Solved

unsetting $_server variables

Posted on 2004-04-28
11
890 Views
Last Modified: 2008-03-10
i am using $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] for user authentication, by the following code

if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="site"');
header('HTTP/1.1 401 Unauthorized');
print('You are not authorised to view this page');
exit;
}

My issue is i cant unset the $_server variables, i have tried using unset(var_name) and setting them to null, but the vars still have their values any ideas???
0
Comment
Question by:dabaracus
  • 3
  • 2
  • 2
  • +3
11 Comments
 
LVL 12

Expert Comment

by:Ivanov_G
ID: 10936795

   yep, I had the same problem ... I was not able  to change them .

   my solution was to modify my scripts to use $_SESSION....
0
 
LVL 6

Expert Comment

by:aolXFT
ID: 10937691
I don't understand.

I don't have PHP as an apache module(admin perfers CGI - can't use HTTP Authentication), but I had no problem unset()ing $_SERVER['REMOTE_ADDR'], and changing it.

Can we see some code.      
0
 
LVL 10

Assisted Solution

by:eeBlueShadow
eeBlueShadow earned 125 total points
ID: 10937795
Once a user has identified themself in response to a 401, their browser will autoamtically remember the credentials it used to access the file and use them for the rest of the session. So, you can use unset($_SERVER['PHP_AUTH_USER']) but the browser won't 'forget' to send them again until it is closed.

If you really have to get round that, you'll need to go to the trouble of setting up a PHP based auth system, complete with sessions, databases and the like.

Sorry about that, but it's a common problem,
_Blue
0
 

Author Comment

by:dabaracus
ID: 10937853
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="HSD Support"');
header('HTTP/1.0 401 Unauthorized');
print('You are not authorised to view this page');
exit;
}
require_once("dn_conn.php");
$pass = md5($_SERVER['PHP_AUTH_PW']);
$user = $_SERVER['PHP_AUTH_USER'];
$query = "SELECT * FROM user where `id` = '$user' AND `passwd` = '$pass'";
$result = mysql_query($query) or die("Query failed: " .mysql_error());
$rows = mysql_num_rows($result);
$auth = 0;
if($rows != 0)
{
      $line = mysql_fetch_object($result);
      $counter = count($allowed);

      for($i = 0; $i<$counter; $i++)
      {
            if($line->group == $allowed[$i])
            {
                  $auth = 1;
            }
      }
}
if($auth== 0)
{
    unset($_SERVER['PHP_AUTH_PW']);
    unset($_SERVER['PHP_AUTH_USER']);
    header('location: index.php');
}
?>

on the index page to test i have set to print these variables and they are still set
0
 
LVL 12

Expert Comment

by:Ivanov_G
ID: 10937934

   why don't you use $_SESSION instead of $_SERVER ...?!
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 

Author Comment

by:dabaracus
ID: 10937986
i was asked not to use sessions by person who gave me this task
0
 
LVL 2

Accepted Solution

by:
Warble earned 125 total points
ID: 10940537
eeBlueShadow is correct, the browsers do store this information, PHP does not, so unsetting the variables works for that page load, but as soon as the next page is loaded, the browser automeatically resends the information, rendering your unset() useless.

From the PHP Manual:

"Both Netscape Navigator and Internet Explorer will clear the local browser window's authentication cache for the realm upon receiving a server response of 401. This can effectively "log out" a user, forcing them to re-enter their username and password. Some people use this to "time out" logins, or provide a "log-out" button. "

This code:

header('WWW-Authenticate: Basic realm="Test Authentication System"');
    header('HTTP/1.0 401 Unauthorized');

should cause the browser in most cases (IE & Netscape) to clear the browser vars that store this information.

0
 
LVL 2

Expert Comment

by:ElForesto
ID: 10944416
Did the person that asked you to not use sessions have a real good reason for it? If not, I'd argue for scrapping that restriction as it makes your job significantly difficult. Unless they can point out a SIGNIFICANT technical reason to not use sessions, you should bring up the additional costs and development time of trying to work around that.
0
 

Author Comment

by:dabaracus
ID: 10946555
thanks guys i have sortted the issue
0
 
LVL 6

Expert Comment

by:aolXFT
ID: 10948407
Re the item in the PHP manual:

Would that logout you mention, work for .htaccess 'login's as well
0
 
LVL 2

Expert Comment

by:Warble
ID: 10950384
Thanks for the points.

In reply to aolXFT: I don't see why not. Give it a try.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will explain how to display the first page of your Microsoft Word documents (e.g. .doc, .docx, etc...) as images in a web page programatically. I have scoured the web on a way to do this unsuccessfully. The goal is to produce something …
I imagine that there are some, like me, who require a way of getting currency exchange rates for implementation in web project from time to time, so I thought I would share a solution that I have developed for this purpose. It turns out that Yaho…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now