Posted by "Richard Lynch" on 01/20/06 23:32
On Fri, January 20, 2006 8:24 am, David BERCOT wrote:
> I use this program to force a user to authenticate :
> if (!isset($_SERVER["PHP_AUTH_USER"])) {
> header("WWW-Authenticate: Basic realm=\"Intranet SDSED\"");
> header("HTTP/1.1 401 Unauthorized");
> }
> Everything is ok except a detail : if the user makes a mistake (for
> example, a bad password), the variable $_SERVER["PHP_AUTH_USER"] is
> initialised.
> So, if he wants to do again the above test, another identification
> won't happen (because $_SERVER["PHP_AUTH_USER"] is already set).
Well, yeah.
You kind of need to send the headers if:
PHP_AUTH_USER is not set
PHP_AUTH_USER is not valid user
PHP_AUTH_PW is not set
PHP_AUTH_PW is not valid
So you've only done 25% of the job, so far. :-)
Only if all four conditions are met is the user really valid.
> I've tried :
> $_SERVER["PHP_AUTH_USER"] = NULL;
> without success...
$_SERVER should be treated as a "read-only" variable.
NEVER stuff something into it.
In this case, not only is it just a Bad Idea to stuff something in
there, it's pointless.
The *browser* sends the values for PHP_AUTH_USER and _PW on every
single request, and PHP crams whatever the browser sends into
$_SERVER.
And whatever you put in there during your last script is long long
long gone before any of this happens.
But even if it was still there, it would get over-written by the
browser->apache->php process.
--
Like Music?
http://l-i-e.com/artists.htm
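
The check described in the reply above, as an added example that is not part of the original post: the 401 challenge is re-sent whenever either credential is missing or invalid, and $_SERVER is only read, never written. The $users table, the sample password, the dummy hash and the function name is_authenticated() are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample user table (assumption): user name => password hash.
// A real application would load stored hashes from its own user store.
$users = [
    'demo' => password_hash('constructed-sample-password', PASSWORD_DEFAULT),
];

/**
 * True only when the browser sent both credentials and both are valid.
 * $server is normally $_SERVER; it is read here and never modified.
 */
function is_authenticated(array $server, array $users): bool
{
    // PHP_AUTH_USER or PHP_AUTH_PW not set: the browser sent no credentials.
    if (!isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return false;
    }
    $user = (string) $server['PHP_AUTH_USER'];
    $pw   = (string) $server['PHP_AUTH_PW'];

    // Unknown users are verified against a throwaway hash so that the
    // response time does not reveal which user names exist.
    static $dummy = null;
    $dummy ??= password_hash('constructed-dummy-value', PASSWORD_DEFAULT);
    $known = array_key_exists($user, $users);
    $hash  = $known ? $users[$user] : $dummy;

    // Invalid user or invalid password: both end up false here.
    return password_verify($pw, $hash) && $known;
}

if (!is_authenticated($_SERVER, $users)) {
    // Every failure gets the same challenge, so the browser prompts again
    // on the next request instead of the script trying to "unset" anything.
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="Intranet SDSED"');
    echo 'Authentication required.';
    exit; // stop here so the protected content below is never sent
}

echo 'Welcome, ', htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES, 'UTF-8');
```

Basic credentials travel base64-encoded, not encrypted, on every request, so this belongs behind HTTPS.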