
PHP/HTML methods in Basic mode user authentication


Richard Bowser


I have a login script called auth.php which a friend gave me.  Yet whenever I try to use it on my local WAMP5 system v 1.66 (current) it seems to unbalance either my Apache localhost server or my browser client (on both IE7 & FF 2.0).  The script relies on Basic authentication (not digest).  I strongly suspect there’s something pretty marginal in the coding, because I get such widely varying results even with minor diagnostic tweaks.  It seems to perturb the challenge-response interaction of client and my Apache server.  For example, if I change the line that calls displayLogin() on unset Login variables to print ‘Not set<br>’; then the login dialog is not displayed and the script just sails right through to completion.  I do NOT comprehend this behavior.

I have been searching on the web for a while and have not found any example login scripts to copy that use RFC 2617-style Basic authentication.  Neither have I been able to locate any documentation describing how to write a login script (for the server side) using RFC 2617 Basic authentication that forces the client to invoke its built-in login dialog process, either in any PHP documentation or in any HTML documentation.  My problem is that on my test machine, the implicit login state machine always fails to accept any input whatsoever.  I want to determine whether my Apache has a problem, or the donated script is bad.  Therefore, I would love to find a sample script to emulate.  I would be happy with either a PHP script, or even a pure html script.

I want to maintain my own MySQL users database, and really I only want the native browser dialog to return whatever values the user enters in $PHP_AUTH_USER and $PHP_AUTH_PW.  It is possible that this is really an Apache configuration problem.  But it is also conceivable that I just don’t comprehend the real problem.  In any case, I would like to see some known valid login scripts that use this method.  I am fully aware that Digest mode is more secure, but I’d like to get a Basic mode script working first before moving on to Digest.

The script is below for anyone who wants to peruse it.  Any comments would be very much appreciated!

auth.php:

<?php
function displayLogin() {
// Send the challenge and the 401 status; the browser then opens its own login dialog.
header("WWW-Authenticate: Basic realm=\"Authorization Required\"");
header("HTTP/1.0 401 Unauthorized");
echo "<h2>Authentication Failure</h2>";
echo "The username and password provided did not work. Please reload this page and try again.";
exit;
}

$db = mysql_connect('127.0.0.1','root','') or die("Couldn't connect to the database.");
mysql_select_db('userdb') or die("Couldn't select the database");

// With register_globals off (the PHP default since 4.2) the credentials only exist in
// $_SERVER; the bare variables $PHP_AUTH_USER / $PHP_AUTH_PW are never set, so the
// original test always took the "not set" branch.
if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW'])) {
// If username or password hasn't been set, display the login request.
displayLogin();
} else {
// Escape the username before it goes into the query; the password is hashed
// (md5 matches the existing passwd column; a salted password hash is the stronger choice).
$user = mysql_real_escape_string($_SERVER['PHP_AUTH_USER'], $db);
$pw = md5($_SERVER['PHP_AUTH_PW']);

// Check username and password against the database.
$result = mysql_query("SELECT * FROM users WHERE passwd='$pw' AND username='$user'", $db) or die("Couldn't query the user-database.");
// mysql_result($result, 0) returned the first column of the first row and warned on an
// empty result; counting rows is what the test below actually needs.
$num = mysql_num_rows($result);

if ($num == 0) {
// If there were no matching users, show the login
displayLogin();
}
}

// All code/html below will only be displayed to authenticated users.

?>

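The kind of script the post asks for, added here as an example rather than code from the thread, the PHP manual or WAMP5: a complete RFC 2617 Basic authentication handler that reads the credentials from $_SERVER (the only place PHP puts them when register_globals is off, the default since PHP 4.2, which is why a check on the bare $PHP_AUTH_USER variable never sees them), falls back to decoding the raw Authorization header for CGI/FastCGI setups that do not populate PHP_AUTH_USER, and looks the user up with a prepared statement instead of interpolating the username into SQL. It assumes PHP 7.1 or later with the pdo_sqlite extension; the in-memory SQLite users table, the user alice and her password are constructed stand-ins for the poster's MySQL userdb, and the function names (credentialsFrom, validUser, authenticate, emit) are this example's own. Run from the command line it walks through the challenge-response rounds offline; under a web server it answers the real request.

```php
<?php
// Added example, not the poster's auth.php: HTTP Basic authentication in PHP
// that reads credentials from $_SERVER (where PHP places them when
// register_globals is off, the default since PHP 4.2) and checks them against
// a users table through a prepared statement.

const REALM = 'Authorization Required';

// Constructed stand-in for the poster's MySQL "userdb": an in-memory SQLite
// table with one user whose password is stored as a password_hash() digest.
function openUserDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, passwd TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (username, passwd) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Pull (user, password) out of the request, or null when none were sent.
// The Apache module SAPI fills PHP_AUTH_USER/PHP_AUTH_PW; CGI/FastCGI setups
// often expose only the raw header, so fall back to parsing HTTP_AUTHORIZATION.
function credentialsFrom(array $server): ?array {
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    $hdr = $server['HTTP_AUTHORIZATION'] ?? '';
    if (stripos($hdr, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($hdr, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2);   // RFC 2617: userid ":" password
}

// Look the user up with a bound parameter (no string interpolation into SQL)
// and compare the password against the stored hash.
function validUser(PDO $db, string $user, string $pass): bool {
    $stmt = $db->prepare('SELECT passwd FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        // Unknown user: still run a hash check so the response time does not
        // reveal which usernames exist.
        password_verify($pass, password_hash('', PASSWORD_DEFAULT));
        return false;
    }
    return password_verify($pass, $hash);
}

// Decide the response for one request: [status, headers, body].
function authenticate(array $server, PDO $db): array {
    $challenge = [401, ['WWW-Authenticate: Basic realm="' . REALM . '"'], 'Authentication required'];
    $creds = credentialsFrom($server);
    if ($creds === null) {
        return $challenge;          // round trip 1: the browser opens its dialog
    }
    [$user, $pass] = $creds;
    if (!validUser($db, $user, $pass)) {
        return $challenge;          // wrong credentials: prompt again
    }
    return [200, [], 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8')];
}

// Send the decision as an HTTP response (status and headers before any output).
function emit(array $response): void {
    [$status, $headers, $body] = $response;
    http_response_code($status);
    foreach ($headers as $h) {
        header($h);
    }
    echo $body;
}

$db = openUserDb();
if (PHP_SAPI === 'cli') {
    // Walk through the exchange offline with constructed requests.
    $first = authenticate([], $db);
    echo "request 1 -> {$first[0]} {$first[1][0]}\n";        // 401 plus the challenge
    $second = authenticate(['PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'correct horse'], $db);
    echo "request 2 -> {$second[0]}\n";                       // 200
    $third = authenticate(['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:wrong')], $db);
    echo "request 3 -> {$third[0]}\n";                        // 401 again
} else {
    emit(authenticate($_SERVER, $db));
}
```

The exchange the script drives is the one the post describes: a request without credentials gets a 401 with a WWW-Authenticate header, the browser shows its dialog and resends the request with an Authorization header, and the server either accepts or challenges again. Printing something other than the 401 on the "not set" path, as the post's diagnostic tweak did, therefore never triggers the dialog, because the challenge is what makes the browser prompt.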

[quote author=neylitalo link=topic=123725.msg511876#msg511876 date=1169595578]
oldmanice is a regular offender - he keeps coming back and we keep banning him. He's gone now. Don't be surprised if he pops up again.
[/quote]
why don't you block the IP? is that not as effective as it should be?

Folks, is there a problem with my question?  If it’s too long, let’s simplify it: I’ve read the tutorials, studied the manuals, asked friends, and spent prodigious amounts of time experimenting and carefully testing every hypothesis I or my friends could generate.  I admit I have not read through the source code of Apache and Firefox 2.0.  But now I’m just trying to locate which particular haystack I need to search in for this particular elusive needle.

This is NOT a casual or unthinking question.  I even posted a question in PHP freaks forum questions asking what was the best forum to post my question in, and I was told to try here.  I would have no problem being told "RTFM", that is – if I had a manual to read.  I would love to find one!  (Yes, I do have a copy of RFC2716 and I have studied it, painstakingly.) 

Can anyone tell me where I can find documentation or script examples of how to authenticate users via built-in RFC2716 Basic authorization dialogs?

I found it!  I recently spent over 2 weeks just searching for HTTP authentication in PHP and I couldn't find it.  But after all the dialog this post generated, it made me think "maybe I'm missing something".  And so I went searching again.  Then I discovered that chapter 34 in the PHP manual is entitled "HTTP authentication with PHP".  :-[

Thanks everyone. (Even you, oldmanice.  You made me [i]start[/i] thinking "maybe I'm approaching this all wrong"!)

Richard Bowser
May God bless EVERYBODY.

[quote author=Richard Bowser link=topic=123725.msg512006#msg512006 date=1169612628]
I found it!  I recently spent over 2 weeks just searching for HTTP authentication in PHP and I couldn't find it.  But after all the dialog this post generated, it made me think "maybe I'm missing something".  And so I went searching again.  Then I discovered that chapter 34 in the PHP manual is entitled "HTTP authentication with PHP".  :-[

Thanks everyone. (Even you, oldmanice.  You made me [i]start[/i] thinking "maybe I'm approaching this all wrong"!)

Richard Bowser
May God bless EVERYBODY.
[/quote]
that's awesome that you figured it out!!! but please... leave the religious stuff out of the forums.. some people may get offended.
