Capturing Windows Login Name

*** K. A. escribió/wrote (Sat, 2 Feb 2008 01:25:45 -0800 (PST)):
> <script language="JScript">
> var strUsername;
> var objNetwork;
> objNetwork= new ActiveXObject("WScript.Network");
> strUsername= objNetwork.Username;
> strUsername= strUsername.toLowerCase();
> document.write(strUsername); // prints the login name onto the screen.

// Not tested
document.write('<link href="' +
escape(strUsername) +
" rel="stylesheet" type="text/css">');

> </script>
> </head>

::: grab-username.php :::
<?

session_start();

if(!isset($_SESSION['username']) && isset($_GET['username']){
$_SESSION['username'] = $_GET['username'];
}

?>


You can also use a fake JavaScript doc, a 1x1 transparent GIF or AJAX.



--
-+ http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
++ Mi sitio sobre programación web: http://bits.demogracia.com
+- Mi web de humor austrohúngaro: http://www.demogracia.com
--
 >> Stay informed about: Capturing Windows Login Name 

*** K. A. escribió/wrote (Sat, 2 Feb 2008 01:25:45 -0800 (PST)):
> <script language="JScript">
> var strUsername;
> var objNetwork;
> objNetwork= new ActiveXObject("WScript.Network");
> strUsername= objNetwork.Username;
> strUsername= strUsername.toLowerCase();
> document.write(strUsername); // prints the login name onto the screen.

// Not tested
document.write('<link href="/grab-username.php?username=' +
escape(strUsername) +
'" rel="stylesheet" type="text/css">');

> </script>
> </head>

::: grab-username.php :::
<?

session_start();

if(!isset($_SESSION['username']) && isset($_GET['username']){
$_SESSION['username'] = $_GET['username'];
}

?>


You can also use a fake JavaScript doc, a 1x1 transparent GIF or AJAX.



--
-+ http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
++ Mi sitio sobre programación web: http://bits.demogracia.com
+- Mi web de humor austrohúngaro: http://www.demogracia.com
--
 >> Stay informed about: Capturing Windows Login Name 

Hello,

on 02/02/2008 07:25 AM K. A. said the following:
> I know it is not possible to get Windows login name using PHP because
> it is a server-side script, but I dunno whether anyone has tried using

This is not accurate, the Windows logon name is passed to servers by
several browsers (not just IE) when servers ask for Windows NTLM
authentication.

You just need to configure your Web server to require Windows
authentication, and you get the current logged user logon name using
GetEnv('LOGON_USER'); .

Forget Javascript, it would never work.

--

Regards,
Manuel Lemos

PHP professionals looking for PHP jobs
http://www.phpclasses.org/professionals/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/
 >> Stay informed about: Capturing Windows Login Name 

Manuel Lemos wrote:
> Hello,
>
> on 02/02/2008 07:25 AM K. A. said the following:
>> I know it is not possible to get Windows login name using PHP because
>> it is a server-side script, but I dunno whether anyone has tried using
>
> This is not accurate, the Windows logon name is passed to servers by
> several browsers (not just IE) when servers ask for Windows NTLM
> authentication.
>
> You just need to configure your Web server to require Windows
> authentication, and you get the current logged user logon name using
> GetEnv('LOGON_USER'); .
>
> Forget Javascript, it would never work.
>

And which browsers are these? I want to ensure they are never installed
on my system. Such operation would be a tremendous breach of security.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex.TakeThisOut@attglobal.net
==================
 >> Stay informed about: Capturing Windows Login Name 

Hello,

on 02/03/2008 01:17 AM Jerry Stuckle said the following:
>>> I know it is not possible to get Windows login name using PHP because
>>> it is a server-side script, but I dunno whether anyone has tried using
>>
>> This is not accurate, the Windows logon name is passed to servers by
>> several browsers (not just IE) when servers ask for Windows NTLM
>> authentication.
>>
>> You just need to configure your Web server to require Windows
>> authentication, and you get the current logged user logon name using
>> GetEnv('LOGON_USER'); .
>>
>> Forget Javascript, it would never work.
>>
>
> And which browsers are these? I want to ensure they are never installed
> on my system. Such operation would be a tremendous breach of security.

