Questions About HTTP Headers Sent With PHP In HTTP Authentication
Here is an example from the PHP Manual
<?php
if ((!isset($_SERVER['PHP_AUTH_USER'])) || (1==1)) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'Text to send if user hits Cancel button'
exit;
} else {
echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</
p>";
}
?>
Questions.
1. This is a status code not a header, right? = header('HTTP/
1.0 401 Unauthorized');
2. According to the change log in the PHP manual, starting with 4.4.2
and 5.1.2 the header function now prevents more than one header to be
sent at once as a protection against header injection attacks. Does
this mean if I make multiple header calls the headers will be sent in
multiple response messages to the browser? Is this allowed? Can a
server send multiple response messages to one request?]
3. If you hit the "cancel" button on the browser user name/password
request dialog (as alluded to in the code snippet above), what message
does the browser send to the server.
View Complete Forum Thread with Replies
Related Forum Messages:
HTTP Authentication With PHP
I have followed 3 different tutorials and none of them seem to work. When I use the following code in the beginning of my PHP script: if (!isset($PHP_AUTH_USER)) { header('WWW-Authenticate: Basic realm="Datacenter"'); header('HTTP/1.0 401 Unauthorized'); echo 'Authorization Required.' exit; } and I attempt to access the script I get the error: "Error 500: Internal Server Error" I reset the permissions to 755 and still no luck. I then, out of frustration created a .htaccess file and tried every possible combination, particularly in the UserAuthFile. I have tried, UserAuthFile [path]/myscritp.php4 UserAuthFile /dev/null/ I have also tried deleting the line alltogether and what happens in all these cases is that the box comes up but when I enter the info it does not send the variable to the script. If you have any information I would really appreciate it. I could even send you the script to look at the full code if it would help.
View Replies !
HTTP Authentication
I spent quite some time comming up with a suitable, yet basic HTTP Authentication script. I think it works for what I am doing, yet would like some opinions on it, the bads, the worse's and sure, even the goods ;0) I have a logon for the directory call "widgets". This directory contains semi-sensitive materials, that the general public doesn't need to see. So I have a list of files here: index.php -- where thbase of my authentication is include.inc -- an include file, hidden way high up in my server root, above the web root and accessible only with administrative privileges. This file contains my usernames and passwords in comma seperated values ie John,hispass. and the rest of my files widgets1.php widgets2.php widgets3.php widgets4.php widgets5.php .. etc index.php contains the following code: ...........
View Replies !
Http-get And Headers
I am looking to write code that can read a file from an http address (for example: http://www.somesite.com/document.xml) and check it for any changes (an updated state) then download it if it is a newer version. I have seen references to the http-get functionality of PHP , but can't find any examples or tutorials. Apparently I can check some http headers to determine whether the document is new or not? Can anyone direct me to some help on this issue?
View Replies !
Http Headers
[x-posted here and there] Excuse me if this is OT here. I'm trying to find out what would happen if I append my: Content-Type: application/x-javascript Content-Length: nnn <javascript data> To an http answer in transit. 1) Does appending such a thing to an http answer which already has it's own content-type and length headers and data, is allowed ? 2) How would a typical browser understand it ? Would it just ignore it ? If the answer to (1) is "no": what would you suggest to do ? I've thought of capturing the stream, and creating multi-part. The first part would be the captured one, and the second - the data I want to append. Does it seem as a good scheme to you ?
View Replies !
HTTP Authentication .vs. Session Authentication
I am designing a PHP application (yes, I have investigated using existing applications). I cannot use HTTPS for reasons I shall not disclose. I must authenticate users against a database (MySQL) before granting them access. There are two methods I am considering: HTTP authentication, and session authentication. My webpage is spread across multiple scripts, and the user must not have to repeatedly reauthenticate him/herself. It does not matter, however, if the login session remains or is destroyed when the browser closes, although destruction is preferred. To my knowledge, PHP only supports Basic HTTP authentication. This would be easier, and if it matches session authentication in security, I would prefer to use it. Session authentication would be accomplished via a hashed password supplied in a form, sent via POST, after which the userid or another identifying piece of data would be stored in a session variable. My webserver does host other websites, and I cannot adjust its configuration. It seems to me, however, that Basic HTTP authentication sends the username and password in plaintext at the opening of every page. Is this true?
View Replies !
HTTP Authentication For A Directory
I have kept HTTP authentication for a directory, there by preventing others to access the directory. But I want to access the directory thru a PHP script. Now how can I do it? R there any special functions available?
View Replies !
Safemode And Http Authentication
I am concerned about the following statement in php doc on http://www.php.net/manual/en/features.http-auth.php ----- sschippp ----- As of PHP 4.3.0, in order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page and safe mode is enabled. Regardless, REMOTE_USER can be used to identify the externally-authenticated user. So, you can use $_SERVER['REMOTE_USER']. Configuration Note: PHP uses the presence of an AuthType directive to determine whether external authentication is in effect. ----- sschnapp ------ I have to use safemode on, and I want to secure a set of pages (i.e. single files, not a whole dir) with simple "basic" authentication through a webbrowser. Questions: 1.So what is in detail an "external authentication" - is it a authentication through my browser or something else?! 2. If I understood it correct, above php 4.3 and safemode on PHP_AUTH_USER and PHP_AUTH_PW will not be available - so how to check for the right password within my script?! I am still using 4.3.1, so far my script works, but under 4.3?!
