Realm Authentication

 
feamsr00

Posted: Wed Jun 05, 2002 5:38 am    Post subject: Realm Authentication

I am trying to make PHP emulate a secure realm in Abyss.

Code:
<?php
   if (!isset($PHP_AUTH_USER))
   {
      // If empty, send header causing dialog box to appear
      header('WWW-Autheenticate: Basic realm="My Private Stuff"');
      header('HTTP/1.0 401 Unauthorized');
      echo 'Authorization Required.';
      exit;
   }

      // If not empty, display values for variables

   else
   {

      echo "
      <P>You have entered this username: $PHP_AUTH_USER<br>
      You have entered this password: $PHP_AUTH_PW<br>
      The authorization type is: $PHP_AUTH_TYPE</p>
      ";

   }

?>

However that produces:

Error 500
Internal Server Error

But if I strip it down to:

Code:
<?php
  header("WWW-Authenticate: " .
         "Basic realm=\"Protected Page: " .
         "Enter your username and password " .
         "for access.\"");
  header("HTTP/1.0 401 Unauthorized");
  // Display message if user cancels dialog
  ?>
  <HTML>
  <HEAD><TITLE>Authorization Failed</TITLE></HEAD>
  <BODY>
  <H1>Authorization Failed</H1>
  <P>Without a valid username and password,
     access to this page cannot be granted.
     Please click &#8216;reload&#8217; and enter a
     username and password when prompted.
  </P>
  </BODY>
  </HTML>

It still does not ask me to log in. Is there any way, PHP or other, to get user validation like:

Error 401
Unauthorized

(This is when no password is entered for console)

Are there headers being sent that I can/cannot change? Does Abyss allow secure communications? Can you help me make this work, or is there some other way that Abyss supports secure communications?

aprelium

Posted: Wed Jun 05, 2002 7:10 pm    Post subject: Re: Realm Authentication

What was wrong with the two examples is the use of header("HTTP/1.0 401 Unauthorized"). You should use header("Status: 401 Unauthorized") to be fully compliant with the CGI specification and to allow the scripts to work (Error 500 was reported because you broke the rules of the specification).
Here is a fixed version of the first script which works (we have also fixed a typing error in WWW-Authenticate :-) ):
Code:

<?php
if (!isset($PHP_AUTH_USER))
{
   // If empty, send header causing dialog box to appear
   header('WWW-Authenticate: Basic realm="My Private Stuff"');
   header('Status: 401 Unauthorized');
   echo 'Authorization Required.';
   exit;
}
// If not empty, display values for variables
else
{
   echo "
   <P>You have entered this username: $PHP_AUTH_USER<br>
   You have entered this password: $PHP_AUTH_PW<br>
   The authorization type is: $PHP_AUTH_TYPE</p>
   ";
}
?>

_________________
Support Team
Aprelium - http://www.aprelium.com

DLashley

Posted: Fri Dec 20, 2002 9:40 pm    Post subject: Re: Realm Authentication

aprelium wrote:
What was wrong with the two examples is the use of header("HTTP/1.0 401 Unauthorized"). You should use header("Status: 401 Unauthorized") to be fully compliant with the CGI specification and to allow the scripts to work (Error 500 was reported because you broke the rules of the specification).
Here is a fixed version of the first script which works (we have also fixed a typing error in WWW-Authenticate :-) ):
Code:

<?php
if (!isset($PHP_AUTH_USER))
{
   // If empty, send header causing dialog box to appear
   header('WWW-Authenticate: Basic realm="My Private Stuff"');
   header('Status: 401 Unauthorized');
   echo 'Authorization Required.';
   exit;
}
// If not empty, display values for variables
else
{
   echo "
   <P>You have entered this username: $PHP_AUTH_USER<br>
   You have entered this password: $PHP_AUTH_PW<br>
   The authorization type is: $PHP_AUTH_TYPE</p>
   ";
}
?>


PHP Newbie here. :wink: Can one of you kind people please explain what this script would be used for? Is this so that other folks can't run PHP scripts on my Abyss Web Server without Username & Password???

If so, how would this script be implemented on my Abyss Web Server??? Thanks in advance!
_________________
DLashley

aprelium

Posted: Sat Dec 21, 2002 1:39 am    Post subject: Re: Realm Authentication

DLashley wrote:

PHP Newbie here. :wink: Can one of you kind people please explain what this script would be used for? Is this so that other folks can't run PHP scripts on my Abyss Web Server without Username & Password???

If so, how would this script be implemented on my Abyss Web Server??? Thanks in advance!

This script instructs the web browser to ask the user for their name/password and then it will display them. This is just a small demo of how to make access control restriction using a scripting language.
If you want to simply restrict access to your scripts, you can use the web server "Access control" parameters to do that. Read http://www.aprelium.com/forum/viewtopic.php?t=544 for a tutorial.
_________________
Support Team
Aprelium - http://www.aprelium.com

DLashley

Posted: Sat Dec 21, 2002 3:00 am

Ahhhh, I see. Ok, I already know how to create password-protected directories (I used the Abyss Console to create a password-protected directory for the directory where I installed "phpMyAdmin"), but I'm a bit unsure about protecting SCRIPTS.

Are you saying that you are using the Console's Access feature to protect a script that's on a specific page (example: "mailform.php" or "mailform.pl"), so that the page itself cannot be viewed from a browser???

Pardon my newbieness, but if this is what you're referring to, won't this keep some scripts from working? Sorry, but I'm a tad bit confused. Please clarify. Thanks in advance. :)
_________________
DLashley

aprelium

Posted: Sun Dec 22, 2002 3:33 pm

DLashley, if you want to protect a script with a password, you can use the console for that. No problem!
The method described above is not for "newbies" (sorry.) It is for people who want to have full control over password protection and who want to implement their own mechanism for checking the identity of the users (for example, they want to check it against a database.)
_________________
Support Team
Aprelium - http://www.aprelium.com
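
The approach described in aprelium's replies above (a CGI-style `Status:` header plus your own identity check), as an added example that is not part of the original thread or Aprelium's code. The user table, the sample password and the `HTTP_AUTHORIZATION` fallback are assumptions, and credentials are read from `$_SERVER` rather than the register_globals variables used in the thread.

```php
<?php
// Added example, not code from the thread. The user table is constructed
// sample data; a real site would load stored password hashes from a database.
$users = ['alice' => password_hash('constructed-sample-pw', PASSWORD_DEFAULT)];

// Return [user, password] sent by the browser, or null if none were sent.
function basic_credentials(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    // Assumption: some CGI setups expose only the raw Authorization header.
    $raw = $server['HTTP_AUTHORIZATION'] ?? '';
    if (stripos($raw, 'Basic ') === 0) {
        $decoded = base64_decode(substr($raw, 6), true);
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            return explode(':', $decoded, 2);
        }
    }
    return null;
}

// True only when the user exists and the password matches the stored hash.
function is_authorized(?array $creds, array $users): bool
{
    if ($creds === null) {
        return false;
    }
    [$user, $pass] = $creds;
    $known = isset($users[$user]);
    // Unknown users still cost one hash operation, so timing reveals less.
    $hash = $known ? $users[$user] : password_hash('unused', PASSWORD_DEFAULT);
    return password_verify($pass, $hash) && $known;
}

$creds = basic_credentials($_SERVER);
if (!is_authorized($creds, $users)) {
    // Same two headers as the fixed script: challenge plus CGI status line.
    header('WWW-Authenticate: Basic realm="My Private Stuff"');
    header('Status: 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
}
// Escape before echoing: the username is attacker-controlled input.
echo '<p>Welcome, ' . htmlspecialchars($creds[0], ENT_QUOTES, 'UTF-8') . '</p>';
```

Basic authentication sends the password base64-encoded on every request, so the check is only as private as the transport it runs over.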

DLashley

Posted: Sun Dec 22, 2002 8:33 pm

aprelium wrote:
DLashley, if you want to protect a script with a password, you can use the console for that. No problem!
The method described above is not for "newbies" (sorry.) It is for people who want to have full control over password protection and who want to implement their own mechanism for checking the identity of the users (for example, they want to check it against a database.)


Thanks, Aprelium! That's a good way of explaining it. :)

So the setup would be to put that PHP code in the script itself, so that if some UNAUTHORIZED person tries to use it in any way, it asks them for AUTHENTICATION, and if they can't give it - the script doesn't run? If they give the correct information, it runs? Is that how that works?

If my understanding of the scenario is correct, that sounds like a good extra security measure to know about. Thanks for taking the time to explain it to the "newbie". :wink:
_________________
DLashley

aprelium

Posted: Mon Dec 23, 2002 1:10 am

DLashley wrote:

So the setup would be to put that PHP code in the script itself, so that if some UNAUTHORIZED person tries to use it in any way, it asks them for AUTHENTICATION, and if they can't give it - the script doesn't run? If they give the correct information, it runs? Is that how that works?

If my understanding of the scenario is correct, that sounds like a good extra security measure to know about. Thanks for taking the time to explain it to the "newbie". :wink:

Yes, we can say that. But it works the same way as the password protection given by Abyss Web Server's console.
Our advice is to try the code above to understand how it works. Remember that it isn't really new. Any HTTP server that implements password protection uses that same technique and you can learn more about it in any good PHP book.
_________________
Support Team
Aprelium - http://www.aprelium.com

DLashley

Posted: Tue Dec 24, 2002 2:49 am

I think I'll take your advice. Thanks again! :)
_________________
DLashley

All times are GMT + 1 Hour