Authentication - PHP_AUTH_USER / PW don't get set

mary-ann
Forum Newbie
Posts: 3
Joined: Thu Aug 07, 2003 10:07 am

Authentication - PHP_AUTH_USER / PW don't get set

Post by mary-ann »

Hi,
I'm using the following code to try to get user authentication working. However, when I try to load the page, I just get the user name/password box popping up over and over again, regardless of the user name and password I've put in.
I've narrowed it down to the fact that $PHP_AUTH_USER and $PHP_AUTH_PW don't get set. "register_globals" is "On", according to my hosting company's website (I tried using $_SERVER['PHP_AUTH_USER'] etc. instead anyway, but it made no difference).
Can anyone help me out here?

Thanks,
M-A

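<?php
// Realm shown in the browser's login prompt; used for both 401 responses.
$realm = "my realm";
if ((!isset($PHP_AUTH_USER)) or (!isset($PHP_AUTH_PW)))
{
	// No credentials sent yet: ask the browser to prompt for them.
	header("WWW-Authenticate: Basic realm=\"".$realm."\"");
	header("HTTP/1.0 401 Unauthorized");
	echo "Please log in to access this area of the site.\n";
	exit;
}
else
{
	// Escape the user-supplied name before it goes into the query
	// (requires an open MySQL connection).
	$query="SELECT STR_Pass FROM tbl_Authenticate WHERE STR_UID='".mysql_real_escape_string($PHP_AUTH_USER)."'";
	$result = mysql_query($query) or die("Query failed.");
	$authenticated=0;
	while ($row=mysql_fetch_array($result,MYSQL_ASSOC))
	{
		##loop through all possible users with that UID.
		// The stored hash doubles as the salt for crypt().
		if (crypt($PHP_AUTH_PW ,$row["STR_Pass"]) == $row["STR_Pass"])
		{
			$authenticated=1;
		}
	}
	if ($authenticated==0)
	{
		// Wrong credentials: send the challenge again.
		header("WWW-Authenticate: Basic realm=\"".$realm."\"");
		header("HTTP/1.0 401 Unauthorized");
		echo "Wrong user / password\n";
		exit;
	}
}

?>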
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

are you sure they didn't say that to have you go away? i'd be surprised if professional hosting companies keep it on since it was discovered to be a security hole.

find out what version of php it is. that will help. there are significant security changes in the default setup between pre and post 4.1.0
mary-ann
Forum Newbie
Posts: 3
Joined: Thu Aug 07, 2003 10:07 am

Post by mary-ann »

Their version of PHP is "4.3.2 (CGI version)".

Even if "register_globals" isn't on, wouldn't using $_SERVER['PHP_AUTH_USER'] instead have fixed the problem?
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

it should have. and 4.3.2 is late enough to default to off, so expect they were just trying to get you to shut up.

i'd think they won't help you here.

i wish i could help you, but i'm relatively new to php myself
mary-ann
Forum Newbie
Posts: 3
Joined: Thu Aug 07, 2003 10:07 am

Post by mary-ann »

Ah-hah - I've just found out that PHP_AUTH_* won't work with the CGI version of PHP, which is what's apparently installed. As I understand this page, that means that it won't even work with $_SERVER['PHP_AUTH_USER'].

So it looks like I'll have to abandon my attempt to use PHP for authentication, and stick to password-protected directories instead.

Strange, though, as the sample code I tried to use came from someone who's with the same web hosting company... oh, well.
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

probably has a dedicated server with it specified not to be a cgi but rather stand on its own
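
The CGI limitation found in this thread, as an added example that is not code from any poster: a helper that reads HTTP Basic credentials from PHP_AUTH_* when PHP has set them and otherwise parses a forwarded Authorization header. It is written for current PHP (7.1 or later), the name basic_credentials() is hypothetical, and it assumes the web server has been configured to copy the header into the environment, which the thread does not confirm for this host.

```php
<?php
// Added example: recover HTTP Basic credentials when PHP runs as CGI and
// PHP_AUTH_USER / PHP_AUTH_PW are not populated.
// Assumption: the server copies the Authorization header into the
// environment, e.g. with mod_rewrite in .htaccess:
//   RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

/**
 * Returns [user, password], or null when no usable Basic credentials exist.
 * basic_credentials() is a hypothetical helper name.
 */
function basic_credentials(array $server): ?array
{
    // Module SAPI case: PHP has already parsed the header.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    // CGI case: look for the forwarded raw header (the REDIRECT_ prefix
    // appears after an internal redirect).
    $raw = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/]+={0,2})\s*$/i', $raw, $m)) {
        return null; // header absent, or a scheme other than Basic
    }
    $decoded = base64_decode($m[1], true); // strict: reject invalid base64
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null; // malformed: no user:password separator
    }
    // Split on the first colon only; the password may itself contain colons.
    return explode(':', $decoded, 2);
}

// Constructed sample inputs (not taken from a real request).
$samples = [
    'cgi, forwarded' => ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('mary:pa:ss')],
    'module sapi'    => ['PHP_AUTH_USER' => 'mary', 'PHP_AUTH_PW' => 'secret'],
    'cgi, stripped'  => [],
    'other scheme'   => ['HTTP_AUTHORIZATION' => 'Bearer abc'],
    'no separator'   => ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('maryonly')],
];
foreach ($samples as $label => $server) {
    $creds = basic_credentials($server);
    // Print only the user name; never log the password.
    echo str_pad($label, 16), $creds === null ? 'no credentials' : 'user=' . $creds[0], "\n";
}
```

When the function returns null the script should answer with the 401 challenge, exactly as the original code does when the variables are unset.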