|
|
You could use mod_auth_mysql. You can also use PHP directly.
The way I normally do it is to create an auth.inc file that I then
include at the top of each file that requires authentication. Because of
the way http authentication works, the user is only prompted for their
username/password combination the first time they hit one of the pages
that requires authentication and you will be able to access both their
username and password on each of these pages with $PHP_AUTH_USER and the
password is available as $PHP_AUTH_PW.
The advantage to using PHP over mod_auth_mysql is in the fact that if you
are storing other things about each user in the user record you authenticate
against then you can pull this info out in the same query as the
authentication query.
Here is a complete example of an auth.inc script that I am using on one
of my sites. I have xxx'ed out some of the stuff I don't feel like showing
everyone. You should be able to modify this for your own use:
<?
if(!isset($PHP_AUTH_USER)) {
Header("WWW-authenticate: basic realm=\"XXX\"");
Header("HTTP/1.0 401 Unauthorized");
$title="Login Instructions";
?>
<blockquote>
In order to enter this section of the web site, you must be an XXX
subscriber. If you are a subscriber and you are having trouble logging
in,
please contact <a href="mailto:[email protected]">[email protected]</a>.
</blockquote>
<?
exit;
} else {
mysql_pconnect("localhost","nobody","") or die("Unable to connect to
SQL server");
mysql_select_db("xxx") or die("Unable to select database");
$user_id=strtolower($PHP_AUTH_USER);
$password=$PHP_AUTH_PW;
$query = mysql_query("select * from users where user_id='$user_id' and
password='$password'");
if(!mysql_num_rows($query)) {
Header("WWW-authenticate: basic realm=\"XXX\"");
Header("HTTP/1.0 401 Unauthorized");
$title="Login Instructions";
?>
<blockquote>
In order to enter this section of the web site, you must be an XXX
subscriber. If you are a subscriber and you are having trouble
logging in,
please contact <a href="mailto:[email protected]">[email protected]</a>.
</blockquote>
<?
exit;
}
/* Here I pick out some other useful info from my database that
then available to any script that includes this file */
$name=mysql_result($query,0,"name");
$email=mysql_result($query,0,"email");
mysql_free_result($query);
}
?>
|
|
| Basic Authentication with sessions
Categories : PHP, Beginner Guides, Authentication, Form Processing, Sessions | | | Simple and fast user authentication
Categories : PHP, PHP Classes, Authentication | | | AUTH (.htaccess style) - a login system that uses PostgreSQL.
Categories : PHP, Authentication, Databases, PostgreSQL | | | Form Security - Match A Value For Success
Categories : PHP, Authentication, HTML and PHP, Sessions, Security | | | complete, simple, working example of a login screen/system using php functions, cookies, and a mysql database for begginers.
Categories : Authentication, Complete Programs, PHP, MySQL, Databases | | | PHP4 MYSQL Authentication Script with cookie. Short & Sweet
Categories : Authentication, Apache, Cookies, PHP, MySQL | | | phpSecurePages is a PHP module to secures pages with a loginname and
password. It handles multiple user groups (each has own viewing rights),
store data in a MySQL database or a configuration file, and can be used to
identify Web site viewers.
Categories : PHP, Security, Authentication | | | Function to remember password
Categories : PHP, Authentication, Personalization and Membership | | | redirect redirection ip address authentication authenticate addr
Categories : Authentication, HTTP, Network, PHP | | | Full membership authentication system.
Categories : Authentication, MySQL, PHP, Databases | | | what salt do I have to feed the crypt function with to make it work like the htpasswd command of apache?
Categories : Algorithms, PHP, Authentication | | | Authenticating against .htpasswd style files.
Categories : Authentication, PHP | | | Using Postgres and PHP3 Authentication from a Web application
Categories : PostgreSQL, HTML and PHP, Authentication, PHP | | | Authenticator for Exchange Server LDAP
Categories : PHP, Authentication, LDAP, Security, Sessions | | | Authorize Me! An authentication script.
