Re: Capturing Windows Login Name



on 02/03/2008 05:19 PM Jerry Stuckle said the following:
NTLM is a more secure authentication protocol than Basic because
passwords are never sent to the server and it saves the users from the
annoyance of typing their user names and passwords again.

I am well aware of how it works because I implemented the SASL PHP
library, that among other protocols supports NTLM.

http://www.phpclasses.org/sasl

So what? I'm quite aware how it works, also.

It is used by HTTP, POP3, SMTP client classes to access servers of these
protocols under Intranets that require NTLM authentication:

http://www.phpclasses.org/httpclient

http://www.phpclasses.org/pop3class

http://www.phpclasses.org/smtpclass

Gee, more of your lame classes?

I have a hard time understanding why you need to be so hostile and
depart to personal insult against a person that did nothing against you.

I just presented examples on which NTLM authentication is used. I do not
use Windows. I just use Linux, but I studied NTLM and other
authentication protocols in depth to add support to them by request of
the users of those classes.

It is not really relevant, but those classes are quite popular and well
rated as you may check in Freshmeat. Regardless of what you think, they
address needs of many tens of thousands of PHP developers.


And there are thousands of programmers who depend on register_globals,
short_open_tags and insecure formmail scripts. Popularity does not
indicate quality.

You conveniently ignored the fact that I said those classes are also
well rated.

Many PHP developers know the quality of my work. I don't need to prove
it here. But coincidentally, I was recently invited to speak in the Zend
Developer zone in one of their podcasts. It was just released and it
talks precisely about one of the classes I mentioned above.

http://devzone.zend.com/article/3049-PHP-Abstract-Podcast-Episode-34-Streams-Abstraction

The transcript is here:

http://www.phpclasses.org/blog/post/74-A-PHP-killer-feature--Streams-abstraction.html

Please be serious, trying to humiliate me and minimize the quality of
my work in a public forum like this, only speaks against your
credibility and reputation. If you value your reputation and credibility
you may want to rethink what you say against others.


Seeing you calling them lame, I assume that you either do not know the
classes and/or just want again to turn a pure technical thread into a
personal attack full of free insults from your part.


You're the one who brought them up as examples of your "proficiency".
You don't like my opinion of them? Guess what. Tough tootsies.

I (and probably anybody else here) do not care about your opinion when
your intention is to be hostile and minimize my work based on ill
feelings from you just like you expressed. If you don't know how to
respect and disagree with people without being hostile, it is not going
to be me that is going to teach you. Hate speech and hostility from you
or anybody, for me is end of thread.


Anyway, if trying to insult me is your intention, never mind, I am not
going to follow-up. If you insist with the insulting tone, rest assured
that I will leave you talking to the walls.




If the authentication succeeds, the server allows the access of whatever
page (including PHP scripts).

This is a multi-step protocol. The user name is only passed to the
server in the last step, if the previous steps succeed.

The idea is to not make the user enter the same password again to access
a site under the same Windows controller domain, after he has logged on to
his Windows machine account that belongs to the same Windows domain.

But it cannot be done by any website to any computer with no control by
the user.
I never said it could.


You intimated that any browser would pass along your logon name to any
website which requested it. And I'm saying this is NOT the case.

No, if you read me again you may notice that I explained "This is a
multi-step protocol. The user name is only passed to the server in the
last step, if the previous steps succeed."


That's correct. But you never iterated exactly what those steps are,
did you. Leaving people to assume that they can get the logon id from
any system.

That is just you jumping to conclusions about something I never said.




--

Regards,
Manuel Lemos

PHP professionals looking for PHP jobs
http://www.phpclasses.org/professionals/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/
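
The multi-step exchange discussed in the post above, as an added example that is not part of the original message and not code from the SASL library it mentions: a parser for the three NTLM messages carried in HTTP `Authorization` / `WWW-Authenticate` headers, showing that only the third message contains an account name. Field offsets follow the NTLM message layout documented in Microsoft's MS-NLMP; the sample messages and the names CORP, alice and WS01 are constructed, and latin-1 stands in for the OEM charset.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE

def _field(msg, pos):
    """Follow a (length, max length, offset) descriptor into the payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field descriptor points outside the message")
    return msg[offset:offset + length]

def parse_ntlm(header_value):
    """Decode the token of an 'NTLM <base64>' header value into a dict."""
    scheme, _, token = header_value.partition(" ")
    msg = base64.b64decode(token, validate=True)
    if scheme.upper() != "NTLM" or len(msg) < 12 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLM message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == 1:  # client -> server: negotiate flags, no account name
        return {"type": 1, "user": None}
    if mtype == 2 and len(msg) >= 32:  # server -> client: 8-byte challenge
        return {"type": 2, "user": None, "challenge": msg[24:32]}
    if mtype == 3 and len(msg) >= 64:  # client -> server: response + identity
        flags = struct.unpack_from("<I", msg, 60)[0]
        enc = "utf-16-le" if flags & UNICODE else "latin-1"  # OEM charset assumed
        # The name is only a claim until the response at offset 20 is verified.
        return {"type": 3, "domain": _field(msg, 28).decode(enc),
                "user": _field(msg, 36).decode(enc)}
    raise ValueError("unknown or truncated NTLM message")

def _type3(domain, user, host):
    """Constructed sample: zeroed LM/NT responses, empty session key."""
    parts = [bytes(24), bytes(24)] + [s.encode("utf-16-le") for s in (domain, user, host)] + [b""]
    header, payload = b"", b""
    for p in parts:
        header += struct.pack("<HHI", len(p), len(p), 64 + len(payload))
        payload += p
    return SIGNATURE + struct.pack("<I", 3) + header + struct.pack("<I", UNICODE) + payload

def sample_handshake():
    """Three constructed header values in the order they cross the wire."""
    t1 = SIGNATURE + struct.pack("<II", 1, UNICODE) + bytes(16)
    t2 = SIGNATURE + struct.pack("<I", 2) + bytes(8) + struct.pack("<I", UNICODE) + bytes(range(8)) + bytes(16)
    msgs = (t1, t2, _type3("CORP", "alice", "WS01"))
    return ["NTLM " + base64.b64encode(m).decode() for m in msgs]

if __name__ == "__main__":
    for value in sample_handshake():
        print(parse_ntlm(value))
```

A server-side script should treat the parsed user name as unauthenticated input until the challenge response in the same message has been validated against the domain.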