Quote:
Originally Posted by XD2
I haven't checked if this works as the paysites I built don't require it, but this code should check for valid username and password and reject anyone without it:
Code:
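<?php
// Redirect anyone who did not send a username and password
if (empty($_SERVER['PHP_AUTH_USER']) || empty($_SERVER['PHP_AUTH_PW'])) {
    // url to redirect to
    $url = "http://www.yourdomain.com";
    header("Location: $url");
    exit; // stop here so the protected page is not sent along with the redirect
}
?>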
Just place it in your members area above everything else and it will redirect if no username or password is found. This only works for sites using htaccess as an auth method.
If you just check the standard variable, $_SERVER['REMOTE_USER'], rather than
the nonstandard $_SERVER[PHP_AUTH_USER], it'll work for any standard authentication
method, past, present, or future. Plus it'll actually work. What's set in
PHP_AUTH_USER is not necessarily a valid user name. REMOTE_USER is their
authenticated user name.
Also as XD2 mentioned, PHP_AUTH_USER is populated only for basic
authentication, a system designed to be weak, and PHP weakens it further in the
process of setting PHP_AUTH_PW. Not that I recommend jacking around with
authentication at all within your content, that's the wrong place for it, but if you feel
you must, use REMOTE_USER. 99% of the time if someone references PHP_AUTH_USER
it's wrong and what they really want is REMOTE_USER. They may well be set differently.
REMOTE_USER is their actual user name, authenticated by mod_auth, mod_auth_digest,
Strongbox, or whatever authentication you're using. PHP_AUTH_USER is whatever
they set to be sent to the weakest possible authentication you could use - even if
in fact you're using something much better.
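
The difference between the two checks discussed in this thread, as an added example that is not code from either poster: a guard that trusts only REMOTE_USER, compared against the PHP_AUTH_* check on three request environments. The function names and the sample arrays are hypothetical and constructed for illustration.

```php
<?php
// Added example, not from the thread. Function names and sample data are hypothetical.

/**
 * Return the user name the web server authenticated, or null if there is none.
 * Only REMOTE_USER is consulted; PHP_AUTH_USER is client-supplied and ignored.
 */
function authenticated_user(array $server): ?string
{
    $user = $server['REMOTE_USER'] ?? '';
    return (is_string($user) && $user !== '') ? $user : null;
}

/** Guard for the top of a members page: redirect and stop if nobody is authenticated. */
function require_authenticated_user(array $server, string $redirectUrl): string
{
    $user = authenticated_user($server);
    if ($user === null) {
        header('Location: ' . $redirectUrl);
        exit; // without this the rest of the page is still sent after the redirect header
    }
    return $user;
}

// Real use, at the very top of a members page:
//   $user = require_authenticated_user($_SERVER, 'http://www.yourdomain.com');

// Constructed request environments (stand-ins for $_SERVER) to compare both checks.
$samples = [
    'Basic header sent, server did not authenticate' =>
        ['PHP_AUTH_USER' => 'anything', 'PHP_AUTH_PW' => 'anything'],
    'Server authenticated the user with Digest' =>
        ['REMOTE_USER' => 'alice', 'AUTH_TYPE' => 'Digest'],
    'No credentials at all' => [],
];

foreach ($samples as $label => $server) {
    // The PHP_AUTH_* check: passes whenever the client sent any Basic credentials.
    $phpAuth = !empty($server['PHP_AUTH_USER']) && !empty($server['PHP_AUTH_PW']);
    // The REMOTE_USER check: passes only when the server authenticated someone.
    $remote = authenticated_user($server) !== null;
    printf("%-48s PHP_AUTH_*: %-5s  REMOTE_USER: %s\n",
        $label, $phpAuth ? 'allow' : 'deny', $remote ? 'allow' : 'deny');
}
```

The first and second rows are where the two checks disagree: the PHP_AUTH_* check lets through a request the server never authenticated, and turns away a user the server authenticated by Digest.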