Internet Explorer and Firefox support NTLM. Maybe other browser

NTLM is an authentication protocol. The client (the browser) does not
send passwords to the server. There is nothing insecure about this. The
browsers just send the hashed passwords to the server. The server just
compares hashes and tells if what the browser sent was correct.

If the authentication succeeds, the server allows the access of whatever
page (including PHP scripts).

This is a multi-step protocol. The user name is only passed to the
server in the last step, if the previous steps succeed.

The idea is to not make the user enter the same password again to access
a site under the same Windows controller domain, after he has logon on
his Windows machine account that belongs to the same Windows domain.

--

Regards,
Manuel Lemos

PHP professionals looking for PHP jobs
http://www.phpclasses.org/professionals/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/
 >> Stay informed about: Capturing Windows Login Name 

Manuel Lemos wrote:
> Hello,
>
> on 02/03/2008 01:17 AM Jerry Stuckle said the following:
>>>> I know it is not possible to get Windows login name using PHP because
>>>> it is a server-side script, but I dunno whether anyone has tried using
>>> This is not accurate, the Windows logon name is passed to servers by
>>> several browsers (not just IE) when servers ask for Windows NTLM
>>> authentication.
>>>
>>> You just need to configure your Web server to require Windows
>>> authentication, and you get the current logged user logon name using
>>> GetEnv('LOGON_USER'); .
>>>
>>> Forget Javascript, it would never work.
>>>
>> And which browsers are these? I want to ensure they are never installed
>> on my system. Such operation would be a tremendous breach of security.
>
> Internet Explorer and Firefox support NTLM. Maybe other browser
>
> NTLM is an authentication protocol. The client (the browser) does not
> send passwords to the server. There is nothing insecure about this. The
> browsers just send the hashed passwords to the server. The server just
> compares hashes and tells if what the browser sent was correct.
>

Wrong. Access to my computer consists of logon id plus password. It is
none of your business what my logon id is. And it is a security exposure.

> If the authentication succeeds, the server allows the access of whatever
> page (including PHP scripts).
>
> This is a multi-step protocol. The user name is only passed to the
> server in the last step, if the previous steps succeed.
>
> The idea is to not make the user enter the same password again to access
> a site under the same Windows controller domain, after he has logon on
> his Windows machine account that belongs to the same Windows domain.
>

But it cannot be done by any website to any computer with no control by
the user.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex.RemoveThis@attglobal.net
==================
 >> Stay informed about: Capturing Windows Login Name 

Hello,

on 02/03/2008 12:33 PM Jerry Stuckle said the following:
>>>>> I know it is not possible to get Windows login name using PHP because
>>>>> it is a server-side script, but I dunno whether anyone has tried using
>>>> This is not accurate, the Windows logon name is passed to servers by
>>>> several browsers (not just IE) when servers ask for Windows NTLM
>>>> authentication.
>>>>
>>>> You just need to configure your Web server to require Windows
>>>> authentication, and you get the current logged user logon name using
>>>> GetEnv('LOGON_USER'); .
>>>>
>>>> Forget Javascript, it would never work.
>>>>
>>> And which browsers are these? I want to ensure they are never installed
>>> on my system. Such operation would be a tremendous breach of security.
>>
>> Internet Explorer and Firefox support NTLM. Maybe other browser
>>
>> NTLM is an authentication protocol. The client (the browser) does not
>> send passwords to the server. There is nothing insecure about this. The
>> browsers just send the hashed passwords to the server. The server just
>> compares hashes and tells if what the browser sent was correct.
>>
>
> Wrong. Access to my computer consists of logon id plus password. It is
> none of your business what my logon id is. And it is a security exposure.

You are missing the point. I am not arguing with you. I am telling you
how it works. NTLM is an authentication protocol that is used in
Intranets, not in the general Internet.

