  1. #1
    New Coder
    Join Date
    May 2010
    Posts
    79
    Thanks
    8
    Thanked 0 Times in 0 Posts

    HTTP Authentication Header Problems

    Hello,
    I'm working with PHP and trying to protect my web page with an authentication header.

    On my page I want protected I have the following code:
    PHP Code:
    <?php
    require_once('authorize.php');
    ?>
    This references my authorize.php file, which looks as follows:

    PHP Code:
    <?php
      // User name and password for authentication
      $username = 'user';
      $password = 'pass';

      if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) ||
        ($_SERVER['PHP_AUTH_USER'] != $username) || ($_SERVER['PHP_AUTH_PW'] != $password)) {
        // The user name/password are incorrect so send the authentication headers
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: Basic realm="Application"');
        exit('<h2>Application Error</h2>Sorry, you must enter a valid user name and password to access this page.');
      }
    ?>
    Even when I use the correct username/password ('user' and 'pass'), the page just pops another log in box at me. I've double-checked my code and can't find any errors. Why is this happening?

    Andrew

  • #2
    New Coder
    Join Date
    May 2010
    Posts
    79
    Thanks
    8
    Thanked 0 Times in 0 Posts
    Is there no way to fix this? I really need it to work for this application. I have double and triple-checked the code and can find NO reason for it to be doing this.

    Andrew

  • #3
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    print_r($_SERVER) and scroll through the list. Does it include the PHP_AUTH_USER and PHP_AUTH_PW?
    Also, make sure you move the header for the 401 before the WWW-Authenticate, and you may need to move that to a 1.0 instead of 1.1.

  • Users who have thanked Fou-Lu for this post:

    authorandrew (09-28-2011)

  • #4
    New Coder
    Join Date
    May 2010
    Posts
    79
    Thanks
    8
    Thanked 0 Times in 0 Posts
    The print $_SERVER does not include PHP_AUTH_PW or PHP_AUTH_USER - how can I fix that?

    Thank you so much!
    Andrew

  • #5
    New Coder
    Join Date
    May 2010
    Posts
    79
    Thanks
    8
    Thanked 0 Times in 0 Posts
    I think I've isolated the fact that the problem is somewhere in my web server's config files. I've looked about a bit on how to modify php.ini but as I'm not the only one on this server I definitely want to know what I'm doing before going ahead.

    Andrew

  • #6
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    This hasn't a thing to do with PHP. The only thing it does is ask for the auth to be provided to it in the form of PHP_AUTH_USER, PHP_AUTH_PW, and potentially a digest.
    Basic authentication is otherwise handled completely by Apache. That is why you are pushing the headers in PHP, not performing any work for it.

  • #7
    New Coder
    Join Date
    May 2010
    Posts
    79
    Thanks
    8
    Thanked 0 Times in 0 Posts
    So the problem is with the way Apache is configured on my server?

    Andrew

  • #8
    New Coder
    Join Date
    May 2010
    Posts
    79
    Thanks
    8
    Thanked 0 Times in 0 Posts
    How can I go about fixing that?

    Andrew

  • #9
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    That would be modified in the httpd.conf, but now that I think of it that should only apply if you're using an htpasswd file which defeats the purpose of using PHP at all.

    Wait, are you on an IIS or Apache server? Run this and post the results. Use whatever you want for the username and password, preferably something that doesn't authenticate:
    PHP Code:
    <?php
    session_start();
    // Challenge once per session, then dump what the server passed to PHP
    if (!isset($_SESSION['hastried']))
    {
        $_SESSION['hastried'] = true;
        header('HTTP/1.0 401 Unauthorized');
        header('WWW-Authenticate: Basic realm="Log In"');
        die('Log in required.');
    }

    printf('<pre>%s</pre>', print_r($_SERVER, true));
    ?>
    That looks like it should work. Try that.

  • #10
    Senior Coder djm0219's Avatar
    Join Date
    Aug 2003
    Location
    Wake Forest, North Carolina
    Posts
    1,294
    Thanks
    4
    Thanked 203 Times in 200 Posts
    If Apache is configured to use PHP as CGI/FastCGI the authentication variables will not be available. If you are on a shared server there is probably little to no chance that your provider will change that for you.

    Only the native Apache handler for PHP is able to supply those variables for you.
    Dave .... HostMonster for all of your hosting needs

  • #11
    New Coder
    Join Date
    May 2010
    Posts
    79
    Thanks
    8
    Thanked 0 Times in 0 Posts
    I am on Apache, Fou-Lu.

    Here are the results that were printed when I entered an incorrect user/password:
    Code:
    Array
    (
        [PATH] => /bin:/usr/bin:/sbin:/usr/sbin
        [RAILS_ENV] => production
        [FCGI_ROLE] => RESPONDER
        [UNIQUE_ID] => ToSbzq3snBoAAG-YjxcAAAAO
        [SCRIPT_URL] => /school/PHP/viewprofile.php
        [SCRIPT_URI] => http://labs.mosaic-web.com/school/PHP/viewprofile.php
        [dsid] => 18864019
        [ds_id_18864019] => 
        [DH_USER] => authorandrew
        [HTTP_HOST] => labs.mosaic-web.com
        [HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 Firefox/7.0
        [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        [HTTP_ACCEPT_LANGUAGE] => en-us,en;q=0.5
        [HTTP_ACCEPT_ENCODING] => gzip, deflate
        [HTTP_ACCEPT_CHARSET] => ISO-8859-1,utf-8;q=0.7,*;q=0.7
        [HTTP_DNT] => 1
        [HTTP_CONNECTION] => close
        [HTTP_REFERER] => http://labs.mosaic-web.com/school/PHP/
        [HTTP_COOKIE] => __utma=30777507.1973461634.1317081408.1317230661.1317310823.4; __utmz=30777507.1317081408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=94229248.1549258222.1317308350.1317308350.1317308350.1; __utmb=94229248.48.10.1317308350; __utmc=94229248; __utmz=94229248.1317308350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmc=30777507; PHPSESSID=cp7sab2l4ut8rtt7rur884hv06
        [SERVER_SIGNATURE] => 
        [SERVER_SOFTWARE] => Apache
        [SERVER_NAME] => labs.mosaic-web.com
        [SERVER_ADDR] => 173.236.175.47
        [SERVER_PORT] => 80
        [REMOTE_ADDR] => 69.40.3.35
        [DOCUMENT_ROOT] => /home/authorandrew/labs.mosaic-web.com
        [SERVER_ADMIN] => webmaster@labs.mosaic-web.com
        [SCRIPT_FILENAME] => /home/authorandrew/labs.mosaic-web.com/school/PHP/viewprofile.php
        [REMOTE_PORT] => 60634
        [GATEWAY_INTERFACE] => CGI/1.1
        [SERVER_PROTOCOL] => HTTP/1.1
        [REQUEST_METHOD] => GET
        [QUERY_STRING] => 
        [REQUEST_URI] => /school/PHP/viewprofile.php
        [SCRIPT_NAME] => /school/PHP/viewprofile.php
        [PHP_SELF] => /school/PHP/viewprofile.php
        [REQUEST_TIME] => 1317313486
        [argv] => Array
            (
            )
    
        [argc] => 0
    )
    @djm: I didn't understand your sentence, sorry. I am not on a shared server so much as I'm borrowing server space from a friend, thus I could possibly change things if I talked to him.

    Thank you both for your help!
    Andrew

  • #12
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    You can still make a CGI work, it just takes more hoops to jump through.
    Modify an applied .htaccess file, or create a new one in your directory root and add this:
    Code:
    <IfModule mod_rewrite.c>
      RewriteEngine on
      RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
    </IfModule>
    Next, modify your code and pull from the newly defined environment:
    PHP Code:
    <?php
    session_start();
    if (isset($_SERVER['HTTP_AUTHORIZATION']))
    {
        // Strip the leading "Basic " (6 characters), decode, and split on the
        // first colon only so a password containing ':' is not truncated
        list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)), 2);
    }

    if (!isset($_SESSION['hastried']))
    {
        $_SESSION['hastried'] = true;
        header('HTTP/1.0 401 Unauthorized');
        header('WWW-Authenticate: Basic realm="Log In"');
        die('Log in required.');
    }

    printf('<pre>%s</pre>', print_r($_SERVER, true));
    Try again. Does the entered username and password now show up in PHP_AUTH_USER and PHP_AUTH_PW?

  • Users who have thanked Fou-Lu for this post:

    authorandrew (09-29-2011)

  • #13
    New Coder
    Join Date
    May 2010
    Posts
    79
    Thanks
    8
    Thanked 0 Times in 0 Posts
    The usernames and password now show up in that printed list. Can I simply remove that print call and now use things as normal?

    Andrew

  • #14
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    Quote Originally Posted by authorandrew View Post
    The usernames and password now show up in that printed list. Can I simply remove that print call and now use things as normal?

    Andrew
    Yes. You just need to add this:
    PHP Code:
    if (isset($_SERVER['HTTP_AUTHORIZATION']))
    {
        // Split on the first colon only so a password containing ':' survives
        list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)), 2);
    }

    Before the 'if' branch in your initial code. That will extract the variables as you need.
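
A hardened take on the authorize.php from the first post, combined with the CGI/FastCGI workaround from this thread. This is an added example, not code from any of the posters. The function and constant names are hypothetical, the REDIRECT_HTTP_AUTHORIZATION fallback is an assumption about how Apache may rename the variable after an internal redirect, and 'user' / 'pass' are the sample credentials from post #1.

```php
<?php
// Added example, not from the thread. Sample credentials from the first post.
const AUTH_REALM = 'Application';
const AUTH_USER  = 'user';
const AUTH_PASS  = 'pass';

/** Return [user, password] from the request, or null if absent or malformed. */
function basicCredentials(array $server): ?array
{
    // The native Apache handler (mod_php) fills these in itself.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    // CGI/FastCGI: read the header copied by the RewriteRule in .htaccess.
    // Assumption: after an internal redirect the name may gain a REDIRECT_ prefix.
    $header = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    // The scheme name is case-insensitive; reject anything that is not Basic.
    if (!preg_match('/^Basic\s+(\S+)$/i', trim($header), $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true); // strict mode: false on invalid base64
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the first colon only: the password may itself contain ':'.
    return explode(':', $decoded, 2);
}

function isAuthorized(?array $creds): bool
{
    if ($creds === null) {
        return false;
    }
    // hash_equals() compares in constant time; evaluate both before combining
    // so a wrong user name does not skip the password comparison.
    $userOk = hash_equals(AUTH_USER, $creds[0]);
    $passOk = hash_equals(AUTH_PASS, $creds[1]);
    return $userOk && $passOk;
}

if (!isAuthorized(basicCredentials($_SERVER))) {
    // Status line first, then the challenge, as suggested in post #3.
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="' . AUTH_REALM . '"');
    exit('<h2>Application Error</h2>Sorry, you must enter a valid user name and password to access this page.');
}
```

Basic credentials are only base64-encoded on the wire, so this check protects the page only when it is served over HTTPS.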

  • #15
    New Coder
    Join Date
    May 2010
    Posts
    79
    Thanks
    8
    Thanked 0 Times in 0 Posts
    OK; thank you so much!

    Andrew

