Posted by Jochem Maas on 01/20/06 16:32

David BERCOT wrote:
> Hi,
>
> I use this program to force a user to authenticate :
> if (!isset($_SERVER["PHP_AUTH_USER"])) {
> header("WWW-Authenticate: Basic realm=\"Intranet SDSED\"");
> header("HTTP/1.1 401 Unauthorized");
> }
> Everything is ok except a detail : if the user makes a mistake (for
> example, a bad password), the variable $_SERVER["PHP_AUTH_USER"] is
> initialised.
> So, if he wants to do again the above test, another identification won't
> happen (because $_SERVER["PHP_AUTH_USER"] is already set).
> I've tried :
> $_SERVER["PHP_AUTH_USER"] = NULL;
> without succes...
>
> Do you have a clue ?

there is also $_SERVER["PHP_AUTH_PWD"] which you can check.
and rather than just checking whether $_SERVER["PHP_AUTH_USER"] is set
why not also check that the contained value is something valid?

you can start by checking that $_SERVER["PHP_AUTH_USER"] is not empty:

if (!isset($_SERVER["PHP_AUTH_USER"]) || empty($_SERVER["PHP_AUTH_USER"])) {
// send headers
}

or (pseudocode):

if (!isset($_SERVER["PHP_AUTH_USER"])
|| empty($_SERVER["PHP_AUTH_USER"])
|| !isValidUserName($_SERVER["PHP_AUTH_USER"]))
{
// send headers
}

>
> Thank you very much.
>
> David.
>

[Back to original message]