From 0bde60cbacd036c6babfda8ac327e02f482ab3d8 Mon Sep 17 00:00:00 2001 From: Martin Kraemer Date: Fri, 1 Jun 2001 12:51:38 +0000 Subject: [PATCH] Various fixes: * (en/de only): add two notes about correct spelling of HTTP headers, and about the AuthType directive (which must not be set for PHP auth). * (all): fix spelling (realm="double quoted string, not single"), use "Basic" with uppercase B, and remove the duplicate spaces which made the example unusable (and were copied to most translations). git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@49031 c90b9560-bf6c-de11-be94-00142212c4b1 --- features/http-auth.xml | 63 ++++++++++++++++++++++++++++-------------- 1 file changed, 42 insertions(+), 21 deletions(-) diff --git a/features/http-auth.xml b/features/http-auth.xml index ca08581023..d05a37bc52 100644 --- a/features/http-auth.xml +++ b/features/http-auth.xml @@ -8,7 +8,7 @@ Header function to send an "Authentication Required" message to the client browser causing it to pop up a Username/Password input window. Once the user has filled in a username and a password, - the URL containing the PHP script will be called again with the variables, + the URL containing the PHP script will be called again with the variables, $PHP_AUTH_USER, $PHP_AUTH_PW and $PHP_AUTH_TYPE set to the user name, password and authentication type respectively. Only "Basic" authentication is supported at this point. See the Header @@ -35,6 +35,16 @@ + + Note + + Please be careful when coding the HTTP header lines. In order to guarantee maximum + compatibility with all clients, the keyword "Basic" should be written with an + uppercase "B", the realm string must be enclosed in double (not single) quotes, + and exactly one space should precede the "401" code in the "HTTP/1.0 401" header line. + + + Instead of simply printing out the $PHP_AUTH_USER and $PHP_AUTH_PW, you would probably want to check the username and 
@@ -42,7 +52,7 @@ or by looking up the user in a dbm file. - Watch out for buggy Internet Explorer browsers out there. They +z Watch out for buggy Internet Explorer browsers out there. They seem very picky about the order of the headers. Sending the WWW-Authenticate header before the HTTP/1.0 401 header seems to do the trick @@ -56,6 +66,17 @@ page. In this case, the $REMOTE_USER variable can be used to identify the externally-authenticated user. + + Configuration Note + + PHP uses the presence of an AuthType directive + to determine whether external authentication is in effect. + Remember to avoid this directive for the context where you want to + use PHP authentication (otherwise each authentication attempt + will fail). + + + Note, however, that the above does not prevent someone who controls a non-authenticated URL from stealing passwords from 
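Review bot: The re-added line `+z Watch out for buggy Internet Explorer browsers out there. They` begins with a stray `z` that the removed line did not have. It looks like an editing slip and would appear in the rendered manual, so the `z` should be dropped. In the new Configuration Note, "each authentication attempt will fail" would be easier to act on if it named the symptom a reader will see; presumably the PHP_AUTH variables stay unset while an AuthType directive is in effect, so the script keeps answering 401, but that should be confirmed against the implementation before it is worded that way. The paragraphs around both changes continue outside the hunk.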
@@ -71,26 +92,25 @@ HTTP Authentication example forcing a new name/password <?php - function authenticate() { - Header( "WWW-authenticate: basic realm=\"Test Authentication System\""); - Header( "HTTP/1.0 401 Unauthorized"); - echo "You must enter a valid login ID and password to access this resource\n"; - exit; + function authenticate() { + Header( "WWW-Authenticate: Basic realm=\"Test Authentication System\""); + Header( "HTTP/1.0 401 Unauthorized"); + echo "You must enter a valid login ID and password to access this resource\n"; + exit; + } + + if(!isset($PHP_AUTH_USER) || ($SeenBefore == 1 && !strcmp($OldAuth, $PHP_AUTH_USER)) ) { + authenticate(); + } + else { + echo "Welcome: $PHP_AUTH_USER<BR>"; + echo "Old: $OldAuth"; + echo "<FORM ACTION=\"$PHP_SELF\" METHOD=POST>\n"; + echo "<INPUT TYPE=HIDDEN NAME=\"SeenBefore\" VALUE=\"1\">\n"; + echo "<INPUT TYPE=HIDDEN NAME=\"OldAuth\" VALUE=\"$PHP_AUTH_USER\">\n"; + echo "<INPUT TYPE=Submit VALUE=\"Re Authenticate\">\n"; + echo "</FORM>\n"; } - - if(!isset($PHP_AUTH_USER) || ($SeenBefore == 1 && !strcmp($OldAuth, $PHP_AUTH_USER)) ) { - authenticate(); - } - else { - echo "Welcome: $PHP_AUTH_USER<BR>"; - echo "Old: $OldAuth"; - echo "<FORM ACTION=\"$PHP_SELF\" METHOD=POST>\n"; - echo "<INPUT TYPE=HIDDEN NAME=\"SeenBefore\" VALUE=\"1\">\n"; - echo "<INPUT TYPE=HIDDEN NAME=\"OldAuth\" VALUE=\"$PHP_AUTH_USER\">\n"; - echo "<INPUT TYPE=Submit VALUE=\"Re Authenticate\">\n"; - echo "</FORM>\n"; - -} ?> @@ -107,6 +127,7 @@ Also note that this does not work using Microsoft's IIS server and the CGI version of PHP due to a limitation of IIS. +
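Review bot: The example still writes `$PHP_AUTH_USER`, `$OldAuth` and `$PHP_SELF` straight into the HTML it echoes. All three come from the request (the Authorization header, a hidden form field the client can alter, and the request path), so a copied example reflects client-supplied markup back into the page. Since this commit already rewrites every line of the block, escape at the point of output, e.g. `echo "Welcome: " . htmlspecialchars($PHP_AUTH_USER) . "<BR>";` and `echo "Old: " . htmlspecialchars($OldAuth);`, and do the same for the hidden `OldAuth` value and the form `ACTION`. A one-line comment above the `if`, such as `// SeenBefore/OldAuth are client-supplied hints used only to force a new prompt, not proof of identity`, would also keep readers from treating those fields as trusted.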