NYCPHP Meetup

[nycphp-talk] Firefox and authentication

Michele Waldman mmwaldman at nyc.rr.com
Fri Jan 30 21:30:24 EST 2009


I'm trying to switch from basic authentication to digest.  I'm working in
Firefox, which is why.

 

I'm using mod_auth_mysql for most of the account.

    # Logged in as Basic
    <Files login.php>
      AuthType Basic
      AuthName "The space"
      require group agroup
    </Files>

    # Want to call a script protected by digest
    <Files logout.php>
      AuthType Digest
      AuthName "The Space"
      AuthUserFile /home/path/.htpasswd
      Require user nonexistent
    </Files>

 

To log off, I'm using:

    olxmlHttp.open("GET", "logout.php", false, "logoff", "logoff");
    olxmlHttp.setRequestHeader('Authorization', 'Digest');
    olxmlHttp.send(null);
    // olxmlHttp.abort();  // commented out right now

In the .htaccess file I have:

 

In the domain error log I get:

Digest: client used wrong authentication scheme `Basic': /path/force_logout.php, referer: https://domain/path/

Then a popup window opens.  

When I type the wrong user/password, in the error log I get:

Digest: user `b' in realm `The Space' not found: /path/logout.php, referer: https://domain/path

 

Does anyone know how to switch between authentication types from a script?
I was thinking setRequestHeader would work.

In phpinfo() on a script in the same directory, I have:

 

HTTP Request    GET /path/file HTTP/1.1
User-Agent      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
Accept
Keep-Alive      300
Connection      keep-alive
Cookie          PHPSESSID=whatever
Authorization   Digest username="user", realm="My Site", nonce="value", uri="script", algorithm=MD5, response="value", qop=auth, nc=00000001, cnonce="value

 

What I'm not sure of is what the server is looking at.  The authorization value
in the client header?  Is that dictating what should happen?  Httpd is
complaining about the wrong authentication scheme, which makes me think of the
server-side Authenticate header, which is what I was trying for a while until I
realized I was on the client.

Can I change the headers and it will work?  Is this the right thing to do?

I dabbled a little with setting different Authorization header values.

But, I need a break and could use some advice.

Michele
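
Added example, not part of the original message: how the fields in a Digest Authorization header like the one in the phpinfo() output are derived from the server's challenge (RFC 2617, MD5, qop=auth), and what a header carrying only the word "Digest" or a Basic credential is missing. The function names are hypothetical and the sample values are the RFC 2617 test vector with qop narrowed to auth.

```javascript
// Added example, not from the original post: RFC 2617 Digest (MD5, qop=auth).
const crypto = require("node:crypto");
const md5 = (s) => crypto.createHash("md5").update(s).digest("hex");

// Split an Authorization / WWW-Authenticate value into scheme and parameters.
function parseAuthHeader(value) {
  const [scheme, ...rest] = value.trim().split(/\s+/);
  const params = {};
  const re = /(\w+)=(?:"([^"]*)"|([^\s,]+))/g;
  for (const m of rest.join(" ").matchAll(re)) params[m[1]] = m[2] ?? m[3];
  return { scheme, params };
}

// Parameters a qop=auth request must carry before the server can check it.
const REQUIRED = ["username", "realm", "nonce", "uri", "response", "qop", "nc", "cnonce"];

// Hypothetical helper: report what a Digest-protected resource would find missing.
function missingDigestFields(value) {
  const { scheme, params } = parseAuthHeader(value);
  if (scheme.toLowerCase() !== "digest") return ["scheme"]; // e.g. Basic was sent
  return REQUIRED.filter((k) => !(k in params));
}

// response = MD5(HA1 : nonce : nc : cnonce : qop : HA2); realm, nonce and qop
// come from the server's 401 challenge, not from the client.
function digestResponse({ username, password, method, uri, nc, cnonce }, challenge) {
  const { realm, nonce, qop } = challenge.params;
  const ha1 = md5(`${username}:${realm}:${password}`);
  const ha2 = md5(`${method}:${uri}`);
  return md5(`${ha1}:${nonce}:${nc}:${cnonce}:${qop}:${ha2}`);
}

// Constructed sample input: RFC 2617 section 3.5 values.
const challenge = parseAuthHeader(
  'Digest realm="testrealm@host.com", qop="auth", ' +
  'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"');
const creds = { username: "Mufasa", password: "Circle Of Life", method: "GET",
  uri: "/dir/index.html", nc: "00000001", cnonce: "0a4f113b" };

console.log("response:", digestResponse(creds, challenge));
console.log("bare 'Digest' is missing:", missingDigestFields("Digest").join(", "));
console.log("Basic credential:", missingDigestFields("Basic bG9nb2ZmOmxvZ29mZg=="));
```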

 
