diff --git a/features/http-auth.xml b/features/http-auth.xml
index ca08581023..d05a37bc52 100644
--- a/features/http-auth.xml
+++ b/features/http-auth.xml
@@ -8,7 +8,7 @@
Header function to send an "Authentication Required"
message to the client browser causing it to pop up a Username/Password
input window. Once the user has filled in a username and a password,
- the URL containing the PHP script will be called again with the variables,
+ the URL containing the PHP script will be called again with the variables,
$PHP_AUTH_USER, $PHP_AUTH_PW and $PHP_AUTH_TYPE set to the user
name, password and authentication type respectively. Only "Basic"
authentication is supported at this point. See the Header
@@ -35,6 +35,16 @@
+
+ Note
+
+ Please be careful when coding the HTTP header lines. In order to guarantee maximum
+ compatibility with all clients, the keyword "Basic" should be written with an
+ uppercase "B", the realm string must be enclosed in double (not single) quotes,
+ and exactly one space should precede the "401" code in the "HTTP/1.0 401" header line.
+
+
+
Instead of simply printing out the $PHP_AUTH_USER and
$PHP_AUTH_PW, you would probably want to check the username and
@@ -42,7 +52,7 @@
or by looking up the user in a dbm file.
- Watch out for buggy Internet Explorer browsers out there. They
+z Watch out for buggy Internet Explorer browsers out there. They
seem very picky about the order of the headers. Sending the
WWW-Authenticate header before the
HTTP/1.0 401 header seems to do the trick
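Review bot: The replacement line at the top of this hunk carries a stray `z` in front of `Watch out for buggy Internet Explorer browsers`, so the rendered paragraph will begin with `z Watch out …`; the line should read ` Watch out for buggy Internet Explorer browsers out there. They`. Everything else in the hunk is unchanged context, so only that one character needs correcting.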
@@ -56,6 +66,17 @@
page. In this case, the $REMOTE_USER variable can be used to
identify the externally-authenticated user.
+
+ Configuration Note
+
+ PHP uses the presence of an AuthType directive
+ to determine whether external authentication is in effect.
+ Remember to avoid this directive for the context where you want to
+ use PHP authentication (otherwise each authentication attempt
+ will fail).
+
+
+
Note, however, that the above does not prevent someone who
controls a non-authenticated URL from stealing passwords from
@@ -71,26 +92,25 @@
HTTP Authentication example forcing a new name/password
<?php
- function authenticate() {
- Header( "WWW-authenticate: basic realm=\"Test Authentication System\"");
- Header( "HTTP/1.0 401 Unauthorized");
- echo "You must enter a valid login ID and password to access this resource\n";
- exit;
+ function authenticate() {
+ Header( "WWW-Authenticate: Basic realm=\"Test Authentication System\"");
+ Header( "HTTP/1.0 401 Unauthorized");
+ echo "You must enter a valid login ID and password to access this resource\n";
+ exit;
+ }
+
+ if(!isset($PHP_AUTH_USER) || ($SeenBefore == 1 && !strcmp($OldAuth, $PHP_AUTH_USER)) ) {
+ authenticate();
+ }
+ else {
+ echo "Welcome: $PHP_AUTH_USER<BR>";
+ echo "Old: $OldAuth";
+ echo "<FORM ACTION=\"$PHP_SELF\" METHOD=POST>\n";
+ echo "<INPUT TYPE=HIDDEN NAME=\"SeenBefore\" VALUE=\"1\">\n";
+ echo "<INPUT TYPE=HIDDEN NAME=\"OldAuth\" VALUE=\"$PHP_AUTH_USER\">\n";
+ echo "<INPUT TYPE=Submit VALUE=\"Re Authenticate\">\n";
+ echo "</FORM>\n";
}
-
- if(!isset($PHP_AUTH_USER) || ($SeenBefore == 1 && !strcmp($OldAuth, $PHP_AUTH_USER)) ) {
- authenticate();
- }
- else {
- echo "Welcome: $PHP_AUTH_USER<BR>";
- echo "Old: $OldAuth";
- echo "<FORM ACTION=\"$PHP_SELF\" METHOD=POST>\n";
- echo "<INPUT TYPE=HIDDEN NAME=\"SeenBefore\" VALUE=\"1\">\n";
- echo "<INPUT TYPE=HIDDEN NAME=\"OldAuth\" VALUE=\"$PHP_AUTH_USER\">\n";
- echo "<INPUT TYPE=Submit VALUE=\"Re Authenticate\">\n";
- echo "</FORM>\n";
-
-}
?>
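Review bot: The rewritten example still echoes `$PHP_AUTH_USER` and `$OldAuth` straight into the HTML body and into a form attribute, and `$OldAuth` comes back from a hidden POST field the client controls, so any markup in those values is reflected unescaped. Because readers copy this example, the three output lines should escape on output: `echo "Welcome: " . htmlspecialchars($PHP_AUTH_USER) . "<BR>";`, `echo "Old: " . htmlspecialchars($OldAuth);` and `echo "<INPUT TYPE=HIDDEN NAME=\"OldAuth\" VALUE=\"" . htmlspecialchars($PHP_AUTH_USER) . "\">\n";`. The condition `$SeenBefore == 1 && !strcmp($OldAuth, $PHP_AUTH_USER)` also deserves a comment such as `// re-prompt when the form re-submits the same user name`, since the negated strcmp reads as "not equal" at first glance. Finally, the closing brace at the end of the hunk sits at column 0 while the `else {` it closes is indented; aligning it with the branch would make the example easier to follow.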
@@ -107,6 +127,7 @@
Also note that this does not work using Microsoft's IIS server and
the CGI version of PHP due to a limitation of IIS.
+