Categories : MySQL, Databases, Authentication, PHP | |
| |
| | | | | Ron Valli wrote : 60
Thank you for this article. It was very useful in getting WWW-authenticate working on my site. Is there a
way to change the field text on the window that pops up. I want to change the text "User Name" to
"Member ID". Also, is there a way that I can pre-load the "User Name" field with data. Let`s say the member
ID for example. My users are getting confused when Windows pre-load their name in User Name field.
Thanks, Ron
| | | | David Koopman wrote : 64
I would like to find out how to reset the
$PHP_AUTH_PW to NULL or set it to nothing. This
would be very handy for allowing authenticated guests
to "logout." I can set $PHP_AUTH_PW = "" but this
doesn`t do the trick. I need to tell the client`s browser
to "forget" his/her password. Is this possible? I can
reset a cookie password with SetCookie
("password",""). Can I send a cookie named
PHP_AUTH_PW? I will try it, but I doubt it will work.
Send help via e-mail if you know the answer.
| | | | Jason Lambertson wrote : 89
The code is good, but I need a way that
effectively logs a user out (resets PHP_AUTH_USER
and PHP_AUTH_PW) when they click a Logout button.
Any suggestions?
| | | | Boaz Yahav wrote : 90
Why not keep track of users in a session table or better
yet, use the real thing with PHP4? This way, the
authentication is not enough and you can also set a
timeout and even expire a user when you wish.
| | | | Ronnie Schwartz wrote : 116
I would recommend, from personal experience, that you rename
all "auth.inc" files to "auth.php3" That way if a person
goes directly to the file he won`t get your actual code.
| | | | Boaz Yahav wrote : 117
Simply add the folowing line in your .htaccess :
AddType application/x-httpd-php php3 inc html
now php will run files with php3 extention and inc and
html and you can add as many extentions as you like....
berber
| | | | Darren Moore wrote : 120
I dont get this, so if i set $PHP_AUTH_USER and
$PHP_AUTH_PW in a script it will store it and let me log
on with out the popup screen? It does not seem to
work, I got a file in /php/ which sets the variables and
the access is to /php/admin/ but it does not seem to
work, it just asks for the password again
| | | | Shlomo Zippel wrote : 206
I copied this from the php manual:
Both Netscape and Internet Explorer will clear the local
browser window`s authentication cache for the realm
upon receiving a server response of 401. This can
effectively "log out" a user, forcing them to re-enter
their username and password. Some people use this
to "time out" logins, or provide a "log-out" button.
This behavior is not required by the HTTP Basic
authentication standard, so you should never depend
on this. Testing with Lynx has shown that Lynx does
not clear the authentication credentials with a 401
server response, so pressing back and then forward
again will open the resource (as long as the credential
requirements haven`t changed).
Btw - Can i use a form with PHP_AUTH_USER and
PHP_AUTH_PW as text/password fields instead of the
popup?
| | | | chiedu okpala wrote : 284
This was a wonderful example but i have a problem just
like many people here on setting the variables
$PHP_AUTH_USER and $PHP_AUTH_PW to nothing. So
when a call to the isset function is called it would
readsfalse.
| | | | mike yankovski wrote : 457
Yeah, like many others, i`m trying to find out how to set PHP_AUTH_USER and PHP_AUTH_PW to something manually, inside the script. And also, i know there`s another variable PHP_AUTH_TYPE or something like that, what is it for ? Please reply via email if possible
Thanks alot
| | | | day walkery wrote :774
Why let php4 parse the .inc files?
They are included!!!
Why rename them to .php(3)?
To SECURE .inc files add this to your apache.conf (httpd.conf)
<Files "global.inc">
Order allow,deny
Deny from all
</Files>
(i always call my files global.inc global def`s etc etc)
Now NOBODY will be able to read them, open them, etc etc. They can only be used included in php files.
Letting the php engine parse them DOES NOT SECURE THEM@!
| |
|
|
