
I would like to set it up so that if someone sends in a request "logout" it will automatically take them to a page saying "successful log out". If the customer tries to press the back button or go to the restricted area, it will ask for HTTP auth again.

What I have so far is this:

example.com/restricted/index.php:

<?php   
    session_start();

    if(isset($_GET['logout']))
    {
        unset($_SESSION["login"]);
        header("location: ../logout.php");
        exit;
    }

    if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) || !isset($_SESSION["login"]))
    {

        header("HTTP/1.0 401 Unauthorized");
        header("WWW-authenticate: Basic realm=\"Tets\"");
        header("Content-type: text/html");
        $_SESSION["login"] = true;
        // Print HTML that a password is required
        exit;
    }
?>
// The rest of the page is then displayed like normal

The user successfully visits example.com/logout.php if example.com/restricted/index.php?logout is accessed. When the user tries to go back, however, random things happen: sometimes it will ask for HTTP authentication twice (???), sometimes it will keep asking for authentication in a loop (?) and sometimes it will let me go right back as if I never logged out.

I am new to how sessions work but my understanding is this: if/when the person is validated, it stores a variable in its session called login with a value of true... if it ever gets a GET request with logout, it will then delete that session variable and go back to logout.php... Why is it, then, that when I click back to the index it lets me back in without asking for authentication, when session[login] is supposedly not set?

Any improvement to this PHP code is appreciated. I know I shouldn't use HTTP Basic and should incorporate SQL, but meh. This is a temporary solution.

Edit: I will accept a solution with MySQL if an example with instructions is included. I have no MySQL or PHP database knowledge (yet).

  • Without sessions, your best bet is to change the basic realm string. Commented Aug 16, 2010 at 4:50
  • Isn't it so much effort for just a temporary solution? Commented Aug 16, 2010 at 4:54
  • @stillstanding the main problem is WHEN to send it. How to distinguish a call from a logged in user and a call from a logged out one :) Commented Aug 16, 2010 at 4:56
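A corrected restricted page, added here as an example; it is not code from the question or from any answer. It assumes PHP 7.1 or later and one hard-coded account as in the answers: L_USER and L_PASS_HASH are placeholder names, the login flag is only set after the credentials verify (the question's code sets it before), and the realm counter implements the realm-change idea from the comment above so the browser cannot silently re-send cached credentials after logout.

```php
<?php
// Added example: one hard-coded account. L_USER and L_PASS_HASH are placeholder
// names; put real password_hash() output into L_PASS_HASH before use.
session_start();
const L_USER = 'TheUsername';
const L_PASS_HASH = '$2y$10$REPLACE_WITH_password_hash_OUTPUT';

// Browsers cache Basic credentials per realm string, so changing the realm
// after logout forces a fresh prompt instead of silently reusing the old ones.
if (!isset($_SESSION['realm_gen'])) {
    $_SESSION['realm_gen'] = 1;
}

function demandAuth(int $gen): void
{
    header('WWW-Authenticate: Basic realm="Restricted ' . $gen . '"');
    header('HTTP/1.0 401 Unauthorized');
    header('Content-Type: text/html; charset=utf-8');
    echo '<h1>401 Unauthorized</h1><p>Authentication required.</p>';
    exit;
}

if (isset($_GET['logout'])) {
    $gen = $_SESSION['realm_gen'] + 1;
    $_SESSION = [];                    // drops the login flag
    session_regenerate_id(true);       // the old session id is no longer valid
    $_SESSION['realm_gen'] = $gen;     // new realm for the next prompt
    $_SESSION['force_reauth'] = true;  // reject the browser's cached credentials once
    header('Location: ../logout.php');
    exit;
}

if (!empty($_SESSION['force_reauth'])) {
    unset($_SESSION['force_reauth']);
    demandAuth($_SESSION['realm_gen']);
}

if (empty($_SESSION['login'])) {
    // Check the credentials first; the flag is set only after they verify.
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    if (!hash_equals(L_USER, $user) || !password_verify($pass, L_PASS_HASH)) {
        demandAuth($_SESSION['realm_gen']);
    }
    $_SESSION['login'] = true;
}
// The restricted page content follows here.
```

Pressing back after logout now hits the force_reauth branch, which answers the browser's replayed credentials with a 401 under a new realm, so the user is prompted again rather than let straight back in.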

3 Answers


A rough idea to start you:

<?php   
  session_start();

  if( isset( $_GET['logout'] ) )
  {
    session_destroy();
    header('Location: ../logout.php');
    exit;
  }

  if( !isset( $_SESSION['login'] ) )
  {
    if( !isset( $_SERVER['PHP_AUTH_USER'] ) || !isset( $_SERVER['PHP_AUTH_PW'] ) )
    {
      header("HTTP/1.0 401 Unauthorized");
      header("WWW-authenticate: Basic realm=\"Tets\"");
      header("Content-type: text/html");
      // Print HTML that a password is required
      exit;
    }
    else
    {
      // Validate the $_SERVER['PHP_AUTH_USER'] & $_SERVER['PHP_AUTH_PW']
      if( $_SERVER['PHP_AUTH_USER']!='TheUsername'
          || $_SERVER['PHP_AUTH_PW']!='ThePassword' )
      {
        // Invalid: 401 Error & Exit
        header("HTTP/1.0 401 Unauthorized");
        header("WWW-authenticate: Basic realm=\"Tets\"");
        header("Content-type: text/html");
        // Print HTML that a username or password is not valid
        exit;
      }
      else
      {
        // Valid
        $_SESSION['login']=true;
      }
    }
  }
?>
// The rest of the page is then displayed like normal

7 Comments

How would I validate PHP_AUTH_USER and PHP_AUTH_PW without parsing an .htpass and such?
If it is a temporary solution, and you only need one set of Username/Password, just do something like if( $_SERVER['PHP_AUTH_USER']!='TheUsername' || $_SERVER['PHP_AUTH_PW']!='ThePassword' ) { /* 401 Error & Exit */ } else { $_SESSION['login']=true } Personally, I have not used PHP_AUTH_USER/PHP_AUTH_PW before, I tend to just have a form which passes me their Username and Password through $_GET or $_POST - Much simpler.
@Brian save login and pass in the db?
@Col as stated; I don't have a db. @Lucanos, no, this one will just be one set.
@Brian: Code in comment above (in response to your request) now incorporated into the code in my Answer.

I've found a way around it.

I have 2 files: index.php and logout.php

Here is my 'index.php' code:

<?php
session_start();

// L_USER / L_PASS are assumed to be defined elsewhere; placeholder values are
// shown here. L_PASS holds md5() of the password, matching the comparison below.
defined('L_USER') || define('L_USER', 'TheUsername');
defined('L_PASS') || define('L_PASS', md5('ThePassword'));

# CHECK LOGIN.
if (!isset($_SESSION["loged"])) {
    $_SESSION["loged"] = false;
} else {
    if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
        // Strict comparison: '==' between hash strings is open to type juggling.
        if (($_SERVER['PHP_AUTH_USER'] === L_USER) && (md5($_SERVER['PHP_AUTH_PW']) === L_PASS)) {
            $_SESSION["loged"] = true;
        }
    }
}
if ($_SESSION["loged"] === false) {
    header('WWW-Authenticate: Basic realm="Need authorization"');
    header('HTTP/1.0 401 Unauthorized');
    die('<br /><br />
    <div style="text-align:center;">
       <h1 style="color:gray; margin-top:-30px;">Need authorization</h1>
    </div>');
}

And here is my 'logout.php' code:

<?php
session_start();
$_SESSION["loged"] = false; // We can't use unset($_SESSION) when using HTTP_AUTH.
session_destroy();



You can use the meta tag http-equiv="refresh" with a very short response time (e.g. content="1"). This refresh will clear any $_POST.

<?php
// Re-prompt when there are no credentials, they are wrong, or a logout was posted.
if ( !isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER']!='myusername' || $_SERVER['PHP_AUTH_PW']!='mypassword' || isset($_POST['logout']) ) {
    header('WWW-Authenticate: Basic realm="My protected area"');
    header('HTTP/1.0 401 Unauthorized');
    echo '<html><head><title>401 Unauthorized</title><meta http-equiv="refresh" content="1"></head><body><h1>401 Unauthorized</h1><p>You are not allowed to see this page. Reload the page to try again.</p></body></html>';
    exit();
}
