Question about $_SERVER['PHP_AUTH_PW']

[DeNasio]

I'm currently creating a site where users have to enter a password to enter a certain area. They only need to enter a password, no username. All users use the same password to enter the area. I want to use $_SERVER['PHP_AUTH_PW'] to achieve this. I have the following question:

1. When members enter the password in a the form and hit the submit button I first check if the password is correct and then I define $_SERVER['PHP_AUTH_PW'] = $password. I assume that this is a correct way to give $_SERVER['PHP_AUTH_PW'] a value?

2. Do I need to send the password as a hidden variable everytime I call the script or is this done automatically?

[clamcrusher]

see
http://www.php.net/manual/en/features.http-auth.php

due the the restriction of php having to run as an apache module, personally, id go a different route.

just give them a form to enter the password into, validate it, if its good, start a session and set a logged_in var to true.

[DeNasio]

see
http://www.php.net/manual/en/features.http-auth.php

due the the restriction of php having to run as an apache module, personally, id go a different route.

I did, but I still had those 2 questions. I don´t want to display an authentication popup, just a simple form on the page asking for the username.

[clamcrusher]

something like

PHP Code:

session_start();

if (isset($_POST['pass'])) {
    if ($_POST['pass'] == 'foo') {
        $_SESSION['auth'] = true;
    } else {
        $_SESSION['auth'] = false;
    }
}

if (empty($_SESSION['auth'])) {
    echo 'the login form...';
    exit;
} 


calling something like that as an include on every page should do what you want. its critical that its the very first thing in any script which needs to be protected.

[mrwooster]

Its much better and more secure to use Sessions, if you use server variables there is a potential security risk as server variables can be accessed through phpinfo();

[DeNasio]

Its much better and more secure to use Sessions, if you use server variables there is a potential security risk as server variables can be accessed through phpinfo();

Does using Session use "more bandwidth" than not using Session?

[mrwooster]

As far as bandwidth goes - there will be no difference as bandwidth is the amount of data transmitted to and from your server to the client, all php processing is done on the server side and so does not take up any bandwidth. If you mean processing time, I am not too sure, but I would estimate that about 90% of all php sites with login systems will use sessions. It is certainly the best way to do it.

[DeNasio]

As far as bandwidth goes - there will be no difference as bandwidth is the amount of data transmitted to and from your server to the client, all php processing is done on the server side and so does not take up any bandwidth. If you mean processing time, I am not too sure, but I would estimate that about 90% of all php sites with login systems will use sessions. It is certainly the best way to do it.

I never liked using Session on a busy site. I only use Session in de user login area. I always thought that using Session on a very busy site causes lots of extra processing time for the server because of all the session variables it has to manage. Am I right in thinking this?

[clamcrusher]

its extra processing if your putting data into a session thats not needed.

if the data is needed, then you must fetch the data somehow. this is what sessions are designed for, and are quite fast. but yes, everything you do requires extra processing(whether it be sessions or not).

whats your alternative? a database? do you not think a database has overhead?