Re: [Phplib-users] Default Auth? 7.2d
From: Jacob H. <Jac...@fi...> - 2002-02-14 22:47:17
Ok, after more hacking (yes, I'm still at it)...

It would seem that the "default authentication" setup is flawed because login_if destroys authentication. Once it's destroyed, there doesn't seem to be a way to get re-authenticated as "nobody". On my system, this forces the included loginform on every page that uses $auth, including the ones that are otherwise accessible by "nobody", such as the nice, external login form/title page I just created.

So basically, if a user who is authenticated as "nobody" attempts to access a protected page (which contains the following after page_open)

    $auth->login_if($auth->auth["uid"] == "nobody");

...authentication is destroyed and the user must log in in order to do *anything*.

The external login form I was talking about previously gets me around part of the problem, but still, if a user somehow manages to browse to a protected page, they get the simple included loginform and that's all they'll be able to get until they can get a different session.

It seems like the only answer is to not use $auth at all on non-protected pages, as Layne suggested. Although, I wish I could...

Jacob

>>> "Jacob Hanson" <Jac...@fi...> 02/14/02 12:41PM >>>

Ah! After further testing...

It seems as though having "nobody"-accessible links on your included loginform file can't work. I'm using Fred's method. If I access the other files directly, it works fine, but going through the links on the loginform, it doesn't.

Browsing the "default" page (home.php, which is protected, so the loginform will display for unauthenticated users) it turns out that I am correctly authenticated as "nobody" initially. But since I've got an if_login() hook in there to only allow authenticated users into home.php, if_login() nukes my "nobody" auth info, which breaks the public links on the loginform.

So it seems the only solution is to use welcome.php as an outside loginform (which would POST its login info to the protected page) and as the default page...and use a simple no-nonsense login form for the included loginform.

Hmmm...

--
Fred Yankowski    fr...@on...            tel: +1.630.879.1312
OntoSys, Inc      PGP keyID: 7B449345    fax: +1.630.879.1370
www.ontosys.com   38W242 Deerpath Rd, Batavia, IL 60510-9461, USA