If you access an Intranet Web server that requires that you have
authorization in the Windows network, you have to authenticate. If your
browser supports NTLM, it will use it, otherwise it usally falls back to
Basic authentication which is not very secure because passwords are sent
unencrypted.

NTLM is a more secure authentication protocol than Basic because
passwords are never sent to the server and it saves the users from the
annoyance of typing their user names and passwords again.

I am well aware of how it works because I implemented the SASL PHP
library, that among other protocols supports NTLM.

http://www.phpclasses.org/sasl

It is used by HTTP, POP3, SMTP client classes to access servers of these
protocols under Intranets that require NTLM authentication:

http://www.phpclasses.org/httpclient

http://www.phpclasses.org/pop3class

http://www.phpclasses.org/smtpclass


>> If the authentication succeeds, the server allows the access of whatever
>> page (including PHP scripts).
>>
>> This is a multi-step protocol. The user name is only passed to the
>> server in the last step, if the previous steps succeed.
>>
>> The idea is to not make the user enter the same password again to access
>> a site under the same Windows controller domain, after he has logon on
>> his Windows machine account that belongs to the same Windows domain.
>>
>
> But it cannot be done by any website to any computer with no control by
> the user.

I never said it could.


--

Regards,
Manuel Lemos

PHP professionals looking for PHP jobs
http://www.phpclasses.org/professionals/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/
 >> Stay informed about: Capturing Windows Login Name 

Manuel Lemos wrote:
> Hello,
>
> on 02/03/2008 12:33 PM Jerry Stuckle said the following:
>>>>>> I know it is not possible to get Windows login name using PHP because
>>>>>> it is a server-side script, but I dunno whether anyone has tried using
>>>>> This is not accurate, the Windows logon name is passed to servers by
>>>>> several browsers (not just IE) when servers ask for Windows NTLM
>>>>> authentication.
>>>>>
>>>>> You just need to configure your Web server to require Windows
>>>>> authentication, and you get the current logged user logon name using
>>>>> GetEnv('LOGON_USER'); .
>>>>>
>>>>> Forget Javascript, it would never work.
>>>>>
>>>> And which browsers are these? I want to ensure they are never installed
>>>> on my system. Such operation would be a tremendous breach of security.
>>> Internet Explorer and Firefox support NTLM. Maybe other browser
>>>
>>> NTLM is an authentication protocol. The client (the browser) does not
>>> send passwords to the server. There is nothing insecure about this. The
>>> browsers just send the hashed passwords to the server. The server just
>>> compares hashes and tells if what the browser sent was correct.
>>>
>> Wrong. Access to my computer consists of logon id plus password. It is
>> none of your business what my logon id is. And it is a security exposure.
>
> You are missing the point. I am not arguing with you. I am telling you
> how it works. NTLM is an authentication protocol that is used in
> Intranets, not in the general Internet.
>
> If you access an Intranet Web server that requires that you have
> authorization in the Windows network, you have to authenticate. If your
> browser supports NTLM, it will use it, otherwise it usally falls back to
> Basic authentication which is not very secure because passwords are sent
> unencrypted.
>
> NTLM is a more secure authentication protocol than Basic because
> passwords are never sent to the server and it saves the users from the
> annoyance of typing their user names and passwords again.
>
> I am well aware of how it works because I implemented the SASL PHP
> library, that among other protocols supports NTLM.
>
> http://www.phpclasses.org/sasl
>

So what? I'm quite aware how it works, also.

> It is used by HTTP, POP3, SMTP client classes to access servers of these
> protocols under Intranets that require NTLM authentication:
>
> http://www.phpclasses.org/httpclient
>
> http://www.phpclasses.org/pop3class
>
> http://www.phpclasses.org/smtpclass
>

Gee, more of your lame classes?

