Devon & Cornwall Linux Users' Group


Re: [LUG] OT apache Q



On Monday 12 Aug 2002 9:29 am, Steve Marvell wrote:
On Sat, Aug 10, 2002 at 08:10:48PM +0100, Neil Williams wrote:

If you switch to PHP / MySQL authorisation, it is possible to force a
refresh of authority by manipulating the HTTP header directly.

Erm, I'm not sure the switch is required. Since I can manipulate the
headers directly using perl. All I want to do is know which header to
manipulate.

headerS

PHP can manipulate the headers, the problem comes with the verification - a 
problem shared with perl in this case. You'd have to write your own code to 
access a file like .htaccess or hard-code usernames and passwords in the 
script - unless you use something like MySQL.

header("WWW-Authenticate: Basic realm=\"my private pages\"");
header("HTTP/1.0 401 Unauthorized");

// only reached if authorisation fails
echo "Unauthorised";
exit;

The username entered is stored in $_SERVER['PHP_AUTH_USER'] and the password 
is stored in $_SERVER['PHP_AUTH_PW']. Check these values to verify access. 
(Should be done BEFORE the headers are output to prevent users being asked to 
re-verify every time they load the page.)

To force re-entry, re-issue the headers (BOTH).

However, if it is merely an application level change, then it's not
Basic Auth and probably has nothing to do with the headers, other
than custom ones, which some servers may not support.

It should work with Basic Auth without extensions, apart from PHP itself. 
Just remember that .htaccess cannot be used alongside this PHP code so 
neither can htpasswd and you need to invent some method of storing and 
verifying usernames and passwords.


There's a bit on this in the current LinuxFormat.

Anyone got that kicking about?

From LXF31 Sept 2002, p88 - a snippet quoted above.

It won't work alongside .htaccess authorisation, and you must set up
a customised MySQL database and connect to it via PHP.

It doesn't sound like an Apache authentication handler then, it sounds
like an application level handler.

It is Apache, it causes a standard dialog to be shown and it is verified via 
standard Apache headers. It's just that .htaccess isn't used because the 
'backend' of the authorisation has been hijacked by your PHP.

If it's Not all servers, particularly free ones, will have PHP let
alone MySQL.

Indeed. And not all programmers want to change from perl to PHP and
Postgres to MySQL. :)

Steve

You should be able to use perl to issue the same headers. Quite how the 
variables will be returned will be up to the perl environment and the method 
of verifying the username and password will, like PHP, have to be customised 
from scratch.

-- 

Neil Williams
=============
http://www.codehelp.co.uk
neil@xxxxxxxxxxxxxx
linux@xxxxxxxxxxxxxx
neil@xxxxxxxxxxxx


--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the
message body to unsubscribe.
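
Added example, not part of the original message or the LinuxFormat article: the check-then-challenge flow the message describes, with the verification step filled in. The `$users` array, its sample entry and the helper names `credentials_ok()` and `challenge()` are assumptions standing in for whatever credential store (the thread suggests MySQL) the script actually uses.

```php
<?php
// Added example. $users stands in for the real credential store; the entry
// is constructed sample data. In real use, store the output of
// password_hash() in the database, never the plaintext password.
$users = [
    'alice' => password_hash('constructed-sample-password', PASSWORD_DEFAULT),
];

// Hypothetical helper: true only when both values match a stored user.
function credentials_ok(array $users, ?string $user, ?string $pass): bool
{
    if ($user === null || $pass === null) {
        return false;                     // browser sent no credentials yet
    }
    // Verify against a dummy hash for unknown users so that the response
    // time does not reveal which usernames exist.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $known = array_key_exists($user, $users);
    $match = password_verify($pass, $known ? $users[$user] : $dummy);
    return $known && $match;
}

// Hypothetical helper: issue BOTH headers, which makes the browser prompt.
function challenge(string $realm): void
{
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Unauthorised';
    exit;
}

// Check first, challenge only on failure, so a verified user is not
// prompted again on every page load.
$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? null;
if (!credentials_ok($users, $user, $pass)) {
    challenge('my private pages');
}

// Basic auth sends the password base64-encoded, not encrypted, on every
// request: serve this only over HTTPS.
echo 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

Calling `challenge()` for a request that already carries valid credentials is the "force re-entry" step from the message.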

