Posted by Steve on 10/17/07 19:18
"David Hennessy" <david@maidix.com> wrote in message news:k8qdnVeMRfB-oIvanZ2dnUVZ_sbinZ2d@comcast.com...
 > Jeremy wrote:
 >> David Hennessy wrote:
 >>> Hi! Is there any way to limit the number of retries when using HTTP
 >>> authentication in PHP?
 >>>
 >>
 >> Despite what everyone else says, this is possible with PHP (though not
 >> with Apache's built-in HTTP authentication, AFAIK).
 >>
 >> Read this:
 >>
 >> http://us2.php.net/manual/en/features.http-auth.php
 >>
 >> The idea is that when the user first tries to access the document, you
 >> send an HTTP 401 header.  At this point, you can also keep track of this
 >> as an "attempt" in whatever fashion you like (local database of IP
 >> addresses, for example).  Now, each time the user types a new password
 >> you'll check it, and if it's wrong you'll send another 401 header.  Keep
 >> track of how many times this happens, and if the number of attempts
 >> exceeds your limit, send a 403 (forbidden) instead of a 401.
 >
 >
 > Hi Jeremy,
 >
 > Do you have a reference or an example to demonstrate this? I've
 > extensively consulted the URL you referenced, and don't see anything to
 > suggest the functionality you're describing. From my own tests, it appears
 > that the authentication challenge pop-up does not return to the PHP script
 > until the user either enters a correct password or hits "cancel" -- so
 > there's no place to interrupt until the authentication bit is done. Am I
 > misunderstanding?
 
 That's just not true. PHP is right in the middle of it all. Yes, you are
 misunderstanding.
 
 Have fun with this:
 
 
 <?php
 // Minimal NTLM handshake in PHP: answer the browser's Type 1 message with a
 // Type 2 challenge, then read user/domain/workstation out of the Type 3.
 // NOTE: this only demonstrates the exchange. The NTLM response inside the
 // Type 3 message is never verified, so the names printed below are
 // unauthenticated: any client can claim any user name.
 $headers = apache_request_headers();
 
 if (!isset($headers['Authorization'])) {
     header('HTTP/1.1 401 Unauthorized');
     header('WWW-Authenticate: NTLM');
     exit;
 }
 
 // Read a security buffer (len, alloc, offset) at $start and return the string
 // it points to. The offset is a 32-bit field; the low 16 bits are enough for
 // messages this small.
 function get_msg_str($msg, $start, $unicode = true)
 {
     $len = (ord($msg[$start + 1]) * 256) + ord($msg[$start]);
     $off = (ord($msg[$start + 5]) * 256) + ord($msg[$start + 4]);
     $msg = substr($msg, $off, $len);
     return $unicode ? str_replace("\0", '', $msg) : $msg;   // crude UTF-16LE -> ASCII
 }
 
 $auth = $headers['Authorization'];
 if (substr($auth, 0, 5) == 'NTLM ') {
     $msg = base64_decode(substr($auth, 5));
     if (substr($msg, 0, 8) != "NTLMSSP\x00") {
         die('error header not recognized');
     }
 
     if ($msg[8] == "\x01") {                               // Type 1: negotiate
         // Type 2 message, 48 bytes. The message type is a 4-byte little-endian
         // field, so the three zero bytes after \x02 are required; without them
         // the message is 45 bytes and the target-info offset (0x30 = 48) points
         // past its end.
         $challenge = "NTLMSSP\x00\x02\x00\x00\x00" .
             "\x00\x00\x00\x00" .                        // target name len/alloc
             "\x00\x00\x00\x00" .                        // target name offset
             "\x01\x02\x81\x01" .                        // flags
             "\x00\x00\x00\x00\x00\x00\x00\x00" .        // challenge (all zero here; a real server must send random_bytes(8))
             "\x00\x00\x00\x00\x00\x00\x00\x00" .        // context
             "\x00\x00\x00\x00\x30\x00\x00\x00";         // target info len/alloc/offset
         header('HTTP/1.1 401 Unauthorized');
         header('WWW-Authenticate: NTLM ' . trim(base64_encode($challenge)));
         exit;
     }
     if ($msg[8] == "\x03") {                               // Type 3: authenticate
         $user        = get_msg_str($msg, 36);
         $domain      = get_msg_str($msg, 28);
         $workstation = get_msg_str($msg, 44);
         // Everything below is client-supplied, so escape it before echoing.
         echo '<pre>' . htmlspecialchars(print_r($msg, true)) . '</pre>';
 
         print 'You are ' . htmlspecialchars("$user from $domain/$workstation");
     }
 }
 ?>
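The retry cap Jeremy describes (count failures per client, answer 401 until the limit, then 403), written out as an added example that is not Steve's code or anything from the thread. It uses Basic auth rather than NTLM, assumes PHP 7+ running as an Apache module so `PHP_AUTH_USER`/`PHP_AUTH_PW` are populated, and the user name, password, limits and counter file are constructed placeholders.

```php
<?php
// Added example, not from the thread: HTTP Basic auth that counts failed
// attempts per client address and answers 403 instead of 401 once the cap is
// reached. User, password, limits and STORE path are constructed placeholders.
const MAX_ATTEMPTS = 5;                            // failures allowed per window
const WINDOW_SECS  = 900;                          // counter resets after 15 minutes
const STORE        = '/tmp/auth_attempts.json';    // placeholder counter store
const VALID_USER   = 'demo';                       // placeholder user name
// Placeholder secret; a real deployment stores a precomputed password_hash().
$validHash = password_hash('demo-password', PASSWORD_DEFAULT);

function read_store(): array {
    return is_file(STORE) ? (json_decode(file_get_contents(STORE), true) ?: []) : [];
}
function load_attempts(string $ip): array {
    $rec = read_store()[$ip] ?? ['count' => 0, 'first' => time()];
    if (time() - $rec['first'] > WINDOW_SECS) {     // window expired: start over
        $rec = ['count' => 0, 'first' => time()];
    }
    return $rec;
}
function save_attempts(string $ip, array $rec): void {
    $all = read_store();
    $all[$ip] = $rec;
    file_put_contents(STORE, json_encode($all), LOCK_EX);   // demo only: read/write is not race-free
}

$ip  = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
$rec = load_attempts($ip);
if ($rec['count'] >= MAX_ATTEMPTS) {
    header('HTTP/1.1 403 Forbidden');              // 403 stops the browser re-prompting
    exit('Too many failed attempts; try again later.');
}

$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? null;
$ok   = $user !== null && $pass !== null
     && hash_equals(VALID_USER, $user) && password_verify($pass, $validHash);
if (!$ok) {
    if ($user !== null) {                          // credentials were sent and rejected
        $rec['count']++;
        save_attempts($ip, $rec);
    }
    header('WWW-Authenticate: Basic realm="Demo"');
    header('HTTP/1.1 401 Unauthorized');
    exit('Authentication required.');
}
save_attempts($ip, ['count' => 0, 'first' => time()]);   // success clears the counter
echo 'Welcome, ' . htmlspecialchars($user);
```

Counting by client address penalises everyone behind a shared NAT and does nothing against failures spread over many addresses, so pair it with a per-account counter or an increasing delay.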