>
>>> If the authentication succeeds, the server allows the access of whatever
>>> page (including PHP scripts).
>>>
>>> This is a multi-step protocol. The user name is only passed to the
>>> server in the last step, if the previous steps succeed.
>>>
>>> The idea is to not make the user enter the same password again to access
>>> a site under the same Windows controller domain, after he has logon on
>>> his Windows machine account that belongs to the same Windows domain.
>>>
>> But it cannot be done by any website to any computer with no control by
>> the user.
>
> I never said it could.
>
>

You intimated that any browser would pass along your logon name to any
website which requested it. And I'm saying this is NOT the case.

If you're so well aware of how it works, you need to learn to express
yourself better.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex DeleteThis @attglobal.net
==================
 >> Stay informed about: Capturing Windows Login Name 

Hello,

on 02/03/2008 04:20 PM Jerry Stuckle said the following:
>>>>>>> I know it is not possible to get Windows login name using PHP
>>>>>>> because
>>>>>>> it is a server-side script, but I dunno whether anyone has tried
>>>>>>> using
>>>>>> This is not accurate, the Windows logon name is passed to servers by
>>>>>> several browsers (not just IE) when servers ask for Windows NTLM
>>>>>> authentication.
>>>>>>
>>>>>> You just need to configure your Web server to require Windows
>>>>>> authentication, and you get the current logged user logon name using
>>>>>> GetEnv('LOGON_USER'); .
>>>>>>
>>>>>> Forget Javascript, it would never work.
>>>>>>
>>>>> And which browsers are these? I want to ensure they are never
>>>>> installed
>>>>> on my system. Such operation would be a tremendous breach of
>>>>> security.
>>>> Internet Explorer and Firefox support NTLM. Maybe other browser
>>>>
>>>> NTLM is an authentication protocol. The client (the browser) does not
>>>> send passwords to the server. There is nothing insecure about this. The
>>>> browsers just send the hashed passwords to the server. The server just
>>>> compares hashes and tells if what the browser sent was correct.
>>>>
>>> Wrong. Access to my computer consists of logon id plus password. It is
>>> none of your business what my logon id is. And it is a security
>>> exposure.
>>
>> You are missing the point. I am not arguing with you. I am telling you
>> how it works. NTLM is an authentication protocol that is used in
>> Intranets, not in the general Internet.
>>
>> If you access an Intranet Web server that requires that you have
>> authorization in the Windows network, you have to authenticate. If your
>> browser supports NTLM, it will use it, otherwise it usally falls back to
>> Basic authentication which is not very secure because passwords are sent
>> unencrypted.
>>
>> NTLM is a more secure authentication protocol than Basic because
>> passwords are never sent to the server and it saves the users from the
>> annoyance of typing their user names and passwords again.
>>
>> I am well aware of how it works because I implemented the SASL PHP
>> library, that among other protocols supports NTLM.
>>
>> http://www.phpclasses.org/sasl
>>
>
> So what? I'm quite aware how it works, also.
>
>> It is used by HTTP, POP3, SMTP client classes to access servers of these
>> protocols under Intranets that require NTLM authentication:
>>
>> http://www.phpclasses.org/httpclient
>>
>> http://www.phpclasses.org/pop3class
>>
>> http://www.phpclasses.org/smtpclass
>>
>
> Gee, more of your lame classes?

I have an hard time understanding why you need to be so hostile and
depart to personal insult against a person that did nothing against you.

I just presented examples on which NTLM authentication is used. I do not
use Windows. I just use Linux, but I studied NTLM and other
authentication protocols in depth to add support to them by request of
the users of those classes.

It is not really relevant, but those classes are quite popular and well
rated as you may check in Freshmeat. Regardless of what you think, they
address needs of many tens of thousands of PHP developers.

Seeing you calling them lame, I assume that you either do not know the
classes and/or just want again to turn a pure technical thread into a
personal attack full of free insults from your part.

Anyway, if trying to insult me is your intention, nevermind, I am not
going to follow-up. If you insist with the insulting tone, rest assured
that I will leave you talking to the walls.


