Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

unsetting $_server variables

Posted on 2004-04-28
11
896 Views
Last Modified: 2008-03-10
i am using $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] for user authentication, by the following code

if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="site"');
header('HTTP/1.1 401 Unauthorized');
print('You are not authorised to view this page');
exit;
}

My issue is i cant unset the $_server variables, i have tried using unset(var_name) and setting them to null, but the vars still have their values any ideas???
0
Comment
Question by:dabaracus
  • 3
  • 2
  • 2
  • +3
11 Comments
 
LVL 12

Expert Comment

by:Ivanov_G
ID: 10936795

   yep, I had the same problem ... I was not able  to change them .

   my solution was to modify my scripts to use $_SESSION....
0
 
LVL 6

Expert Comment

by:aolXFT
ID: 10937691
I don't understand.

I don't have PHP as an apache module(admin perfers CGI - can't use HTTP Authentication), but I had no problem unset()ing $_SERVER['REMOTE_ADDR'], and changing it.

Can we see some code.      
0
 
LVL 10

Assisted Solution

by:eeBlueShadow
eeBlueShadow earned 125 total points
ID: 10937795
Once a user has identified themself in response to a 401, their browser will autoamtically remember the credentials it used to access the file and use them for the rest of the session. So, you can use unset($_SERVER['PHP_AUTH_USER']) but the browser won't 'forget' to send them again until it is closed.

If you really have to get round that, you'll need to go to the trouble of setting up a PHP based auth system, complete with sessions, databases and the like.

Sorry about that, but it's a common problem,
_Blue
0
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 

Author Comment

by:dabaracus
ID: 10937853
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="HSD Support"');
header('HTTP/1.0 401 Unauthorized');
print('You are not authorised to view this page');
exit;
}
require_once("dn_conn.php");
$pass = md5($_SERVER['PHP_AUTH_PW']);
$user = $_SERVER['PHP_AUTH_USER'];
$query = "SELECT * FROM user where `id` = '$user' AND `passwd` = '$pass'";
$result = mysql_query($query) or die("Query failed: " .mysql_error());
$rows = mysql_num_rows($result);
$auth = 0;
if($rows != 0)
{
      $line = mysql_fetch_object($result);
      $counter = count($allowed);

      for($i = 0; $i<$counter; $i++)
      {
            if($line->group == $allowed[$i])
            {
                  $auth = 1;
            }
      }
}
if($auth== 0)
{
    unset($_SERVER['PHP_AUTH_PW']);
    unset($_SERVER['PHP_AUTH_USER']);
    header('location: index.php');
}
?>

on the index page to test i have set to print these variables and they are still set
0
 
LVL 12

Expert Comment

by:Ivanov_G
ID: 10937934

   why don't you use $_SESSION instead of $_SERVER ...?!
0
 

Author Comment

by:dabaracus
ID: 10937986
i was asked not to use sessions by person who gave me this task
0
 
LVL 2

Accepted Solution

by:
Warble earned 125 total points
ID: 10940537
eeBlueShadow is correct, the browsers do store this information, PHP does not, so unsetting the variables works for that page load, but as soon as the next page is loaded, the browser automeatically resends the information, rendering your unset() useless.

From the PHP Manual:

"Both Netscape Navigator and Internet Explorer will clear the local browser window's authentication cache for the realm upon receiving a server response of 401. This can effectively "log out" a user, forcing them to re-enter their username and password. Some people use this to "time out" logins, or provide a "log-out" button. "

This code:

header('WWW-Authenticate: Basic realm="Test Authentication System"');
    header('HTTP/1.0 401 Unauthorized');

should cause the browser in most cases (IE & Netscape) to clear the browser vars that store this information.

0
 
LVL 2

Expert Comment

by:ElForesto
ID: 10944416
Did the person that asked you to not use sessions have a real good reason for it? If not, I'd argue for scrapping that restriction as it makes your job significantly difficult. Unless they can point out a SIGNIFICANT technical reason to not use sessions, you should bring up the additional costs and development time of trying to work around that.
0
 

Author Comment

by:dabaracus
ID: 10946555
thanks guys i have sortted the issue
0
 
LVL 6

Expert Comment

by:aolXFT
ID: 10948407
Re the item in the PHP manual:

Would that logout you mention, work for .htaccess 'login's as well
0
 
LVL 2

Expert Comment

by:Warble
ID: 10950384
Thanks for the points.

In reply to aolXFT: I don't see why not. Give it a try.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Deprecated and Headed for the Dustbin By now, you have probably heard that some PHP features, while convenient, can also cause PHP security problems.  This article discusses one of those, called register_globals.  It is a thing you do not want.  …
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question