
HTTP Authentication

Posted: Thu Nov 18, 2004 7:32 pm
by irishmike2004
Greetings:

I am new to PHP programming and running PHP 5.0.2 on a Mac on top of Apache 1.3, and have been trying to implement the standard HTTP authentication code to use in a member-only section in a very simple configuration; in other words, the complete authentication will happen on the PHP page.

I have seen much code, but it doesn't seem to work in Firefox 1.0, which is my browser of choice. The target audience for the site is Mac users, and I wanted to see if I could get some help fixing this or a better method for a workaround. The code I had available was:

Code:

<?php
if ((!isset($PHP_AUTH_USER)) || 
    (!isset($PHP_AUTH_PW)) || 
    ($PHP_AUTH_USER != "guest") || 
    ($PHP_AUTH_PW != "guest"))
{
    header('WWW-Authenticate: Basic realm="Private Area"');
    header("HTTP/1.1 401 Unauthorized");
    print "This page requires authorisation.";
    exit();
}
else
{
    print "You're through to the secret page, was the effort worth it?";
}
?>
With this page, if you enter guest it just re-spawns the login box... Ideally we would make the page with a form and the authentication would happen from our form. Any help is REALLY appreciated.

Posted: Thu Nov 18, 2004 10:34 pm
by Weirdan
Use $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] instead of $PHP_AUTH_USER and $PHP_AUTH_PW respectively. Additional information: http://www.php.net/manual/en/security.globals.php

Posted: Thu Nov 18, 2004 10:53 pm
by irishmike2004
Thanks, same result with those variables... read the page no help. Still where I was though.

Posted: Thu Nov 18, 2004 11:04 pm
by Weirdan
irishmike2004 wrote: Thanks, same result with those variables... read the page no help. Still where I was though.
Use this code:

Code:

<?php
// Debugging aid: send the challenge, then dump what PHP received from the server.
header('WWW-Authenticate: Basic realm="Private Area"');
header("HTTP/1.1 401 Unauthorized");
print "This page requires authorisation.";
echo '<pre>';
var_dump($_SERVER);
echo '</pre>';
And when it asks for the password a second time, press 'Cancel' and copy what it yields. Post the output here and then we'll be able to help you, perhaps.

Server Dump per Request

Posted: Thu Nov 18, 2004 11:26 pm
by irishmike2004
Here is the output requested:

Code:

This page requires authorization.

array(31) {
  ["DOCUMENT_ROOT"]=>
  string(28) "/Library/WebServer/Documents"
  ["HTTP_ACCEPT"]=>
  string(99) "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
  ["HTTP_ACCEPT_CHARSET"]=>
  string(30) "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
  ["HTTP_ACCEPT_ENCODING"]=>
  string(12) "gzip,deflate"
  ["HTTP_ACCEPT_LANGUAGE"]=>
  string(14) "en-us,en;q=0.5"
  ["HTTP_CONNECTION"]=>
  string(10) "keep-alive"
  ["HTTP_HOST"]=>
  string(9) "127.0.0.1"
  ["HTTP_KEEP_ALIVE"]=>
  string(3) "300"
  ["HTTP_USER_AGENT"]=>
  string(87) "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; rv:1.7.3) Gecko/20041001 Firefox/0.10.1"
  ["PATH"]=>
  string(71) "/bin:/sbin:/usr/bin:/usr/sbin:/usr/libexec:/System/Library/CoreServices"
  ["REMOTE_ADDR"]=>
  string(9) "127.0.0.1"
  ["REMOTE_PORT"]=>
  string(5) "59256"
  ["SCRIPT_FILENAME"]=>
  string(35) "/Users/jmikeneedham/Sites/login.php"
  ["SCRIPT_URI"]=>
  string(61) "http://j-mike-needhams-computer.local/~jmikeneedham/login.php"
  ["SCRIPT_URL"]=>
  string(24) "/~jmikeneedham/login.php"
  ["SERVER_ADDR"]=>
  string(9) "127.0.0.1"
  ["SERVER_ADMIN"]=>
  string(18) "[no address given]"
  ["SERVER_NAME"]=>
  string(30) "j-mike-needhams-computer.local"
  ["SERVER_PORT"]=>
  string(2) "80"
  ["SERVER_SIGNATURE"]=>
  string(82) "
Apache/1.3.29 Server at j-mike-needhams-computer.local Port 80

"
  ["SERVER_SOFTWARE"]=>
  string(32) "Apache/1.3.29 (Darwin) PHP/5.0.2"
  ["GATEWAY_INTERFACE"]=>
  string(7) "CGI/1.1"
  ["SERVER_PROTOCOL"]=>
  string(8) "HTTP/1.1"
  ["REQUEST_METHOD"]=>
  string(3) "GET"
  ["QUERY_STRING"]=>
  string(0) ""
  ["REQUEST_URI"]=>
  string(24) "/~jmikeneedham/login.php"
  ["SCRIPT_NAME"]=>
  string(24) "/~jmikeneedham/login.php"
  ["PATH_TRANSLATED"]=>
  string(35) "/Users/jmikeneedham/Sites/login.php"
  ["PHP_SELF"]=>
  string(24) "/~jmikeneedham/login.php"
  ["PHP_AUTH_USER"]=>
  string(5) "guest"
  ["PHP_AUTH_PW"]=>
  string(5) "guest"
}

Posted: Thu Nov 18, 2004 11:38 pm
by Weirdan

Code:

<?php
if ((!isset($_SERVER['PHP_AUTH_USER'])) ||
    (!isset($_SERVER['PHP_AUTH_PW'])) ||
    ($_SERVER['PHP_AUTH_USER'] != "guest") ||
    ($_SERVER['PHP_AUTH_PW'] != "guest"))
{
    header('WWW-Authenticate: Basic realm="Private Area"');
    header("HTTP/1.1 401 Unauthorized");
    print "This page requires authorisation.";
    exit();
}
else
{
    print "You're through to the secret page, was the effort worth it?";
}
?>
should work.

Posted: Fri Nov 19, 2004 6:10 am
by irishmike2004
It worked... Thanks for the help :-)
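
The check this thread arrives at, reworked as an added example (not code from any poster): it reads the credentials from a `$_SERVER`-style array as in the fix above, but stores a password hash instead of comparing plaintext with `!=`. It assumes PHP 7 or later; the function names `basic_auth_ok` and `send_challenge` and the `$users` store are hypothetical, and the guest account is a constructed sample.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7 or later.

/**
 * Check the Basic credentials PHP parsed into a $_SERVER-style array.
 * $users maps user name => password_hash() output (hypothetical store).
 */
function basic_auth_ok(array $server, array $users): bool
{
    static $dummy = null;
    if ($dummy === null) {
        // Hash to verify against when the user is unknown, so both paths do the same work
        $dummy = password_hash('unused', PASSWORD_DEFAULT);
    }
    // Read the superglobal keys; $PHP_AUTH_USER only exists with register_globals on
    $user = $server['PHP_AUTH_USER'] ?? null;
    $pass = $server['PHP_AUTH_PW'] ?? null;
    if (!is_string($user) || !is_string($pass)) {
        return false; // first request: the browser has not sent credentials yet
    }
    $known = array_key_exists($user, $users);
    $valid = password_verify($pass, $known ? $users[$user] : $dummy);
    return $known && $valid;
}

/** Send the 401 challenge that makes the browser show its login box. */
function send_challenge(string $realm): void
{
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    echo 'This page requires authorisation.';
}

// Constructed sample account matching the thread's guest/guest login
$users = ['guest' => password_hash('guest', PASSWORD_DEFAULT)];

if (PHP_SAPI === 'cli') {
    // Offline check with constructed $_SERVER-style arrays
    var_dump(basic_auth_ok(['PHP_AUTH_USER' => 'guest', 'PHP_AUTH_PW' => 'guest'], $users));
    var_dump(basic_auth_ok(['PHP_AUTH_USER' => 'guest', 'PHP_AUTH_PW' => 'wrong'], $users));
    var_dump(basic_auth_ok([], $users));
} elseif (!basic_auth_ok($_SERVER, $users)) {
    send_challenge('Private Area');
    exit;
} else {
    echo "You're through to the secret page, was the effort worth it?";
}
```

Basic credentials are sent base64-encoded with every request, so a page protected this way should only be served over HTTPS.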