Header statement and Realm



#1
fay47

I found the following php example of using the Header statement to give a login box.
Header( 'WWW-Authenticate: Basic realm="my realm' );
Header( 'HTTP/1.0 401 Unauthorized' );

Can someone tell me what the realm is for? In testing it appears that all it did was change the prompt on the login screen.

Thanks, Fay

#2
The Architect

Here's what you posted:

Header( 'WWW-Authenticate: Basic realm="my realm' );

Here's how it should be written:

Header( 'WWW-Authenticate: Basic realm="my realm"' );

Unless this was simply a transposition error in your post, your authentication will not perform as intended.

Edited by The Architect, 22 February 2006 - 04:10 PM.


#3
fay47

I had it correct in my actual code and it worked ok. But just wondering what the realm is actually for.

Thanks,
Fay

#4
The Architect

OK - had to check!!

Understanding how this type of authentication works can be a bit difficult - at least I found it to be - so I'll try to keep things simple - if you want additional info, I can point you to a couple of good sites....

When allowing users to access a server for the purpose of retrieving data or other resources, it may often be desirable (or necessary!) to "split up" the contents of the protected area, which allows different users or user groups to access different parts. This is done by defining a REALM.

A simple analogy would be granting access to a list of telephone numbers (one realm) and addresses (a second realm) - all contained in a protected directory.

In addition to splitting up the contents of a protected area, realm will output a string (let's call it a challenge!) that will tell the requester what area they are attempting to access, so that they will know what username and password to use - by the way, in your code, the "Basic" is a standard way of telling the server to expect a username and password as a means of authentication. So, in your example, "my realm" is a protected area - it could as easily have been called "e-mail addresses" or "recipes".

#5
fay47

Ok, let me see if I understand you.

First, this is what I did. I have a table that contains userids and passwords. After the user enters the data in the login screen I look up the userid in the table and compare the password the user entered against the password from the table.

If I am understanding you - for the realm to have any meaning - it would have to be programmed into the verification code. So for instance, I could add a field to my password table that would correspond to the realm. In other words my password table could contain something like:
userid   passwd   realm
------   ------   ------
user1    passa    realm1
user2    passa    realm1
user3    passa    realm1
user1    passb    realm2
user3    passb    realm2

Then to pull the record from the password table, I would pull the record based on both userid and realm. Verifications which use realm1 would give user1, user2 and user3 access, but if realm2 was used only user1 and user3 would have access. And the realm displayed on the login screen would let the user know which password to use - user1 would know whether to use passa or passb based on whether it was realm1 or realm2. Is that what you are saying?

So the realm really has no built-in meaning except as to what is displayed on the login screen. For it to have any effect on anything it would have to have php code to check for it.

Please let me know if I have understood you correctly or not.

Thanks for your reply.

Fay

#6
The Architect


Verifications which use realm1 would give user1, user2 and user3 access, but if realm2 was used only user1 and user3 would have access. And the realm displayed on the login screen would let the user know which password to use - user1 would know whether to use passa or passb based on whether it was realm1 or realm2. Is that what you are saying?


That's correct. Good way of putting it!

I must warn you that the Basic Access Authentication scheme you appear to be using (based on your original post) is a fairly weak method of protection, because the user id's and passwords, when sent over the server, are not encrypted. A better, but not necessarily foolproof method, is what is called Digest Access Authentication. An excellent article that explains both methods is found here:

Basic and Digest Authentication Methods

I hesitate to offer the above, as the article is fairly technical in nature (although very well written with tons of examples), but feel it's worthwhile reading for anyone attempting to restrict access by users. There is a lot in the article that you can skip over...
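An added example, not code posted in this thread, showing in PHP the realm-keyed lookup fay47 describes in post #5 and confirmed above, together with why Basic credentials are only base64-encoded (the caveat raised in this post). The $ACCOUNTS array is a constructed stand-in for her userid/passwd/realm table, and the helper names (basicCredentials, requireBasicAuth) are this example's own.

```php
<?php
// Added example (not from the thread): fay47's scheme, with the record looked
// up by (userid, realm). $ACCOUNTS stands in for her password table, storing
// hashes rather than plain passwords; helper names are this example's own.

$ACCOUNTS = [ // userid => [realm => password hash]
    'user1' => ['realm1' => password_hash('passa', PASSWORD_DEFAULT),
                'realm2' => password_hash('passb', PASSWORD_DEFAULT)],
    'user2' => ['realm1' => password_hash('passa', PASSWORD_DEFAULT)],
    'user3' => ['realm1' => password_hash('passa', PASSWORD_DEFAULT),
                'realm2' => password_hash('passb', PASSWORD_DEFAULT)],
];
// Verified against when the (userid, realm) pair is missing, so an unknown
// userid costs the same time as a wrong password.
$DUMMY_HASH = password_hash('not-a-real-password', PASSWORD_DEFAULT);

// Returns [user, password] from the request, or null if none was sent.
function basicCredentials(): ?array
{
    if (isset($_SERVER['PHP_AUTH_USER'])) {
        return [$_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ?? ''];
    }
    // Under CGI/FastCGI PHP may only expose the raw header. It is plain
    // base64 of "user:password", not encryption: the weakness post #6 warns
    // about, which is why Basic should only be served over HTTPS.
    $h = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    if (stripos($h, 'Basic ') !== 0) { return null; }
    $decoded = base64_decode(substr($h, 6), true);
    return ($decoded !== false && strpos($decoded, ':') !== false)
        ? explode(':', $decoded, 2) : null;
}

// Challenge the browser. The realm is what it shows in the prompt and the key
// under which it caches the credentials, so realm1 and realm2 get separate
// prompts and separate cached logins even on the same host.
function requireBasicAuth(array $accounts, string $dummyHash, string $realm): string
{
    [$user, $pass] = basicCredentials() ?? ['', ''];
    $hash = $accounts[$user][$realm] ?? null;
    $ok = password_verify($pass, $hash ?? $dummyHash) && $hash !== null;
    if (!$ok) {
        header(sprintf('WWW-Authenticate: Basic realm="%s"', $realm));
        header('HTTP/1.0 401 Unauthorized');
        exit('Authorization required');
    }
    return $user;
}

// A page belonging to realm2: user2 is refused even with a valid realm1 password.
echo 'Welcome, ' . htmlspecialchars(requireBasicAuth($ACCOUNTS, $DUMMY_HASH, 'realm2'));
```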

#7
fay47

Thanks for the information. I just happened to mention to a friend what you said about basic authentication. She also maintains a website and it turns out that she had also been using basic authentication. And kind of a coincidence, she had also just recently discovered the problem it presented with security and was changing it.

So again, thanks for the information and thanks for the link. I need to bookmark the site that you gave the link to so that I can come back to it when I have more time to really look into it.

Fay

#8
The Architect

Glad to have been of help!