unsetting $_server variables

i am using $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] for user authentication, by the following code

if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="site"');
header('HTTP/1.1 401 Unauthorized');
print('You are not authorised to view this page');
exit;
}

My issue is i cant unset the $_server variables, i have tried using unset(var_name) and setting them to null, but the vars still have their values any ideas???
dabaracusAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
WarbleConnect With a Mentor Commented:
eeBlueShadow is correct, the browsers do store this information, PHP does not, so unsetting the variables works for that page load, but as soon as the next page is loaded, the browser automeatically resends the information, rendering your unset() useless.

From the PHP Manual:

"Both Netscape Navigator and Internet Explorer will clear the local browser window's authentication cache for the realm upon receiving a server response of 401. This can effectively "log out" a user, forcing them to re-enter their username and password. Some people use this to "time out" logins, or provide a "log-out" button. "

This code:

header('WWW-Authenticate: Basic realm="Test Authentication System"');
    header('HTTP/1.0 401 Unauthorized');

should cause the browser in most cases (IE & Netscape) to clear the browser vars that store this information.

0
 
Ivanov_GCommented:

   yep, I had the same problem ... I was not able  to change them .

   my solution was to modify my scripts to use $_SESSION....
0
 
aolXFTCommented:
I don't understand.

I don't have PHP as an apache module(admin perfers CGI - can't use HTTP Authentication), but I had no problem unset()ing $_SERVER['REMOTE_ADDR'], and changing it.

Can we see some code.      
0
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
eeBlueShadowConnect With a Mentor Commented:
Once a user has identified themself in response to a 401, their browser will autoamtically remember the credentials it used to access the file and use them for the rest of the session. So, you can use unset($_SERVER['PHP_AUTH_USER']) but the browser won't 'forget' to send them again until it is closed.

If you really have to get round that, you'll need to go to the trouble of setting up a PHP based auth system, complete with sessions, databases and the like.

Sorry about that, but it's a common problem,
_Blue
0
 
dabaracusAuthor Commented:
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="HSD Support"');
header('HTTP/1.0 401 Unauthorized');
print('You are not authorised to view this page');
exit;
}
require_once("dn_conn.php");
$pass = md5($_SERVER['PHP_AUTH_PW']);
$user = $_SERVER['PHP_AUTH_USER'];
$query = "SELECT * FROM user where `id` = '$user' AND `passwd` = '$pass'";
$result = mysql_query($query) or die("Query failed: " .mysql_error());
$rows = mysql_num_rows($result);
$auth = 0;
if($rows != 0)
{
      $line = mysql_fetch_object($result);
      $counter = count($allowed);

      for($i = 0; $i<$counter; $i++)
      {
            if($line->group == $allowed[$i])
            {
                  $auth = 1;
            }
      }
}
if($auth== 0)
{
    unset($_SERVER['PHP_AUTH_PW']);
    unset($_SERVER['PHP_AUTH_USER']);
    header('location: index.php');
}
?>

on the index page to test i have set to print these variables and they are still set
0
 
Ivanov_GCommented:

   why don't you use $_SESSION instead of $_SERVER ...?!
0
 
dabaracusAuthor Commented:
i was asked not to use sessions by person who gave me this task
0
 
ElForestoCommented:
Did the person that asked you to not use sessions have a real good reason for it? If not, I'd argue for scrapping that restriction as it makes your job significantly difficult. Unless they can point out a SIGNIFICANT technical reason to not use sessions, you should bring up the additional costs and development time of trying to work around that.
0
 
dabaracusAuthor Commented:
thanks guys i have sortted the issue
0
 
aolXFTCommented:
Re the item in the PHP manual:

Would that logout you mention, work for .htaccess 'login's as well
0
 
WarbleCommented:
Thanks for the points.

In reply to aolXFT: I don't see why not. Give it a try.
0
All Courses

From novice to tech pro — start learning today.