Specifications

In order to duplicate the behavior of the previous examples, we will also provide a page to tell
users that their authentication details were not correct. Closing the Authentication methods
dialog box will allow us to choose the Custom Errors tab.
The Custom Errors tab, shown in Figure 14.7, associates errors with error messages. Here, we
have stored the same rejection file we used earlier, rejection.html, shown in Listing 14.6. IIS
gives us the ability to provide a more specific error message than Apache does, providing the
HTTP error code that occurred and a reason why it occurred. For the error 401, which
represents failed authentication, IIS provides five different reasons. We could provide different
messages for each, but have chosen to only replace the two that are going to occur in this example
with our rejection page.
Chapter 14: Implementing Authentication with PHP and MySQL
FIGURE 14.7
The Custom Errors tab lets us associate custom error pages with error events.
That is all we need to do to require authentication for this directory using IIS5. Like a lot of
Windows software, it is easier to set up than similar UNIX software, but harder to copy from
machine to machine or directory to directory. It is also easy to accidentally set it up in a way
that makes your machine insecure.
The major flaw with IIS's approach is that it authenticates Web users by comparing their login
details to accounts on the machine. If we want to allow a user “john” to log in with the
password “password”, we need to create a user account on the machine, or on a domain, with this
name and password. You need to be very careful when you are creating accounts for Web
authentication so that the users only have the account rights they need to view Web pages and
do not have other rights such as Telnet access.
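One way to check that last point on a current Windows server, as an added example that is not from the book: the script below lists every local group a Web-only account belongs to beyond an allowed set. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts cmdlets (not available on IIS5-era systems); the `$WebAccounts` and `$AllowedGroups` values and the function name `Get-WebAccountFinding` are illustrative.

```powershell
# Added example (not from the book). Assumes Windows PowerShell 5.1+ with the
# Microsoft.PowerShell.LocalAccounts module; run from an elevated prompt.
$WebAccounts   = @('john')    # Web-only account; the name comes from the text's example
$AllowedGroups = @('Users')   # assumed policy: the only local group such accounts may join

function Get-WebAccountFinding {
    param(
        [Parameter(Mandatory)] [string[]] $Account,
        [Parameter(Mandatory)] [string[]] $AllowedGroup
    )

    # Resolve each local group's members once, keyed by group name.
    $membership = @{}
    foreach ($group in Get-LocalGroup) {
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        $membership[$group.Name] = @($members | ForEach-Object { $_.SID.Value })
    }

    foreach ($name in $Account) {
        $user = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        if (-not $user) {
            [pscustomobject]@{ Account = $name; Finding = 'no such local account' }
            continue
        }
        # Report every group outside the allowed set that contains this account.
        foreach ($groupName in $membership.Keys) {
            if ($membership[$groupName] -contains $user.SID.Value -and
                $AllowedGroup -notcontains $groupName) {
                [pscustomobject]@{ Account = $name; Finding = "member of '$groupName'" }
            }
        }
    }
}

# An empty result means no listed account is a direct member of an extra group.
Get-WebAccountFinding -Account $WebAccounts -AllowedGroup $AllowedGroups |
    Format-Table -AutoSize
```

The check covers direct local group membership only; rights granted through domain groups or through user rights assignments in the local security policy need to be reviewed separately.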