Posted by Jerry Stuckle on 08/25/07 18:12
gosha bine wrote:
> Jerry Stuckle wrote:
>> gosha bine wrote:
>>> Jerry Stuckle wrote:
>>>> Álvaro G. Vicario wrote:
>>>>> rogerjames1@googlemail.com escribió:
>>>>>> Was going to use .htaccess but I'd require a better user management
>>>>>> with MySQL database, registration page, admin page, forgot password
>>>>>> feature.
>>>>>>
>>>>>> Would coding a script that runs every minute and dumps user/pass to
>>>>>> a .htpasswd file be too taxing on a high traffic site?
>>>>>
>>>>> There're several modules that provide HTTP authentication in
>>>>> Apache. I'm not sure of which ones are usually available in hosting
>>>>> services but I've used mod_auth_mysql for several years and it
>>>>> works fine:
>>>>>
>>>>> http://modauthmysql.sourceforge.net/
>>>>>
>>>>> However, you must be aware that you won't be able to use a custom
>>>>> login form if you use HTTP authentication. Even if you validate a
>>>>> user using a form, the browser won't know about it and will open
>>>>> its own prompt and ask for credentials. I've never found an
>>>>> acceptable workaround.
>>>>>
>>>>>
>>>>>
>>>>
>>>> There isn't. HTTP authentication comes into play before any calls
>>>> to the files themselves. Unfortunately, there's no way to tell the
>>>> browser what to send for authentication credentials except through
>>>> the HTTP authentication mechanism (i.e. no PHP or JavaScript code
>>>> can force it).
>>>>
>>>>
>>>>
>>>
>>> Might want to read this
>>>
>>> http://www.php.net/manual/en/features.http-auth.php
>>>
>>>
>>
>> Yes, I'm familiar with it. And all you can do is send a "401
>> Authentication Required" header.
>
> No, just read it. You can send "WWW-Authenticate" and specify realm and
> authentication type (basic, digest). You can also send the text that
> will be shown if authentication fails.
>
Yes, but you can't force the browser to provide a list of credentials in
lieu of the popup box you get when accessing a restricted directory.
>>
>> Additionally, you can get the authentication information from the
>> $_SERVER variables.
>>
>> But there is no way you can force the browser to send authentication
>> information from either PHP or JavaScript. And nothing in this
>> contradicts my statement.
>
> Your statement is fairly unclear. I fail to see how the browser can "send"
> anything "from PHP". PHP is not something the browser is aware of (I
> know, you're familiar with that fact).
>
No, my statement is perfectly clear. When a request for ANY protected
resource is made, the browser must send the appropriate authentication
data. For instance, if you have a web page with seven images, all in a
protected directory, the browser will make eight requests, and have to
send eight sets of credentials. There is no way for PHP or JavaScript
to bypass this, but the browser handles it automatically. You should be
able to do it with a browser extension, but that would require everyone
using the site to download the extension.
And PHP can't do anything about it (other than redirect the user)
because if the user doesn't authenticate, the page is never loaded.
And this doesn't work for non-PHP files.
>>
>> I've been developer/admin of mod_auth_mysql for several years, and
>> thoroughly understand how it works. I suggest you reread the article
>> and learn how HTTP authentication works.
>>
>
> No one questions your skills. You take it too personally. ;)
>
>
No, I'm just pointing out that I understand how HTTP authentication works.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
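
Added example, not part of the original post or of mod_auth_mysql: a minimal PHP script showing the mechanism debated in this thread, where the server sends the 401 challenge with "WWW-Authenticate" and then reads whatever credentials the browser attaches to each request from $_SERVER. The user name, password, realm and function names are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed user table for this example. In the setup discussed in the
// thread, the hash would be read from the MySQL users table instead.
$users = ['alice' => password_hash('example-password', PASSWORD_DEFAULT)];

/** Send the challenge that makes the browser open its own login prompt. */
function send_challenge(string $realm): void
{
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    http_response_code(401);
    // Body is shown only if the user cancels the prompt.
    echo 'Authentication required.';
    exit;
}

/** Check the credentials the browser attached to this one request. */
function is_authenticated(array $server, array $users): bool
{
    // PHP fills these from the Authorization header (assumes a server setup
    // where PHP receives it, e.g. running as an Apache module).
    $user = $server['PHP_AUTH_USER'] ?? null;
    $pass = $server['PHP_AUTH_PW'] ?? null;
    if (!is_string($user) || !is_string($pass)) {
        return false; // no credentials on this request
    }
    $known = array_key_exists($user, $users);
    // Unknown users are checked against a throwaway hash so the response
    // time does not reveal which user names exist.
    $hash = $known
        ? $users[$user]
        : password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    return password_verify($pass, $hash) && $known;
}

// Runs on every request routed to this script; there is no login state.
if (!is_authenticated($_SERVER, $users)) {
    send_challenge('Members'); // 'Members' is a constructed realm name
}

echo 'Hello, ' . htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES, 'UTF-8');
```

Basic credentials are only base64-encoded, so serve this over HTTPS. Static files such as images never reach this script, so they are not covered unless requests for them are also routed through PHP.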