>>>> If the authentication succeeds, the server allows the access of
>>>> whatever
>>>> page (including PHP scripts).
>>>>
>>>> This is a multi-step protocol. The user name is only passed to the
>>>> server in the last step, if the previous steps succeed.
>>>>
>>>> The idea is to not make the user enter the same password again to
>>>> access
>>>> a site under the same Windows controller domain, after he has logon on
>>>> his Windows machine account that belongs to the same Windows domain.
>>>>
>>> But it cannot be done by any website to any computer with no control by
>>> the user.
>>
>> I never said it could.
>>
>>
>
> You intimated that any browser would pass along your logon name to any
> website which requested it. And I'm saying this is NOT the case.

No, if you read me again you may notice that I explained "This is a
multi-step protocol. The user name is only passed to the server in the
last step, if the previous steps succeed."


> If you're so well aware of how it works, you need to learn to express
> yourself better.

Or maybe you need to "put that gun down" and start reading properly to
what people are saying and not make wrong assumptions and departing to
personal insult.

--

Regards,
Manuel Lemos

PHP professionals looking for PHP jobs
http://www.phpclasses.org/professionals/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/
 >> Stay informed about: Capturing Windows Login Name 

Manuel Lemos wrote:
> Hello,
>
> on 02/03/2008 04:20 PM Jerry Stuckle said the following:
>>>>>>>> I know it is not possible to get Windows login name using PHP
>>>>>>>> because
>>>>>>>> it is a server-side script, but I dunno whether anyone has tried
>>>>>>>> using
>>>>>>> This is not accurate, the Windows logon name is passed to servers by
>>>>>>> several browsers (not just IE) when servers ask for Windows NTLM
>>>>>>> authentication.
>>>>>>>
>>>>>>> You just need to configure your Web server to require Windows
>>>>>>> authentication, and you get the current logged user logon name using
>>>>>>> GetEnv('LOGON_USER'); .
>>>>>>>
>>>>>>> Forget Javascript, it would never work.
>>>>>>>
>>>>>> And which browsers are these? I want to ensure they are never
>>>>>> installed
>>>>>> on my system. Such operation would be a tremendous breach of
>>>>>> security.
>>>>> Internet Explorer and Firefox support NTLM. Maybe other browser
>>>>>
>>>>> NTLM is an authentication protocol. The client (the browser) does not
>>>>> send passwords to the server. There is nothing insecure about this. The
>>>>> browsers just send the hashed passwords to the server. The server just
>>>>> compares hashes and tells if what the browser sent was correct.
>>>>>
>>>> Wrong. Access to my computer consists of logon id plus password. It is
>>>> none of your business what my logon id is. And it is a security
>>>> exposure.
>>> You are missing the point. I am not arguing with you. I am telling you
>>> how it works. NTLM is an authentication protocol that is used in
>>> Intranets, not in the general Internet.
>>>
>>> If you access an Intranet Web server that requires that you have
>>> authorization in the Windows network, you have to authenticate. If your
>>> browser supports NTLM, it will use it, otherwise it usally falls back to
>>> Basic authentication which is not very secure because passwords are sent
>>> unencrypted.
>>>
>>> NTLM is a more secure authentication protocol than Basic because
>>> passwords are never sent to the server and it saves the users from the
>>> annoyance of typing their user names and passwords again.
>>>
>>> I am well aware of how it works because I implemented the SASL PHP
>>> library, that among other protocols supports NTLM.
>>>
>>> http://www.phpclasses.org/sasl
>>>
>> So what? I'm quite aware how it works, also.
>>
>>> It is used by HTTP, POP3, SMTP client classes to access servers of these
>>> protocols under Intranets that require NTLM authentication:
>>>
>>> http://www.phpclasses.org/httpclient
>>>
>>> http://www.phpclasses.org/pop3class
>>>
>>> http://www.phpclasses.org/smtpclass
>>>
>> Gee, more of your lame classes?
>
> I have an hard time understanding why you need to be so hostile and
> depart to personal insult against a person that did nothing against you.
>
> I just presented examples on which NTLM authentication is used. I do not
> use Windows. I just use Linux, but I studied NTLM and other
> authentication protocols in depth to add support to them by request of
> the users of those classes.
>
> It is not really relevant, but those classes are quite popular and well
> rated as you may check in Freshmeat. Regardless of what you think, they
> address needs of many tens of thousands of PHP developers.
>

And there are thousands of programmers who depend on register_globals,
short_open_tags and insecure formmail scripts. Popularity does not
indicate quality.

