
Authentication - PHP_AUTH_USER / PW don't get set

Posted: Thu Aug 07, 2003 10:07 am
by mary-ann
Hi,
I'm using the following code to try to get user authentication working. However, when I try to load the page, I just get the user name/password box popping up over and over again, regardless of the user name and password I've put in.
I've narrowed it down to the fact that $PHP_AUTH_USER and $PHP_AUTH_PW don't get set. "register_globals" is "On", according to my hosting company's website (I tried using $_SERVER['PHP_AUTH_USER'] etc. instead anyway, but it made no difference).
Can anyone help me out here?

Thanks,
M-A

Code:

<?php
// Realm shown in the browser's login prompt; used for both 401 responses.
$realm = "my realm";

// Relies on register_globals; assumes a MySQL connection is already open.
if ((!isset($PHP_AUTH_USER)) or (!isset($PHP_AUTH_PW)))
{
	header("WWW-Authenticate: Basic realm=\"".$realm."\"");
	header("HTTP/1.0 401 Unauthorized");
	echo "Please log in to access this area of the site.\n";
	exit;
}
else
{
	// Escape the user-supplied name before it goes into the query.
	$query="SELECT STR_Pass FROM tbl_Authenticate WHERE STR_UID='".mysql_real_escape_string($PHP_AUTH_USER)."'";
	$result = mysql_query($query) or die("Query failed.");
	$authenticated=0;
	while ($row=mysql_fetch_array($result,MYSQL_ASSOC))
	{
		##loop through all possible users with that UID.
		// The stored hash doubles as the salt for crypt().
		if (crypt($PHP_AUTH_PW ,$row["STR_Pass"]) == $row["STR_Pass"])
		{
			$authenticated=1;
		}
	}
	if ($authenticated==0)
	{
		header("WWW-Authenticate: Basic realm=\"".$realm."\"");
		header("HTTP/1.0 401 Unauthorized");
		echo "Wrong user / password\n";
		exit;
	}
}

?>

Posted: Thu Aug 07, 2003 10:21 am
by m3rajk
are you sure they didn't say that to have you go away? i'd be surprised if professional hosting companies keep it on since it was discovered to be a security hole.

find out what version of php it is. that will help. there's significant security changes in the default set up between pre and post 4.1.0

Posted: Thu Aug 07, 2003 10:26 am
by mary-ann
Their version of PHP is "4.3.2 (CGI version)".

Even if "register_globals" isn't on, wouldn't using $_SERVER['PHP_AUTH_USER'] instead have fixed the problem?

Posted: Thu Aug 07, 2003 10:31 am
by m3rajk
it should have. and 4.3.2 is late enough to default to off, so expect they were just trying to get you to shut up.

i'd think they won't help you here.

i wish i could help you, but i'm relatively new to php myself

Posted: Thu Aug 07, 2003 11:08 am
by mary-ann
Ah-hah - I've just found out that PHP_AUTH_* won't work with the CGI version of PHP, which is what's apparently installed. As I understand this page, that means that it won't even work with $_SERVER['PHP_AUTH_USER'].

So it looks like I'll have to abandon my attempt to use PHP for authentication, and stick to password-protected directories instead.

Strange, though, as the sample code I tried to use came from someone who's with the same web hosting company... oh, well.
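
For the CGI case described in the post above: Apache does not pass the Authorization header to CGI programs by default, which is why PHP_AUTH_* stay unset there. The sketch below is an added example, not code from the thread; it assumes Apache with mod_rewrite and a host that allows the .htaccess rule shown in the comment, is written for current PHP, and uses a hypothetical function name (basic_credentials) with constructed sample data.

```php
<?php
// Added example (not from the thread). Assumes Apache with mod_rewrite and this
// rule in .htaccess, which copies the request's Authorization header into the
// CGI environment:
//   RewriteEngine On
//   RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

// Returns array(user, password), or null if no usable Basic credentials exist.
function basic_credentials(array $server)
{
    // Module builds of PHP fill these in themselves.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return array($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']);
    }
    // CGI builds: look for the header copied in by the rewrite rule. Apache
    // prefixes the variable with REDIRECT_ after an internal redirect.
    $header = null;
    foreach (array('HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION') as $key) {
        if (!empty($server[$key])) {
            $header = $server[$key];
            break;
        }
    }
    if ($header === null || !preg_match('/^Basic\s+(\S+)$/i', trim($header), $m)) {
        return null; // header absent, or a scheme other than Basic
    }
    $decoded = base64_decode($m[1], true); // strict: reject non-base64 input
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the first colon only: the password may itself contain colons.
    return explode(':', $decoded, 2);
}

// Constructed sample environments, one per case the function handles.
$samples = array(
    'module'    => array('PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 's3cret'),
    'cgi'       => array('HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:pa:ss')),
    'no header' => array(),
    'malformed' => array('HTTP_AUTHORIZATION' => 'Basic !!!not-base64!!!'),
);
foreach ($samples as $label => $server) {
    $creds = basic_credentials($server);
    echo $label, ': ', $creds === null ? 'send 401' : "user={$creds[0]}", "\n";
}
```

When the function returns null, the script should answer with the same WWW-Authenticate and 401 headers as the original code so the browser prompts again.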

Posted: Thu Aug 07, 2003 11:10 am
by m3rajk
probably has a dedicated server with it specified not to be a cgi but rather stand on its own