Re: [PHPLIB] preauth problem..
From: Humberto Ortiz Zuazaga (hortiz <email protected>)
Date: 10/29/99

> I've been having this problem for quite some time. Well, I've user
> authenticate to default user id (nobody) on my main page. Then I'll have a
> link to a protected page, which by right will automatically bring the
> login page. My problem is, the login page never appeared. I've put the
> $auth->login_if(true) right after my page_open(), but still it does not
> work. Could somebody help me with this?

I had the same problem, it's caused by not understanding correctly the
interaction between Example_Default_Auth and Example_Auth.

<DANGER>
If you have any page on your site that uses default authentication, then auth
is not sufficient to protect any other page; you must use perm to protect pages.
</DANGER>

Section 1.4 of the phplib v7 manual is quite clear:

Creating a protected session page

  Begin that page with

  <?php
     page_open(
       array("sess" => "Example_Session",
             "auth" => "Example_Auth",
             "perm" => "Example_Perm"));
     $perm->check("desired protection");
  ?>

  and end that page with

    <?php page_close(); ?>

However, when I started writing my pages, I read the section on
authentication, and thought that the following fragment was sufficient:

<!-- page A -->
<?php
  // Opens the session with Example_Auth only: no "perm" and no $perm->check()
  page_open(array("sess" => "Example_Session",
                  "auth" => "Example_Auth"));
?>
<h1>Page A</h1>

<p>You are logged in as <b><?php print $auth->auth["uname"]; ?></b></p>

<?php
  page_close();
?>

What's particularly bad is that if this is the only page on your site, it
works as intended. You must log in before you can see the page. However, as
soon as you add any page (page B) to your site with default authentication,
then users entering page B first and then page A will be allowed into page A
(as nobody) without logging in.

<!-- page B -->
<?php
  page_open(array("sess" => "Example_Session",
                  "auth" => "Example_Default_Auth"));
?>
<h1>Page B</h1>

You are logged in as <b><?php print $auth->auth["uname"]; ?></b>

<?php
  page_close();
?>

What's even weirder, if you log out, then try accessing A, and at the login
screen, try to access B and you'll be prompted for a password. You won't be
able to see page B until you log out again, or close your browser (is there
any way to get rid of session cookies without restarting the browser?)

Section 3.8 of the docs should be modified to include a warning about default
authentication. In particular the example "How is the auth class used
usually?" should use $perm->check() like 1.4, the
$auth->login_if($auth->auth["uid"] == "nobody"); trick, or at least warn about
default authentication.

-- 
Humberto Ortiz Zuazaga
Bioinformatics Specialist
Institute of Neurobiology
hortiz <email protected>
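
The interaction described in this message, as an added example that is not part of the original post and is not PHPLIB's own code: a simplified model in which both auth classes share one auth record in the session, run against page A guarded three ways. The helper names (open_page, has_perm, page_a, page_b), the "perm" field layout and the "user" permission name are assumptions made for the illustration.

```php
<?php
// Simplified model (an assumption, not PHPLIB source): Example_Auth and
// Example_Default_Auth both read and write one auth record in the session.

// Stand-in for page_open(): $nobody = true models Example_Default_Auth,
// false models Example_Auth. Returns the uid the page runs as, or null
// when the login form would be shown instead.
function open_page(array &$session, bool $nobody): ?string {
    if (!empty($session['auth']['uid'])) {
        return $session['auth']['uid'];   // any stored uid counts as logged in
    }
    if ($nobody) {
        $session['auth'] = ['uid' => 'nobody', 'perm' => ''];
        return 'nobody';
    }
    return null;
}

// Stand-in for $perm->check(): does the session hold the named permission?
function has_perm(array $session, string $required): bool {
    $held = explode(',', $session['auth']['perm'] ?? '');
    return in_array($required, $held, true);
}

// Page A with one of three guards: auth only, the login_if trick, or perm.
function page_a(array &$session, string $guard): string {
    $uid = open_page($session, false);
    if ($uid === null) return 'login form';
    if ($guard === 'login_if' && $uid === 'nobody') return 'login form';
    if ($guard === 'perm' && !has_perm($session, 'user')) return 'permission denied';
    return "page A shown to $uid";
}

// Page B uses default authentication and stores "nobody" in the session.
function page_b(array &$session): string {
    return 'page B shown to ' . open_page($session, true);
}

foreach (['auth-only', 'login_if', 'perm'] as $guard) {
    $fresh = [];
    $direct = page_a($fresh, $guard);    // visitor goes straight to page A
    $session = [];
    page_b($session);                    // visitor passes through page B first
    $viaB = page_a($session, $guard);
    printf("%-9s direct: %-10s via B: %s\n", $guard, $direct, $viaB);
}
```

Only the auth-only variant serves page A to "nobody" after a visit to page B; the other two guards stop that request.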
