Re: [PHPLIB] PHPLIB auth and spiders... From: Fabrizio Ermini (f.ermini <email protected>)
Date: 11/04/99

Remember the old discussion about spiders? After having developed my site
almost completely (using phplib 7.0 + some newer stuff from CVSweb,
notably session.inc), I decided to try Kristian's hint:

>
> You will still see the login screen when you are using auth_validatelogin().
> Letting in a spider should be done with auth_preauth(),

Where auth_preauth should check if the user_agent is my search engine,
and in that case use $PHP_AUTH_USER and $PHP_AUTH_PASSWD for validation
purposes.

The problem is: if I try to upgrade to 7.2 to get advantage of
auth_preauth, my site stop working as expected...

A fast summary: the site is a news service, where part of the news are
protected (available only to subscribers, that is), others are free to
the public. This scenario is perfect for default auth; in fact, I used a
code like this on top of the page that loads the piece of news from the
db:

<?
        $db->query("select * from newscollection where id='$id';");
        $db->next_record();
        page_open(array("sess" => "My_Session",
                        "auth" => "My_Default_Auth",
                        "perm" => "My_Perm",
                        "user" => "My_User"));
        $auth->login_if($db->f("free")!="true");
?>

This way, if the articles are free, the loginform is never seen from the
user; whenever it hits a protected page, he is asked his password. If a
user is already registered, login_if would quietly accept the old
authentication.

As far as I've seen, this kind of behaviour is not possible in phplib
7.2. In fact, login_if calls an unauth() every time, so what I got was a
perpetual login form in every page under protection. Then I tried to
comment out the unauth() row in login_if, but the cure was worse: at that
point everybody could enter in the protected pages as nobody.

How should I change my protection scheme to fit under the 7.2 defauth
model? Should I change something in the loginform? Note: I don't want to
use perms, since I want the loginform to pop up if a user hits a
protected page, and not the perminvalid page.

Thanks a lot....
PS: my 2*10^-12 cent: I think the second logo by Nathaniel is the best...
:-)

bye!

\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

  Fabrizio Ermini e-mail:
  C.so Umberto, 7 f.ermini <email protected>
  loc. Meleto Valdarno faermini <email protected>
  52020 Cavriglia (AR) ICQ UIN: 24.64.37
  ITALY

-
PHP3 Base Library Mailing List. Send messages to <phplib <email protected>>.
To unsubscribe, send "unsubscribe" to <phplib-request <email protected>> in
the body, not the subject, of your message.