View Replies !
Http Authentication Problem
((!isset( $PHP_AUTH_USER )) || (!isset($PHP_AUTH_PW))) { header( 'WWW-Authenticate: Basic realm="Private"' ); header( 'HTTP/1.0 401 Unauthorized' ); echo 'Authorization Required.' exit; } else { echo "You entered $PHP_AUTH_USER for a username.<BR>"; echo "You entered $PHP_AUTH_PW for a password.<BR>"; }
View Replies !
CURL And HTTP Authentication...???
I've got the following: <?php $url = "my_url"; $ch = curl_init(); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_USERPWD, "my_username:my_password"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_URL, $url); $xmlResponse = curl_exec($ch); curl_close($ch); ?> The response I'm getting back is simply: <h1>Bad Request</h1> When I type my_url directly into a web browser a un/pw dialog pops up and when i use my_username and my_password it displays the XML on the screen as expected. Also, I have an ASP script that is currently working just fine hitting this same URL with the same credentials.
View Replies !
HTTP Authentication To A Script?
Anyone mind helping me add some HTTP authentication to a script? I read the tutorial on here, but it still doesn't make much sense as the author never displayed the final code (I'm a visual kinda guy).
View Replies !
URL Login With HTTP Authentication
I've taken over a site that uses HTTP Header authentication to control access; so in the security page we have: <snip> if ((!isset($PHP_AUTH_USER)) && (!$nologin) ) { header('WWW-Authenticate: Basic realm="Congress User Account Editor"'); header('HTTP/1.0 401 Unauthorized'); : : : </snip> If the above condition is not fired then the system runs a database query on PHP_AUTH_USER and PHP_AUTH_PW to check for a valid login. Code:
View Replies !
CGI And HTTP Headers Error
My PHP script produce an intermittent CGI error. The sequence of events is: 1- User load page A to login 2- Submit page A redirect (with the PHP funciton header("Location: http://www.mydomaine.com/mydir/b.php") to page B. 3- About 20% of the time I got the error: "The specified CGI application misbehaved by not returning a complete set of HTTP headers." 4- "Refresh" afterward shows the page without error. I tried to find a difference between a correctly loaded page B and one that generate an error and I cannot find one. It realy doesn't seem to be linked to the sequence of action the user is doing.
View Replies !
HTTP Headers With POST?
How do I display all of the POST headers? What I want to see is all information related to a POSTed file and it's attributes, sort of like this: POST /file.php?var=value HTTP/1.0 Host: www.domain.com:80 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=xxxxx Content-Description: form-data-1 Content-Disposition: inline; filename=file.txt Content Length:1221......
View Replies !
Suppressing HTTP Headers
I need to take complete control of the HTTP responses, and I don't want PHP to intervene and send its ones in front of mine etc. Is there any way of telling PHP NOT to send any headers and instead give me complete responsibility for generating the correct response?
View Replies !
Date From HTTP Headers
I've got a PHP script that's using fopen to connect to a remote web server and pick up data. I've run into a problem in calculating elapsed time. The remote web server outputs a time and I'd like to calculate the difference between that time and the current time. The problem is that the time on the remote server isn't in sync with the time on my server (off by about 5 minutes) and this throws off the elapsed time calculations. I know that the server's date/time are included in the HTTP headers, ex: Date: Sat, 27 Mar 2004 01:25:25 GMT So, I'm wondering if there's an easy way to grab that date from the remote server so that the calculations are more accurate.
View Replies !
Different HTTP Request Headers
While writing an affiliate program I'd like to be able to recognise whether a request comes from a real "click" on an ad or from a "generated request" within say an <iframe></iframe> or <object></object> tag. Is there any technical means to distinguish this in PHP? I had a very close look at the $_SERVER superglobal, but could not spot any difference. Any way to do this, maybe even outside of PHP, examining the complete request header?
View Replies !
Fetching RAW Http Headers
php`s getallheaders() works for apache only,however i want a solution for IIS,i want to fetch all raw http response headers for my application. how can i do this on IIS and php4.3?
View Replies !
Remote Http Headers
I'm looking for a way to check the http headers of a remote site via a php script. I found a site which is running such a script so it must be possible.
View Replies !
Dump All HTTP Headers
Does anyone know the PHP-command to dump all HTTP-headers that is generated by a visiting browser/terminal? I take it is something incredibly simple (i.e. $_SERVER[HTTP_ALL]), that somehow managed to slip my mind.
View Replies !