> Seeing you calling them lame, I assume that you either do not know the
> classes and/or just want again to turn a pure technical thread into a
> personal attack full of free insults from your part.
>

You're the one who brought them up as examples of your "proficiency".
You don't like my opinion of them? Guess what. Tough tootsies.

> Anyway, if trying to insult me is your intention, nevermind, I am not
> going to follow-up. If you insist with the insulting tone, rest assured
> that I will leave you talking to the walls.
>
>


>>>>> If the authentication succeeds, the server allows the access of
>>>>> whatever
>>>>> page (including PHP scripts).
>>>>>
>>>>> This is a multi-step protocol. The user name is only passed to the
>>>>> server in the last step, if the previous steps succeed.
>>>>>
>>>>> The idea is to not make the user enter the same password again to
>>>>> access
>>>>> a site under the same Windows controller domain, after he has logon on
>>>>> his Windows machine account that belongs to the same Windows domain.
>>>>>
>>>> But it cannot be done by any website to any computer with no control by
>>>> the user.
>>> I never said it could.
>>>
>>>
>> You intimated that any browser would pass along your logon name to any
>> website which requested it. And I'm saying this is NOT the case.
>
> No, if you read me again you may notice that I explained "This is a
> multi-step protocol. The user name is only passed to the server in the
> last step, if the previous steps succeed."
>

That's correct. But you never iterated exactly what those steps are,
did you. Leaving people to assume that they can get the logon id from
any system.

>
>> If you're so well aware of how it works, you need to learn to express
>> yourself better.
>
> Or maybe you need to "put that gun down" and start reading properly to
> what people are saying and not make wrong assumptions and departing to
> personal insult.
>

No, I read exactly what you SAID.

And again - no PERSONAL insult. You brought up some work as examples of
your "expertise". I stated my opinions of the same.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex RemoveThis @attglobal.net
==================
 >> Stay informed about: Capturing Windows Login Name 

on 02/03/2008 05:19 PM Jerry Stuckle said the following:
>>>> NTLM is a more secure authentication protocol than Basic because
>>>> passwords are never sent to the server and it saves the users from the
>>>> annoyance of typing their user names and passwords again.
>>>>
>>>> I am well aware of how it works because I implemented the SASL PHP
>>>> library, that among other protocols supports NTLM.
>>>>
>>>> http://www.phpclasses.org/sasl
>>>>
>>> So what? I'm quite aware how it works, also.
>>>
>>>> It is used by HTTP, POP3, SMTP client classes to access servers of
>>>> these
>>>> protocols under Intranets that require NTLM authentication:
>>>>
>>>> http://www.phpclasses.org/httpclient
>>>>
>>>> http://www.phpclasses.org/pop3class
>>>>
>>>> http://www.phpclasses.org/smtpclass
>>>>
>>> Gee, more of your lame classes?
>>
>> I have an hard time understanding why you need to be so hostile and
>> depart to personal insult against a person that did nothing against you.
>>
>> I just presented examples on which NTLM authentication is used. I do not
>> use Windows. I just use Linux, but I studied NTLM and other
>> authentication protocols in depth to add support to them by request of
>> the users of those classes.
>>
>> It is not really relevant, but those classes are quite popular and well
>> rated as you may check in Freshmeat. Regardless of what you think, they
>> address needs of many tens of thousands of PHP developers.
>>
>
> And there are thousands of programmers who depend on register_globals,
> short_open_tags and insecure formmail scripts. Popularity does not
> indicate quality.

You conviniently ignored the fact that I said those classes are also
well rated.

