HTTP Authentication Header Problems

[authorandrew]

Hello,
I'm working with PHP and trying to protect my web page with an authentication header.

On my page I want protected I have the following code:

PHP Code:

<?php
    require_once('authorize.php');
?>

This references my authorize.php file, which looks as follows:

PHP Code:

<?php
  // User name and password for authentication
  $username = 'user';
  $password = 'pass';

  if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) ||
    ($_SERVER['PHP_AUTH_USER'] != $username) || ($_SERVER['PHP_AUTH_PW'] != $password)) {
    // The user name/password are incorrect so send the authentication headers
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="Application"');
    exit('<h2>Application Error</h2>Sorry, you must enter a valid user name and password to access this page.');
  }
?>

Even when I use the correct username/password ('user' and 'pass'), the page just pops another log in box at me. I've double-checked my code and can't find any errors. Why is this happening?

Andrew

[authorandrew]

Is there no way to fix this? I really need it to work for this application. I have double and triple-checked the code and can find NO reason for it to be doing this.

Andrew

[Fou-Lu]

print_r($_SERVER) and scroll through the list. Does it include the PHP_AUTH_USER and PHP_AUTH_PW?
Also, make sure you move the header for the 401 before the WWW-Authenticate, and you may need to move that to a 1.0 instead of 1.1.

[authorandrew]

The print $_SERVER does not include PHP_AUTH_PW or PHP_AUTH_USER - how can I fix that?

Thank you so much!
Andrew

[authorandrew]

I think I've isolated the fact that the problem is somewhere in my web server's config files. I've looked about a bit on how to modify php.ini but as I'm not the only one on this server I definitely want to know what I'm doing before going ahead.

Andrew

[Fou-Lu]

This hasn't a thing to do with PHP. The only thing it does is ask for the auth to be provided to it in the form of PHP_AUTH_USER, PHP_AUTH_PW, and potentially a digest.
Basic authentication is otherwise handled completely by Apache. That is why you are pushing the headers in PHP, not performing any work for it.

[authorandrew]

So the problem is with the way Apache is configured on my server?

Andrew

[authorandrew]

How can I go about fixing that? Andrew

[Fou-Lu]

That would be modified in the httpd.conf, but now that I think of it that should only apply if you're using an htpasswd file which defeats the purpose of using PHP at all.

wait, are you on an IIS or Apache server? Run this and post the results, use whatever you want for the username and password, preferably something that doesn't authenticate:

PHP Code:

<?php
session_start();
if (!isset($_SESSION['hastried']))
{
    $_SESSION['hastried'] = true;
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="Log In"');
    die('Log in required.');
}

printf('<pre>%s</pre>', print_r($_SERVER, true));
?>

That looks like it should work. Try that.

[djm0219]

If Apache is configured to use PHP as CGI/FastCGI the authentication variables will not be available. If you are on a shared server there is probably little to no chance that your provider will change that for you.

Only the native Apache handler for PHP is able to supply those variables for you.

[authorandrew]

I am on Apache, Fou-Lu.

Here are the results that were printed when I entered an incorrect user/password:

Code:

Array
(
    [PATH] => /bin:/usr/bin:/sbin:/usr/sbin
    [RAILS_ENV] => production
    [FCGI_ROLE] => RESPONDER
    [UNIQUE_ID] => ToSbzq3snBoAAG-YjxcAAAAO
    [SCRIPT_URL] => /school/PHP/viewprofile.php
    [SCRIPT_URI] => http://labs.mosaic-web.com/school/PHP/viewprofile.php
    [dsid] => 18864019
    [ds_id_18864019] => 
    [DH_USER] => authorandrew
    [HTTP_HOST] => labs.mosaic-web.com
    [HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 Firefox/7.0
    [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    [HTTP_ACCEPT_LANGUAGE] => en-us,en;q=0.5
    [HTTP_ACCEPT_ENCODING] => gzip, deflate
    [HTTP_ACCEPT_CHARSET] => ISO-8859-1,utf-8;q=0.7,*;q=0.7
    [HTTP_DNT] => 1
    [HTTP_CONNECTION] => close
    [HTTP_REFERER] => http://labs.mosaic-web.com/school/PHP/
    [HTTP_COOKIE] => __utma=30777507.1973461634.1317081408.1317230661.1317310823.4; __utmz=30777507.1317081408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=94229248.1549258222.1317308350.1317308350.1317308350.1; __utmb=94229248.48.10.1317308350; __utmc=94229248; __utmz=94229248.1317308350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmc=30777507; PHPSESSID=cp7sab2l4ut8rtt7rur884hv06
    [SERVER_SIGNATURE] => 
    [SERVER_SOFTWARE] => Apache
    [SERVER_NAME] => labs.mosaic-web.com
    [SERVER_ADDR] => 173.236.175.47
    [SERVER_PORT] => 80
    [REMOTE_ADDR] => 69.40.3.35
    [DOCUMENT_ROOT] => /home/authorandrew/labs.mosaic-web.com
    [SERVER_ADMIN] => webmaster@labs.mosaic-web.com
    [SCRIPT_FILENAME] => /home/authorandrew/labs.mosaic-web.com/school/PHP/viewprofile.php
    [REMOTE_PORT] => 60634
    [GATEWAY_INTERFACE] => CGI/1.1
    [SERVER_PROTOCOL] => HTTP/1.1
    [REQUEST_METHOD] => GET
    [QUERY_STRING] => 
    [REQUEST_URI] => /school/PHP/viewprofile.php
    [SCRIPT_NAME] => /school/PHP/viewprofile.php
    [PHP_SELF] => /school/PHP/viewprofile.php
    [REQUEST_TIME] => 1317313486
    [argv] => Array
        (
        )

    [argc] => 0
)

@djm: I didn't understand your sentence, sorry. I am not on a shared server so much as I'm borrowing server space from a friend, thus I could possibly change things if I talked to him.

Thank you both for your help!
Andrew

[Fou-Lu]

You can still make a CGI work, it just takes more hoops to jump through.
Modify an applied .htaccess file, or create a new one in your directory root and add this:

Code:

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
</IfModule>

Next, modify your code and pull from the newly defined environment:

PHP Code:

<?php
session_start();
if (isset($_SERVER['HTTP_AUTHORIZATION']))
{
    list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
}

if (!isset($_SESSION['hastried']))
{
    $_SESSION['hastried'] = true;
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="Log In"');
    die('Log in required.');
}

printf('<pre>%s</pre>', print_r($_SERVER, true));

Try again. Does the entered username and password now show up in PHP_AUTH_USER and PHP_AUTH_PW?

[authorandrew]

The usernames and password now show up in that printed list. Can I simply remove that print call and now use things as normal?

Andrew

[Fou-Lu]

Quote:

Originally Posted by authorandrew

The usernames and password now show up in that printed list. Can I simply remove that print call and now use things as normal?

Andrew

Yes. You just need to add this:

PHP Code:

if (isset($_SERVER['HTTP_AUTHORIZATION']))
{
    list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
} 


Before the 'if' branch in your initial code. That will extract the variables as you need.

[authorandrew]

OK; thank you so much!

Andrew