[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 909
  • Last Modified:

unsetting $_server variables

i am using $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] for user authentication, by the following code

if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="site"');
header('HTTP/1.1 401 Unauthorized');
print('You are not authorised to view this page');
exit;
}

My issue is i cant unset the $_server variables, i have tried using unset(var_name) and setting them to null, but the vars still have their values any ideas???
0
dabaracus
Asked:
dabaracus
  • 3
  • 2
  • 2
  • +3
2 Solutions
 
Ivanov_GCommented:

   yep, I had the same problem ... I was not able  to change them .

   my solution was to modify my scripts to use $_SESSION....
0
 
aolXFTCommented:
I don't understand.

I don't have PHP as an apache module(admin perfers CGI - can't use HTTP Authentication), but I had no problem unset()ing $_SERVER['REMOTE_ADDR'], and changing it.

Can we see some code.      
0
 
eeBlueShadowCommented:
Once a user has identified themself in response to a 401, their browser will autoamtically remember the credentials it used to access the file and use them for the rest of the session. So, you can use unset($_SERVER['PHP_AUTH_USER']) but the browser won't 'forget' to send them again until it is closed.

If you really have to get round that, you'll need to go to the trouble of setting up a PHP based auth system, complete with sessions, databases and the like.

Sorry about that, but it's a common problem,
_Blue
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
dabaracusAuthor Commented:
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="HSD Support"');
header('HTTP/1.0 401 Unauthorized');
print('You are not authorised to view this page');
exit;
}
require_once("dn_conn.php");
$pass = md5($_SERVER['PHP_AUTH_PW']);
$user = $_SERVER['PHP_AUTH_USER'];
$query = "SELECT * FROM user where `id` = '$user' AND `passwd` = '$pass'";
$result = mysql_query($query) or die("Query failed: " .mysql_error());
$rows = mysql_num_rows($result);
$auth = 0;
if($rows != 0)
{
      $line = mysql_fetch_object($result);
      $counter = count($allowed);

      for($i = 0; $i<$counter; $i++)
      {
            if($line->group == $allowed[$i])
            {
                  $auth = 1;
            }
      }
}
if($auth== 0)
{
    unset($_SERVER['PHP_AUTH_PW']);
    unset($_SERVER['PHP_AUTH_USER']);
    header('location: index.php');
}
?>

on the index page to test i have set to print these variables and they are still set
0
 
Ivanov_GCommented:

   why don't you use $_SESSION instead of $_SERVER ...?!
0
 
dabaracusAuthor Commented:
i was asked not to use sessions by person who gave me this task
0
 
WarbleCommented:
eeBlueShadow is correct, the browsers do store this information, PHP does not, so unsetting the variables works for that page load, but as soon as the next page is loaded, the browser automeatically resends the information, rendering your unset() useless.

From the PHP Manual:

"Both Netscape Navigator and Internet Explorer will clear the local browser window's authentication cache for the realm upon receiving a server response of 401. This can effectively "log out" a user, forcing them to re-enter their username and password. Some people use this to "time out" logins, or provide a "log-out" button. "

This code:

header('WWW-Authenticate: Basic realm="Test Authentication System"');
    header('HTTP/1.0 401 Unauthorized');

should cause the browser in most cases (IE & Netscape) to clear the browser vars that store this information.

0
 
ElForestoCommented:
Did the person that asked you to not use sessions have a real good reason for it? If not, I'd argue for scrapping that restriction as it makes your job significantly difficult. Unless they can point out a SIGNIFICANT technical reason to not use sessions, you should bring up the additional costs and development time of trying to work around that.
0
 
dabaracusAuthor Commented:
thanks guys i have sortted the issue
0
 
aolXFTCommented:
Re the item in the PHP manual:

Would that logout you mention, work for .htaccess 'login's as well
0
 
WarbleCommented:
Thanks for the points.

In reply to aolXFT: I don't see why not. Give it a try.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 3
  • 2
  • 2
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now