PHP Authentication Problem

jeffgman

4:00 am on Aug 24, 2004 (gmt 0)

10+ Year Member



Can somebody please tell me why this code is not working? The auth window comes up the first time I visit the page, but after I logout, when I go back, it does not pop up the window again. It still thinks I am logged in.

[PHP]
<?php
// Assumes mysql_connect() has already been called and that register_globals
// is on, so $PHP_AUTH_USER / $PHP_AUTH_PW come from the Authorization header.
if (isset($_GET['logout']) && $_GET['logout'] == "1") {
    echo "You have been logged out, " . htmlspecialchars($PHP_AUTH_USER) . ".";
    unset($PHP_AUTH_USER);
    unset($PHP_AUTH_PW);
    //header("Location: [domain.com...]
    echo "<BR><BR><A HREF=\"http://domain.com/\">Return To Intranet Homepage</A>";
    exit;
}
if (!isset($PHP_AUTH_USER)) {
    // No credentials supplied yet: challenge the browser.
    header("WWW-Authenticate: Basic realm=\"restricted area\"");
    header("HTTP/1.0 401 Unauthorized");
    echo "You failed to provide the correct password...\n";
    exit;
} else {
    mysql_select_db("users");
    // Escape the username before interpolating it into the query.
    $username = mysql_real_escape_string(strtolower($PHP_AUTH_USER));
    $result = mysql_query("SELECT * FROM users WHERE username = '$username'") or die(mysql_error());
    $row = mysql_fetch_array($result);
    if (!$row || $PHP_AUTH_PW != $row['password']) {
        // Unknown user or wrong password: challenge again.
        header("WWW-Authenticate: Basic realm=\"restricted area\"");
        header("HTTP/1.0 401 Unauthorized");
        echo "You failed to provide the correct password...\n";
        exit;
    }
    $level = $row['level'];
}
?>
[/PHP]

And, then at the bottom of the page I have this

[PHP]
<A HREF="admin.php?logout=1">Logout</A>
[/PHP]

It tells me that I have logged out, but when I go back to the page, it does not bring up the window.

Thanks,
Jeff

httpwebwitch

4:37 am on Aug 24, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I used the same script (almost identical to yours) for authentication on a secure admin tool, and it does the same thing. Only if I close the browser and restart it am I asked to log in again. All I can guess is that the browser (IE) remembers its HTTP authentication identity even when you ask it not to, or
unset($PHP_AUTH_USER);
unset($PHP_AUTH_PW);
doesn't really do squat.

If you change the "Basic Realm", it will ask the user to log in again. Maybe a "logout" could create a new random key which is appended to the realm for the next login. But that's an annoyingly awkward solution, isn't it.

You could use Session authentication instead...
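The realm-rotation logout sketched above, written out as an added example (not code from the thread): a logout request picks a new realm and forces one fresh 401 challenge, so the browser's cached credentials for the old realm are rejected and it has to prompt again. A PHP session holds the per-visitor realm suffix and the re-authenticate flag; check_password() uses constructed demo data in place of the poster's users-table lookup.

```php
<?php
// Added example: Basic auth with a logout that forces a new challenge
// under a new realm. Session state carries the realm nonce and a flag.
session_start();

function check_password(string $user, string $pw): bool
{
    // Constructed demo data; a real deployment loads stored hashes from the DB.
    $users = ['jeff' => password_hash('constructed-demo-password', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($pw, $users[$user]);
}

function current_realm(): string
{
    if (empty($_SESSION['realm_nonce'])) {
        $_SESSION['realm_nonce'] = bin2hex(random_bytes(8));
    }
    return 'restricted area ' . $_SESSION['realm_nonce'];
}

function send_challenge(): void
{
    header('WWW-Authenticate: Basic realm="' . current_realm() . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo "You failed to provide the correct password...\n";
    exit;
}

if (isset($_GET['logout']) && $_GET['logout'] === '1') {
    // New realm plus a mandatory challenge on the next request: the browser's
    // cached credentials no longer match, so it must prompt instead of
    // silently re-sending them.
    $_SESSION['realm_nonce'] = bin2hex(random_bytes(8));
    $_SESSION['must_reauth'] = true;
    echo 'You have been logged out.';
    exit;
}
if (!empty($_SESSION['must_reauth'])) {
    unset($_SESSION['must_reauth']);
    send_challenge();
}
$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pw   = $_SERVER['PHP_AUTH_PW'] ?? '';
if ($user === '' || !check_password($user, $pw)) {
    send_challenge();
}
echo 'Welcome, ' . htmlspecialchars($user);
```

If the user cancels the new prompt, some browsers keep the old credentials and send them on the next plain visit, which is exactly the browser-compliance problem this thread runs into.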

Netizen

8:52 am on Aug 24, 2004 (gmt 0)

10+ Year Member



According to the PHP manual [php.net]:

"Both Netscape Navigator and Internet Explorer will clear the local browser window's authentication cache for the realm upon receiving a server response of 401. This can effectively "log out" a user, forcing them to re-enter their username and password. Some people use this to "time out" logins, or provide a "log-out" button."

jeffgman

1:30 pm on Aug 24, 2004 (gmt 0)

10+ Year Member



I tried your suggestion with the 401 code, but it still does not work. Maybe I did the code incorrectly. Here is my new logout code:

[PHP]
if (isset($_GET['logout']) && $_GET['logout'] == "1") {
    header("HTTP/1.0 401 Unauthorized");
    echo "You have been logged out, " . htmlspecialchars($_SERVER['PHP_AUTH_USER']) . ".";
    unset($_SERVER['PHP_AUTH_USER']);
    unset($_SERVER['PHP_AUTH_PW']);
    //header("Location: [domain.com...]
    echo "<BR><BR><A HREF=\"http://domain.com/\">Return To Turner's Intranet Homepage</A>";
    exit;
}
[/PHP]

But, it still thinks I am logged in when I visit the page again after logout.

Jeff

httpwebwitch

6:21 pm on Aug 24, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



yup. I concur. Doesn't work.

quote: [serveriai.lt]

Testing with Lynx has shown that Lynx does not clear the authentication credentials with a 401 server response, so pressing back and then forward again will open the resource as long as the credential requirements haven't changed. The user can press the '_' key to clear their authentication information, however.

How weird is that.
Yes, let's require the user to press "_"?

Since HTTP Authentication relies on browser compliance, and since there are so many buggy browsers out there, it's essentially worthless. Let's boycott it.

Netizen

10:44 am on Aug 25, 2004 (gmt 0)

10+ Year Member



Never use it myself :-)

jeffgman

3:27 am on Aug 26, 2004 (gmt 0)

10+ Year Member



What do you use instead of http authentication? Sessions?

Jeff

jatar_k

4:12 am on Aug 26, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



sessions here, no problems.

I only use auth for internal tools.

coopster

12:14 pm on Aug 26, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Ditto. Session handling [php.net] is going to be a valuable tool for you.

httpwebwitch

1:57 pm on Aug 26, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



yup. ever since my first few dozen failures with HTTP authentication, I've been using Session security for almost everything.

You could try something like this [pathtech.mirrors.phpclasses.org]

Once you have a good session management class, you just have to create $auth, and do $auth->login(UID,PWD), $auth->display() or $auth->logout().
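The session-based alternative recommended in the replies, as an added example that is not from the thread or the linked class: login verifies a stored hash and regenerates the session id, and logout destroys the server-side session and expires the cookie, so nothing depends on the browser forgetting credentials. It assumes a PDO connection $db (used by a hypothetical login.php that calls login()) and a users table with username and password_hash columns.

```php
<?php
// Added example: session login/logout replacing HTTP Basic auth.
// Assumes $db is a PDO connection and password_hash column holds password_hash() output.
session_start();

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => strtolower($username)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh session id after login
    $_SESSION['user'] = strtolower($username);
    $_SESSION['login_time'] = time();
    return true;
}

function logout(): void
{
    // Clear server-side state and expire the session cookie in the browser.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Request handling, matching the thread's admin.php?logout=1 link.
if (isset($_GET['logout']) && $_GET['logout'] === '1') {
    logout();
    echo 'You have been logged out. <a href="login.php">Log in again</a>';
    exit;
}
if (empty($_SESSION['user'])) {
    header('Location: login.php');       // hypothetical form that calls login()
    exit;
}
echo 'Welcome, ' . htmlspecialchars($_SESSION['user']);
```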

jeffgman

2:26 pm on Aug 31, 2004 (gmt 0)

10+ Year Member



Thank you for that webpage. I will look it over and give it a shot.

Jeff