feamsr00 -
Joined: 04 Jun 2002 Posts: 138 Location: Phila PA
|
Posted: Wed Jun 05, 2002 5:38 am Post subject: Realm Authentication |
|
|
I am trying to make PHP emulate a secure realm in Abyss.
Code: | <?php
if (!isset($PHP_AUTH_USER))
{
// If empty, send header causing dialog box to appear
header('WWW-Autheenticate: Basic realm="My Private Stuff"');
header('HTTP/1.0 401 Unauthorized');
echo 'Authorization Required.';
exit;
}
// If not empty, display values for variables
else
{
echo "
<P>You have entered this username: $PHP_AUTH_USER<br>
You have entered this password: $PHP_AUTH_PW<br>
The authorization type is: $PHP_AUTH_TYPE</p>
";
}
?> |
However that produces:
Error 500
Internal Server Error
But if I strip it down to:
Code: | <?php
header("WWW-Authenticate: " .
"Basic realm=\"Protected Page: " .
"Enter your username and password " .
"for access.\"");
header("HTTP/1.0 401 Unauthorized");
// Display message if user cancels dialog
?>
<HTML>
<HEAD><TITLE>Authorization Failed</TITLE></HEAD>
<BODY>
<H1>Authorization Failed</H1>
<P>Without a valid username and password,
access to this page cannot be granted.
Please click ‘reload’ and enter a
username and password when prompted.
</P>
</BODY>
</HTML> |
It still does not ask me to log in. Is there any way, PHP or other, to get user validation like:
Error 401
Unauthorized
(This is when no password is entered for console)
Are there headers being sent that I can/cannot change? Does Abyss allow secure communications? Can you help me make this work, or is there some other way that Abyss supports secure communications? |
|
aprelium -
Joined: 22 Mar 2002 Posts: 6800
|
Posted: Wed Jun 05, 2002 7:10 pm Post subject: Re: Realm Authentication |
|
|
What was wrong with the two examples is the use of header("HTTP/1.0 401 Unauthorized"). You should use header("Status: 401 Unauthorized") to be fully compliant with the CGI specification and to allow the scripts to work (Error 500 was reported because you broke the rules of the specification).
Here is a fixed version of the first script which works (we have also fixed a typing error in WWW-Authenticate :-) ):
Code: |
<?php
if (!isset($PHP_AUTH_USER))
{
// If empty, send header causing dialog box to appear
header('WWW-Authenticate: Basic realm="My Private Stuff"');
header('Status: 401 Unauthorized');
echo 'Authorization Required.';
exit;
}
// If not empty, display values for variables
else
{
echo "
<P>You have entered this username: $PHP_AUTH_USER<br>
You have entered this password: $PHP_AUTH_PW<br>
The authorization type is: $PHP_AUTH_TYPE</p>
";
}
?>
|
_________________ Support Team
Aprelium - http://www.aprelium.com |
|
DLashley -
Joined: 18 Dec 2002 Posts: 207 Location: New York, NY
|
Posted: Fri Dec 20, 2002 9:40 pm Post subject: Re: Realm Authentication |
|
|
aprelium wrote: | What was wrong with the two examples is the use of header("HTTP/1.0 401 Unauthorized"). You should use header("Status: 401 Unauthorized") to be fully compliant with the CGI specification and to allow the scripts to work (Error 500 was reported because you broke the rules of the specification).
Here is a fixed version of the first script which works (we have also fixed a typing error in WWW-Authenticate :-) ):
Code: |
<?php
if (!isset($PHP_AUTH_USER))
{
// If empty, send header causing dialog box to appear
header('WWW-Authenticate: Basic realm="My Private Stuff"');
header('Status: 401 Unauthorized');
echo 'Authorization Required.';
exit;
}
// If not empty, display values for variables
else
{
echo "
<P>You have entered this username: $PHP_AUTH_USER<br>
You have entered this password: $PHP_AUTH_PW<br>
The authorization type is: $PHP_AUTH_TYPE</p>
";
}
?>
|
|
PHP Newbie here. :wink: Can one of you kind people please explain what this script would be used for? Is this so that other folks can't run PHP scripts on my Abyss Web Server without Username & Password???
If so, how would this script be implemented on my Abyss Web Server??? Thanks in advance! _________________ DLashley |
|
aprelium -
Joined: 22 Mar 2002 Posts: 6800
|
Posted: Sat Dec 21, 2002 1:39 am Post subject: Re: Realm Authentication |
|
|
DLashley wrote: |
PHP Newbie here. :wink: Can one of you kind people please explain what this script would be used for? Is this so that other folks can't run PHP scripts on my Abyss Web Server without Username & Password???
If so, how would this script be implemented on my Abyss Web Server??? Thanks in advance! |
This script instructs the web browser to ask the user for their name/password and then it will display them. This is just a small demo of how to make an access control restriction using a scripting language.
If you want to simply restrict access to your scripts, you can use the web server "Access control" parameters to do that. Read http://www.aprelium.com/forum/viewtopic.php?t=544 for a tutorial. _________________ Support Team
Aprelium - http://www.aprelium.com |
|
DLashley -
Joined: 18 Dec 2002 Posts: 207 Location: New York, NY
|
Posted: Sat Dec 21, 2002 3:00 am Post subject: |
|
|
Ahhhh, I see. Ok, I already know how to create password-protected directories (I used the Abyss Console to create a password-protected directory for the directory where I installed "phpMyAdmin"), but I'm a bit unsure about protecting SCRIPTS.
Are you saying that you are using the Console's Access feature to protect a script that's on a specific page (example: "mailform.php" or "mailform.pl"), so that the page itself cannot be viewed from a browser???
Pardon my newbieness, but if this is what you're referring to, won't this keep some scripts from working? Sorry, but I'm a tad bit confused. Please clarify. Thanks in advance. :) _________________ DLashley |
|
Back to top |
|
|
aprelium -
Joined: 22 Mar 2002 Posts: 6800
|
Posted: Sun Dec 22, 2002 3:33 pm Post subject: |
|
|
DLashley, if you want to protect a script with a password, you can use the console for that. No problem!
The method described above is not for "newbies" (sorry.) It is for people who want to have full control over password protection and who want to implement their own mechanism for checking the identity of the users (for example, they want to check it against a database.) _________________ Support Team
Aprelium - http://www.aprelium.com |
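
The custom check described in the reply above (verifying the user against your own store instead of the console's access control) could look like this. This is an added example, not part of the original thread or Aprelium's code; `find_hash()`, the `alice` account and its password are hypothetical and constructed for illustration, and PHP 7.4 or later is assumed.

```php
<?php
// Added example, not code from the thread. find_hash() is a hypothetical
// stand-in for a database lookup; the account below is constructed sample data.
declare(strict_types=1);

const REALM = 'My Private Stuff';

function find_hash(string $user): ?string
{
    static $users = null;
    // Constructed demo account. In practice the hash is created once at
    // enrolment with password_hash() and only the hash is stored.
    $users ??= ['alice' => password_hash('constructed-demo-password', PASSWORD_DEFAULT)];
    return $users[$user] ?? null;
}

function credentials_ok(string $user, string $password): bool
{
    // Unknown users are verified against a dummy hash so both paths do the
    // same work and response time does not reveal which names exist.
    static $dummy = null;
    $dummy ??= password_hash('unused', PASSWORD_DEFAULT);
    $hash = find_hash($user);
    $matches = password_verify($password, $hash ?? $dummy);
    return $matches && $hash !== null;
}

function challenge(): void
{
    // "Status:" is the CGI form of the status line, as in the fixed script above.
    header('WWW-Authenticate: Basic realm="' . REALM . '"');
    header('Status: 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
}

// $_SERVER replaces the $PHP_AUTH_USER-style globals used by the 2002 script.
$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$password = $_SERVER['PHP_AUTH_PW'] ?? '';

if (!is_string($user) || !is_string($password) || !credentials_ok($user, $password)) {
    challenge();
}

// The username is client-supplied: escape it, and never echo the password.
echo '<p>Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '.</p>';
```

Basic credentials travel base64-encoded, not encrypted, and are resent with every request, so a page protected this way should only be served over HTTPS.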
|
DLashley -
Joined: 18 Dec 2002 Posts: 207 Location: New York, NY
|
Posted: Sun Dec 22, 2002 8:33 pm Post subject: |
|
|
aprelium wrote: | DLashley, if you want to protect a script with a password, you can use the console for that. No problem!
The method described above is not for "newbies" (sorry.) It is for people who want to have full control over password protection and who want to implement their own mechanism for checking the identity of the users (for example, they want to check it against a database.) |
Thanks, Aprelium! That's a good way of explaining it. :)
So the setup would be to put that PHP code in the script itself, so that if some UNAUTHORIZED person tries to use it in any way, it asks them for AUTHENTICATION, and if they can't give it - the script doesn't run? If they give the correct information, it runs? Is that how that works?
If my understanding of the scenario is correct, that sounds like a good extra security measure to know about. Thanks for taking the time to explain it to the "newbie". :wink: _________________ DLashley |
|
aprelium -
Joined: 22 Mar 2002 Posts: 6800
|
Posted: Mon Dec 23, 2002 1:10 am Post subject: |
|
|
DLashley wrote: |
So the setup would be to put that PHP code in the script itself, so that if some UNAUTHORIZED person tries to use it in any way, it asks them for AUTHENTICATION, and if they can't give it - the script doesn't run? If they give the correct information, it runs? Is that how that works?
If my understanding of the scenario is correct, that sounds like a good extra security measure to know about. Thanks for taking the time to explain it to the "newbie". :wink: |
Yes, we can say that. But it works the same way as the password protection given by Abyss Web Server's console.
Our advice is to try the code above to understand how it works. Remember that it isn't really new. Any HTTP server that implements password protection uses that same technique and you can learn more about it in any good PHP book. _________________ Support Team
Aprelium - http://www.aprelium.com |
|
DLashley -
Joined: 18 Dec 2002 Posts: 207 Location: New York, NY
|
Posted: Tue Dec 24, 2002 2:49 am Post subject: |
|
|
I think I'll take your advice. Thanks again! :) _________________ DLashley |