?
Solved

unsetting $_server variables

Posted on 2004-04-28
11
Medium Priority
?
905 Views
Last Modified: 2008-03-10
i am using $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] for user authentication, by the following code

if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="site"');
header('HTTP/1.1 401 Unauthorized');
print('You are not authorised to view this page');
exit;
}

My issue is i cant unset the $_server variables, i have tried using unset(var_name) and setting them to null, but the vars still have their values any ideas???
0
Comment
Question by:dabaracus
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +3
11 Comments
 
LVL 12

Expert Comment

by:Ivanov_G
ID: 10936795

   yep, I had the same problem ... I was not able  to change them .

   my solution was to modify my scripts to use $_SESSION....
0
 
LVL 6

Expert Comment

by:aolXFT
ID: 10937691
I don't understand.

I don't have PHP as an apache module(admin perfers CGI - can't use HTTP Authentication), but I had no problem unset()ing $_SERVER['REMOTE_ADDR'], and changing it.

Can we see some code.      
0
 
LVL 10

Assisted Solution

by:eeBlueShadow
eeBlueShadow earned 500 total points
ID: 10937795
Once a user has identified themself in response to a 401, their browser will autoamtically remember the credentials it used to access the file and use them for the rest of the session. So, you can use unset($_SERVER['PHP_AUTH_USER']) but the browser won't 'forget' to send them again until it is closed.

If you really have to get round that, you'll need to go to the trouble of setting up a PHP based auth system, complete with sessions, databases and the like.

Sorry about that, but it's a common problem,
_Blue
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:dabaracus
ID: 10937853
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="HSD Support"');
header('HTTP/1.0 401 Unauthorized');
print('You are not authorised to view this page');
exit;
}
require_once("dn_conn.php");
$pass = md5($_SERVER['PHP_AUTH_PW']);
$user = $_SERVER['PHP_AUTH_USER'];
$query = "SELECT * FROM user where `id` = '$user' AND `passwd` = '$pass'";
$result = mysql_query($query) or die("Query failed: " .mysql_error());
$rows = mysql_num_rows($result);
$auth = 0;
if($rows != 0)
{
      $line = mysql_fetch_object($result);
      $counter = count($allowed);

      for($i = 0; $i<$counter; $i++)
      {
            if($line->group == $allowed[$i])
            {
                  $auth = 1;
            }
      }
}
if($auth== 0)
{
    unset($_SERVER['PHP_AUTH_PW']);
    unset($_SERVER['PHP_AUTH_USER']);
    header('location: index.php');
}
?>

on the index page to test i have set to print these variables and they are still set
0
 
LVL 12

Expert Comment

by:Ivanov_G
ID: 10937934

   why don't you use $_SESSION instead of $_SERVER ...?!
0
 

Author Comment

by:dabaracus
ID: 10937986
i was asked not to use sessions by person who gave me this task
0
 
LVL 2

Accepted Solution

by:
Warble earned 500 total points
ID: 10940537
eeBlueShadow is correct, the browsers do store this information, PHP does not, so unsetting the variables works for that page load, but as soon as the next page is loaded, the browser automeatically resends the information, rendering your unset() useless.

From the PHP Manual:

"Both Netscape Navigator and Internet Explorer will clear the local browser window's authentication cache for the realm upon receiving a server response of 401. This can effectively "log out" a user, forcing them to re-enter their username and password. Some people use this to "time out" logins, or provide a "log-out" button. "

This code:

header('WWW-Authenticate: Basic realm="Test Authentication System"');
    header('HTTP/1.0 401 Unauthorized');

should cause the browser in most cases (IE & Netscape) to clear the browser vars that store this information.

0
 
LVL 2

Expert Comment

by:ElForesto
ID: 10944416
Did the person that asked you to not use sessions have a real good reason for it? If not, I'd argue for scrapping that restriction as it makes your job significantly difficult. Unless they can point out a SIGNIFICANT technical reason to not use sessions, you should bring up the additional costs and development time of trying to work around that.
0
 

Author Comment

by:dabaracus
ID: 10946555
thanks guys i have sortted the issue
0
 
LVL 6

Expert Comment

by:aolXFT
ID: 10948407
Re the item in the PHP manual:

Would that logout you mention, work for .htaccess 'login's as well
0
 
LVL 2

Expert Comment

by:Warble
ID: 10950384
Thanks for the points.

In reply to aolXFT: I don't see why not. Give it a try.
0

Featured Post

Secure Your WordPress Site: 5 Essential Approaches

WordPress is the web's most popular CMS, but its dominance also makes it a target for attackers. Our eBook will show you how to:

Prevent costly exploits of core and plugin vulnerabilities
Repel automated attacks
Lock down your dashboard, secure your code, and protect your users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Popularity Can Be Measured Sometimes we deal with questions of popularity, and we need a way to collect opinions from our clients.  This article shows a simple teaching example of how we might elect a favorite color by letting our clients vote for …
Author Note: Since this E-E article was originally written, years ago, formal testing has come into common use in the world of PHP.  PHPUnit (http://en.wikipedia.org/wiki/PHPUnit) and similar technologies have enjoyed wide adoption, making it possib…
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question