Many PHP developers know the quality of my work. I don't need to prove
it here. But coincidentaly, I was recently invited to speak in the Zend
Developer zone in one of their podcasts. It was just released and it
talks precisely about one of the classes I mentioned above.

http://devzone.zend.com/article/3049-PHP-Abstract-Podcast-Episode-34-S...ams-Abs

The transcript is here:

http://www.phpclasses.org/blog/post/74-A-PHP-killer-feature--Streams-a...raction

Please be serious, trying to hummiliate me and minimize the quality of
my work in a public forum like this, only speaks against your
credibility and reputation. If you value your reputation and credibility
you may want to rethink what you say against others.


>> Seeing you calling them lame, I assume that you either do not know the
>> classes and/or just want again to turn a pure technical thread into a
>> personal attack full of free insults from your part.
>>
>
> You're the one who brought them up as examples of your "proficiency".
> You don't like my opinion of them? Guess what. Tough tootsies.

I (and probably anybody else here) do not care about your opinion when
your intention is to be hostile and minimize my work based on ill
feelings from you just like you expressed. If you don't know how to
respect and disagree with people without being hostile, it is not going
to be me that is going to teach you. Hate speech and hostility from you
or anybody, for me is end of thread.


>> Anyway, if trying to insult me is your intention, nevermind, I am not
>> going to follow-up. If you insist with the insulting tone, rest assured
>> that I will leave you talking to the walls.
>>
>>
>
>
>>>>>> If the authentication succeeds, the server allows the access of
>>>>>> whatever
>>>>>> page (including PHP scripts).
>>>>>>
>>>>>> This is a multi-step protocol. The user name is only passed to the
>>>>>> server in the last step, if the previous steps succeed.
>>>>>>
>>>>>> The idea is to not make the user enter the same password again to
>>>>>> access
>>>>>> a site under the same Windows controller domain, after he has
>>>>>> logon on
>>>>>> his Windows machine account that belongs to the same Windows domain.
>>>>>>
>>>>> But it cannot be done by any website to any computer with no
>>>>> control by
>>>>> the user.
>>>> I never said it could.
>>>>
>>>>
>>> You intimated that any browser would pass along your logon name to any
>>> website which requested it. And I'm saying this is NOT the case.
>>
>> No, if you read me again you may notice that I explained "This is a
>> multi-step protocol. The user name is only passed to the server in the
>> last step, if the previous steps succeed."
>>
>
> That's correct. But you never iterated exactly what those steps are,
> did you. Leaving people to assume that they can get the logon id from
> any system.

That is just you jumping to conclusions about something I never said.




--

Regards,
Manuel Lemos

PHP professionals looking for PHP jobs
http://www.phpclasses.org/professionals/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/
 >> Stay informed about: Capturing Windows Login Name 

Manuel Lemos wrote:
> on 02/03/2008 05:19 PM Jerry Stuckle said the following:
>>>>> NTLM is a more secure authentication protocol than Basic because
>>>>> passwords are never sent to the server and it saves the users from the
>>>>> annoyance of typing their user names and passwords again.
>>>>>
>>>>> I am well aware of how it works because I implemented the SASL PHP
>>>>> library, that among other protocols supports NTLM.
>>>>>
>>>>> http://www.phpclasses.org/sasl
>>>>>
>>>> So what? I'm quite aware how it works, also.
>>>>
>>>>> It is used by HTTP, POP3, SMTP client classes to access servers of
>>>>> these
>>>>> protocols under Intranets that require NTLM authentication:
>>>>>
>>>>> http://www.phpclasses.org/httpclient
>>>>>
>>>>> http://www.phpclasses.org/pop3class
>>>>>
>>>>> http://www.phpclasses.org/smtpclass
>>>>>
>>>> Gee, more of your lame classes?
>>> I have an hard time understanding why you need to be so hostile and
>>> depart to personal insult against a person that did nothing against you.
>>>
>>> I just presented examples on which NTLM authentication is used. I do not
>>> use Windows. I just use Linux, but I studied NTLM and other
>>> authentication protocols in depth to add support to them by request of
>>> the users of those classes.
>>>
>>> It is not really relevant, but those classes are quite popular and well
>>> rated as you may check in Freshmeat. Regardless of what you think, they
>>> address needs of many tens of thousands of PHP developers.
>>>
>> And there are thousands of programmers who depend on register_globals,
>> short_open_tags and insecure formmail scripts. Popularity does not
>> indicate quality.
>
> You conviniently ignored the fact that I said those classes are also
> well rated.
>

So? That means nothing until you qualify the raters.

