Hi! Sure, it is interesting but there is nothing new    I’d like to ask maybe you know if it is possible to authorize a user through your form if the directory is closed with .htaccess i.e. to place data into the variables $PHP_AUTH_... within script. I have seen similar questions on many forums but I haven’t found answers to them.

In most articles devoted to protection is written that if there is a possibility for authorization by means of server, you shouldn’t invent anything new. As to the “Ability to view contents of files .htaccess and .htpasswd”, directive forbidding giving away files beginning with .ht

Last edited by senjor_itc (April 3, 2007 2:21 pm)

I’m impatiently waiting for it to be continued!... And in what way letter ‘Z’ makes hash selection more difficult?

The matter is that .htaccess files and form are incompatible due to two simple reasons

1. variables $PHP_AUTH_USER,$PHP_AUTH_PW cannot be changed from script.

2. to install them you are to send to user BasicRealm which is not a form, of course.

Two variants are possible…

Good luck.

Gentlemen, how can I organize authorization if the server is not Apache but IIS.  Authorization request via header function doesn’t work and correspondingly $PHP_AUTH_USER and PHP_AUTH_PW don’t work either. cookies won’t help as far as they are not accepted by users.

No one prevents user (selecting password) from choosing optional proxy each time which means that IPs may be different all the time.
My opinion is following: if someone is eager to select a password, you cannot do anything with it (neither with IP verification, neither with session nor with cookies).
Correct me if I’m mistaken

$HTTP_X_FORWARDED_FOR. If proxy-server or firewall aren’t anonymous, it informs to which IP it is going to be connected to (usually there are some IPs separated with comma).
Eveyone has forgotten about flock()

Last edited by Conker (April 4, 2007 7:52 am)

I have following remark concerning password selection.
The author gives such example: someone attaches to banner rollers applying to our site involving values substitution. It looks like a ‘selector’ is rejected by the system after 5 attempts. But banner will keep trying to get to the site. In an hour (it doesn’t matter for what period of time user is blocked by us) banners will try again. It doesn’t matter to them because it is a program. If it was a human, he would give up this in a couple of hours trying. So the main idea is fighting against the program for password selection.
But the standard solution comes at once: how to distinguish a user from program? We are to place a picture containing symbols’ set created randomly. If login and password are entered along with this code, we can be sure that we deal with a human and act as usually; if the code isn’t entered – we reject it and even don’t try to connect with the base or do anything else.
Why is this technology used by the registration of a new user only? Why isn’t it used for the authentication process?