching WWW authentication credentials and creating logout problems. While most browsers have some kind of way to wipe this information, I prefer having my website to take care of the task instead of relying on the user's sanity. Even with Lalit's method of creating a random realm name, it was still possible to get back into the protected area using the back button in Firefox, so that didn't work. Here's my solution: Since browsers attach the credentials to specific URLs, use virtual paths where a component of the path is actually a PHP script, and everything following it is part of the URI, such as: http://www.example.com/some_dir/login.php/auth/8f631b92/ By choosing a different number for the last component of the URL, browsers can be tricked into thinking that they are dealing with a completely different website, and thus prompting the user for credentials again. Note that using a random, unrestricted number will still allow the user to hit the back button to get back into the page. You should keep track of this number in a server-side file or database and regenerate it upon each successful login, so that the last number(s) become invalid. Using an invalid number might result in a 403 response or, depending on how you feel that day, a 302 to a nasty website. Care should be taken when linking from the page generated in this case, since relative links will be relative to the virtual and non-existant directory rather than the true script directory. Hope this helps somebody. Paul ¶ 18 years ago Here is a extremely easy way to successfully logout.
<?php
steuber at aego dot de ¶ 18 years ago Quite a good solution for the logout problem: Just tell browser that it is successfully logged in! So the browser remembers no password as a valid password. Example: <?php Whatabrain ¶ 15 years ago
Back to the problem of authenticating in CGI mode... mcbethh suggested using this to set a local variable in php: It didn't work. I couldn't see the variable. My solution is pretty round-about, but it works: RewriteEngine on This causes the Auth string to be added to the URL if there are no parameters and it's a GET request. This prevents POSTs and parameter lists from being corrupted. Then, in the PHP script, I store the Auth string as a session cookie. So the only way to log in to my script is to go to the url with no parameters. |