> Many PHP developers know the quality of my work. I don't need to prove
> it here. But coincidentaly, I was recently invited to speak in the Zend
> Developer zone in one of their podcasts. It was just released and it
> talks precisely about one of the classes I mentioned above.
>

Yep, I've heard from others about the 'quality' of your work.

And so you were invited to talk in the Zend Developer Zone? Over the
years I've been asked to speak at many different forums. Big deal.

> http://devzone.zend.com/article/3049-PHP-Abstract-Podcast-Episode-34-S...ams-Abs
>
> The transcript is here:
>
> http://www.phpclasses.org/blog/post/74-A-PHP-killer-feature--Streams-a...raction
>
> Please be serious, trying to hummiliate me and minimize the quality of
> my work in a public forum like this, only speaks against your
> credibility and reputation. If you value your reputation and credibility
> you may want to rethink what you say against others.
>

No, I'm not trying to humiliate you. I'm just telling you that not
everyone shares your own image of your work. And the more you defend
it, the less it must be worth.

>
>>> Seeing you calling them lame, I assume that you either do not know the
>>> classes and/or just want again to turn a pure technical thread into a
>>> personal attack full of free insults from your part.
>>>
>> You're the one who brought them up as examples of your "proficiency".
>> You don't like my opinion of them? Guess what. Tough tootsies.
>
> I (and probably anybody else here) do not care about your opinion when
> your intention is to be hostile and minimize my work based on ill
> feelings from you just like you expressed. If you don't know how to
> respect and disagree with people without being hostile, it is not going
> to be me that is going to teach you. Hate speech and hostility from you
> or anybody, for me is end of thread.
>

This has nothing at all to do with ill feelings. This has everything to
do with your claims about your "abilities" not being shared by all -
especially some very experienced programmers.

>
>>> Anyway, if trying to insult me is your intention, nevermind, I am not
>>> going to follow-up. If you insist with the insulting tone, rest assured
>>> that I will leave you talking to the walls.
>>>
>>>
>>
>>>>>>> If the authentication succeeds, the server allows the access of
>>>>>>> whatever
>>>>>>> page (including PHP scripts).
>>>>>>>
>>>>>>> This is a multi-step protocol. The user name is only passed to the
>>>>>>> server in the last step, if the previous steps succeed.
>>>>>>>
>>>>>>> The idea is to not make the user enter the same password again to
>>>>>>> access
>>>>>>> a site under the same Windows controller domain, after he has
>>>>>>> logon on
>>>>>>> his Windows machine account that belongs to the same Windows domain.
>>>>>>>
>>>>>> But it cannot be done by any website to any computer with no
>>>>>> control by
>>>>>> the user.
>>>>> I never said it could.
>>>>>
>>>>>
>>>> You intimated that any browser would pass along your logon name to any
>>>> website which requested it. And I'm saying this is NOT the case.
>>> No, if you read me again you may notice that I explained "This is a
>>> multi-step protocol. The user name is only passed to the server in the
>>> last step, if the previous steps succeed."
>>>
>> That's correct. But you never iterated exactly what those steps are,
>> did you. Leaving people to assume that they can get the logon id from
>> any system.
>
> That is just you jumping to conclusions about something I never said.
>
>

Nope, that's YOU leaving out very important information.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex RemoveThis @attglobal.net
==================
 >> Stay informed about: Capturing Windows Login Name 

So... does anyone know how to capture windows login name?

BTW, dont we have moderators here?
This ego fight is not of my interest. And I guess no one here have
interest on that.
 >> Stay informed about: Capturing Windows Login Name