Newbie Problem: problem with HTTP authentication

Posted: Mon Aug 08, 2005 10:07 am
by alsvider
I took the following code from the PHP manual, but it doesn't work. Does anyone have any idea? I am running Fedora Core 3, and my PHP is 4.3.11, Apache is 2.0.53-3.2.

<?php
  if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
  } else {
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
  }
?>

feyd | you're new, so I'll go light for now.. please use tags when posting php code.

Posted: Mon Aug 08, 2005 10:09 am
by s.dot
What is the error it is producing?

Posted: Mon Aug 08, 2005 10:12 am
by feyd
make sure the code is placed before any output is sent to the browser.

Posted: Mon Aug 08, 2005 10:26 am
by alsvider
I placed the above code in a separate file, that is all of the file. There is no error returned, just a blank page.

Posted: Mon Aug 08, 2005 10:29 am
by feyd
are you absolutely sure there's nothing before that code? no blank lines outside of the php tags, no echo's.. nothing?

Posted: Mon Aug 08, 2005 10:29 am
by pickle
Try commenting out the 401 header line. Your browser may be getting stuck on that and not outputting the text it should.

Posted: Mon Aug 08, 2005 11:07 am
by alsvider
I tried on another machine, and it works. But I am thinking IE or Firefox keeps the authentication for a while, so if I log in again immediately, the prompt window will not come out. Am I right?

Posted: Mon Aug 08, 2005 11:28 am
by alsvider
thx guys!

Posted: Mon Aug 08, 2005 11:51 am
by pickle
Horribly enough, IE handles this properly while FF doesn't (in my opinion). As long as a window is open, Firefox caches authentication credentials. So, as long as the current window is open and someone has authenticated, $_SERVER['PHP_AUTH_PW'] will exist. With the logic displayed on php.net, this will allow users to get in without needing to authenticate.

IE doesn't do this. It never stores PHP_AUTH_PW beyond the next page load. So, someone coming in after the fact won't be able to get in using someone else's credentials.
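
Added example (not from the thread or the PHP manual): the snippet in the first post only tests whether `PHP_AUTH_USER` is set, so whatever credentials the browser resends are accepted. The version below checks the resent credentials on every request and escapes the username before output. It assumes PHP 7.1 or later; the `$USERS` table, the `demo` account and the helper names are hypothetical.

```php
<?php
// Assumption: a hypothetical in-file user table. 'demo' / 'demo-password'
// is a constructed account; a real site loads stored hashes instead.
$USERS = [
    'demo' => password_hash('demo-password', PASSWORD_DEFAULT),
];

// Send the Basic challenge and stop. Runs when credentials are missing
// OR wrong, so cached-but-invalid credentials trigger a new prompt.
function challenge(string $realm): void
{
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    echo 'Authentication required.';
    exit;
}

// True only when the user exists and the password matches its hash.
function credentials_valid(array $users, ?string $user, ?string $pass): bool
{
    if ($user === null || $pass === null) {
        return false;
    }
    // Unknown users are checked against a dummy hash so response time
    // does not reveal which usernames exist.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('placeholder', PASSWORD_DEFAULT);
    $known = isset($users[$user]);
    $ok = password_verify($pass, $known ? $users[$user] : $dummy);
    return $known && $ok;
}

$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? null;

if (!credentials_valid($USERS, $user, $pass)) {
    challenge('My Realm');
}

// The username comes from the request, so escape it before echoing.
// The password is never echoed back.
echo '<p>Hello ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '.</p>';
```

Because the check runs on each request, credentials the browser has cached only succeed while they still match a stored hash.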