This is a discussion on HTTP Authentication with multiple attempts within the PHP Language forums, part of the PHP Programming Forums category.
I have used the simple example of HTTP Authentication from the PHP website
as follows:

<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    // My authentication code here
}
?>

At the moment, if the user gets it wrong they are locked out until they
restart their browser. However, I want the user to have, say, five attempts
before being locked out. I guess I need a counter so that I can
unset($_SERVER['PHP_AUTH_USER']); if there are any attempts remaining, but
I can't work out a way to make the counter persistent across attempts.

All ideas welcome.

--
Sparkplug wrote:
> At the moment, if the user gets it wrong they are locked out until they
> restart their browser. However, I want the user to have, say, five attempts
> before being locked out. I guess I need a counter so that I can

If you use HTTP basic authentication there is no way to influence it. The
webserver handles the authentication and that's about it. There are no
options for basic authentication (at least none I am aware of) in Apache.
It's a take it (and let the server handle it its way) or leave it (and
program your own authentication, which might be less secure, buggy, prone
to database manipulation, ...).

You do have 3 tries for basic authentication though. At least that's the
way Apache handles it, I don't know about other webservers.

Bye!
On Thu, 02 Dec 2004 16:26:06 +0100, Anonymous <anonymous@nowhere.invalid>
wrote:
> Sparkplug wrote:
>
>> At the moment, if the user gets it wrong they are locked out until they
>> restart their browser. However, I want the user to have, say, five
>> attempts
>> before being locked out. I guess I need a counter so that I can
>
> If you use HTTP basic authentication there is no way to influence it.
> The webserver handles the authentication and that's about it. There are
> no options for basic authentication (at least none I am aware of) in
> Apache. It's a take it (and let the server handle it its way) or leave
> it (and program your own authentication, which might be less secure,
> buggy, prone to database manipulation, ...).
>
> You do have 3 tries for basic authentication though. At least that's the
> way Apache handles it, I don't know about other webservers.

I'm running Apache on W2K for development and Linux for production and in
each case it only gives me one shot. Any more ideas?

--
Using Opera's revolutionary e-mail client: http://www.opera.com/m2/
"Sparkplug" <sparkplug@nowhere.net> wrote in message
news:opsidypgpufps5jf@cblaptop...
> I have used the simple example of HTTP Authentication from the PHP website
> as follows:
>
> <?php
> if (!isset($_SERVER['PHP_AUTH_USER'])) {
>     header('WWW-Authenticate: Basic realm="My Realm"');
>     header('HTTP/1.0 401 Unauthorized');
>     echo 'Text to send if user hits Cancel button';
>     exit;
> } else {
>     // My authentication code here
> }
> ?>
>
> At the moment, if the user gets it wrong they are locked out until they
> restart their browser. However, I want the user to have, say, five attempts
> before being locked out. I guess I need a counter so that I can
> unset($_SERVER['PHP_AUTH_USER']); if there are any attempts remaining, but
> I can't work out a way to make the counter persistent across attempts.
>
> All ideas welcome.
>

I don't see why the user would get locked out. HTTP is stateless. Each
request is independent of the others. IE does not bring up the
authentication dialog box again after three failed attempts, but it will
do so again if you refresh the page. Netscape on the other hand would keep
showing the dialog box as long as it's receiving the status code 401.

Perhaps the problem here is your code. Are you sending 401 when the
username/password pair is incorrect? The absence of PHP_AUTH_USER needn't
really be handled separately. No username/password is--for the most
part--the same as a wrong username/password.

As for limiting the number of attempts, the only effective way to do this
is to save the time of each attempt in a database or a file on the server,
then count the number of attempts within a given time period.
On Thu, 2 Dec 2004 20:32:46 -0500, Chung Leong <chernyshevsky@hotmail.com>
wrote:
> "Sparkplug" <sparkplug@nowhere.net> wrote in message
> news:opsidypgpufps5jf@cblaptop...
>> I have used the simple example of HTTP Authentication from the PHP
>> website
>> as follows:
>>
>> <?php
>> if (!isset($_SERVER['PHP_AUTH_USER'])) {
>>     header('WWW-Authenticate: Basic realm="My Realm"');
>>     header('HTTP/1.0 401 Unauthorized');
>>     echo 'Text to send if user hits Cancel button';
>>     exit;
>> } else {
>>     // My authentication code here
>> }
>> ?>
>>
>> At the moment, if the user gets it wrong they are locked out until they
>> restart their browser. However, I want the user to have, say, five
>> attempts
>> before being locked out. I guess I need a counter so that I can
>> unset($_SERVER['PHP_AUTH_USER']); if there are any attempts remaining,
>> but
>> I can't work out a way to make the counter persistent across attempts.
>>
>> All ideas welcome.
>>
>
> I don't see why the user would get locked out. HTTP is stateless. Each
> request is independent of the others. IE does not bring up the
> authentication dialog box again after three failed attempts. But it will
> do
> so again if you refresh the page. Netscape on the other hand would keep
> showing the dialog box as long as it's receiving the status code 401.
>
> Perhaps the problem here is your code. Are you sending 401 when the
> username/password pair is incorrect? The absence of PHP_AUTH_USER
> needn't really be handled separately. No username/password is--for the
> most part--the same as a wrong username/password.
>
> As for limiting the number of attempts, the only effective way to do
> this
> is to save the time of each attempt in a database or a file on the
> server,
> then count the number of attempts within a given time period.

Bingo! I wasn't sending the headers after an unsuccessful attempt.
The code should look like this:

<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    // My authentication code here (sets $AuthenticationFailed)
    if ($AuthenticationFailed == true) {
        header('WWW-Authenticate: Basic realm="My Realm"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'You are not authorised to access this page.';
        exit;
    }
}
?>

Many thanks.

--
Using Opera's revolutionary e-mail client: http://www.opera.com/m2/
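The approach Chung Leong describes and Sparkplug's corrected code arrive at (one 401 challenge for missing and wrong credentials alike), extended with the server-side attempt counter Chung Leong suggests: an added PHP example, not code from the thread. It assumes PHP 7.4 or later, a constructed single-user table, a hypothetical attempt-log path under /tmp, a limit of five failures in fifteen minutes, and REMOTE_ADDR as the client key (which is wrong behind a proxy).

```php
<?php
// Added example (not from the thread): Basic auth that answers 401 for missing
// and wrong credentials alike and counts failures per client in a server-side file.
const REALM        = 'My Realm';
const MAX_FAILURES = 5;    // failures allowed ...
const WINDOW_SECS  = 900;  // ... within this many seconds
const ATTEMPT_LOG  = '/tmp/auth_attempts.json';   // hypothetical path
// Constructed user table: store password_hash() output, never the plaintext.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
function loadLog(): array {
    $raw = is_file(ATTEMPT_LOG) ? file_get_contents(ATTEMPT_LOG) : '';
    return json_decode($raw, true) ?: [];
}
// Failure timestamps for this client that are still inside the window.
function recentFailures(string $client, int $now): array {
    $times = loadLog()[$client] ?? [];
    return array_values(array_filter($times, fn($t) => $t > $now - WINDOW_SECS));
}
function recordFailure(string $client, int $now): void {
    $log = loadLog();
    $log[$client] = recentFailures($client, $now);   // drop expired entries
    $log[$client][] = $now;
    file_put_contents(ATTEMPT_LOG, json_encode($log), LOCK_EX);
}
function deny(int $status, string $body): void {
    if ($status === 401) {
        header('WWW-Authenticate: Basic realm="' . REALM . '"');
    }
    http_response_code($status);
    echo $body;
    exit;
}

$client = $_SERVER['REMOTE_ADDR'] ?? 'unknown';   // assumption: no proxy in front
$now    = time();
if (count(recentFailures($client, $now)) >= MAX_FAILURES) {
    deny(429, 'Too many failed attempts; try again later.');
}

// Missing and wrong credentials take the same path: a fresh 401 challenge.
// password_verify() against '' is false, so unknown users fail the same way.
$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';
if (!password_verify($pass, $users[$user] ?? '')) {
    recordFailure($client, $now);
    deny(401, 'You are not authorised to access this page.');
}
echo 'Welcome, ' . htmlspecialchars($user);
```

The failure count lives on the server because a counter kept in a cookie is under the client's control and can simply be discarded. The file read and write are not atomic, so a busy site would use the database Chung Leong mentions instead.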
Sparkplug <sparkplug@nowhere.net> wrote in message news:<opsidypgpufps5jf@cblaptop>...
> At the moment, if the user gets it wrong they are locked out until they
> restart their browser. However, I want the user to have, say, five attempts
> before being locked out. I guess I need a counter so that I can
> unset($_SERVER['PHP_AUTH_USER']); if there are any attempts remaining, but
> I can't work out a way to make the counter persistent across attempts.

The answer to the "persistent" question will always be: cookie or session.

You could send a cookie with the 401 and check it. Or use a session...