HTTP Headers Issue
I'm trying to duplicate in php some html code that automatically submits a form to login to a site, and I think I'm having trouble creating the proper http headers. Here's the html code: Code: <html> <body onload="document.koc.submit();"> <form action="http://www.kingsofchaos.com/login.php" method="post" name=koc> <input type="hidden" name="usrname" value="me"> <input type="hidden" name="uemail" value="email@email.com"> <input type="hidden" name="peeword" value="funkynumber"> </form> </body> </html>.....
View Replies !
Http Authentication On A Linux Web Server
I've been running the following authentication in php on a linux web server. I'm trying to move it to a web server on a Windows machine running Omnihttpd. It isn't working. Any ideas? <?php if(!isset($PHP_AUTH_USER)) { Header("WWW-Authenticate: Basic realm="Hardware Review""); Header("HTTP/1.0 401 Unauthorized"); echo "You are not authorized to view this pagen"; exit; } else { if ($PHP_AUTH_USER!="hardware"| |$PHP_AUTH_PW!="Speed0") { Header("HTTP/1.0 401 Unauthorized"); echo "You are not authorized to view this pagen"; exit; } } ?>
View Replies !
HTTP Authentication With Multiple Attempts
I have used the simple example of HTTP Authentication from the PHP website as follows: <?php if (!isset($_SERVER['PHP_AUTH_USER'])) { header('WWW-Authenticate: Basic realm="My Realm"'); header('HTTP/1.0 401 Unauthorized'); echo 'Text to send if user hits Cancel button' exit; } else { My authentication code here } ?> At the moment, if the user gets it wrong they are locked-out until they restart their browser.However, I want the user to have, say, five attempts before being locked-out. I guess I need a counter so that I can unset($_SERVER['PHP_AUTH_USER']; if there are any attempts remaining, but I can't work out a way to make the counter persistent across attempts.
View Replies !
Basic HTTP Authentication Logout?
I am using a server which required Basic HTTP Authentication. I want a way to somehow log the user out? Is this possible? I realise with this kind of authentication the browser just keeps repeating the username and password everytime the user requests a new page, but is there a way to force the browser to forget these?
View Replies !
$_SERVER['PHP_AUTH_USER'] And Http Authentication
I would like to be able to get the user name, which the visitor uses to log in with during a normal http authentication (.htaccess and .htpasswd)... this should be possible through $_SERVER['PHP_AUTH_USER'] but i can't seem to get it working. Here is what I am currently testing with (before implementing it in the real thing): Code:
View Replies !
Handling HTTP Basic Authentication
I have a PHP script rss.php that serves RSS to clients. It work fine, but I'd like to server customized contents, and for this, I need to know who the user is. Unless there's a better way, it looks like the easiest way is to use HTTP basic authentication: http://en.wikipedia.org/wiki/Basic_...tication_scheme So I figure I should have a section in the script that starts with prompts for a login/passwd, then fetch contents with a customized SELECT, and format it as RSS before sending the output to the RSS client. Has someone written this before and could share some tips/code?
View Replies !
HTTP Authentication Bypassing Login
I've have some folder that are password protected with htaccess files and htpasswd files. On users that own the folders I want them to be able to view without having to login when they view files in that folder. I thought that it may be possible by setting $_SERVER['PHP_AUTH_USER'] & $_SERVER['PHP_AUTH_PW'] variables but it doesn't seem to work.
View Replies !
Avoid The Login Prompt From HTTP Authentication?
is there anyway to set a user/pass in php to avoid the login prompt from HTTP authentication? even if you use it in a htaccess file? PHP Code: $_ENV['REMOTE_USER'] = $_SERVER['PHP_AUTH_USER'] = $_ENV['PHP_AUTH_USER'] = $rows["user_name"]; $_ENV['PHP_AUTH_PW'] = $_SERVER['AUTH_PASSWORD'] = $_SERVER["PHP_AUTH_PW"] = $rows["user_passwd"]; that doesn't seem to work. I am thinking those can only be set by actually logging in at the login prompt.
View Replies !
PHP Http Authentication - Cannot Secure Entire Directories?
I've been trying out HTTP authentication with PHP (yes I've read the Zend tutorial, searched the forum, and read the manual). Things seem to work great. However I have noticed that is does not work like a .htaccess file would. Only the PHP script which sends the headers will check for anything. No very useful for blocking out a whole directory tree. I wanted to move away from just using a .htaccess so that I could authenticate the passwords over a MySQL database. The current setup has an index.php in the directory that is to be protected. It checks for password, then initializes a session and forwards the user to the protected section. Each script in the protected section checks if valid session exists, and if not, forwards back to the main index.php to HTTP authenticate again. This seems to work fine except I'm afraid of one day forgetting to check for the session or people accessing non PHP files that are in the protected directory. My question is, is there a way to combine PHP based http authentication with a .htaccess file? Or somehow have an entire directory be authenticated through one script. And the other concern is that if I do have the entire directory protected and go through that one PHP script somehow, wouldn't it have to check the l/p with MySQL every time they accessed any file?
View Replies !
Using 'localhost' With Apache 1.3 HTTP Basic Authentication?
I'm configuring a PHP script to use HTTP Basic Authentication. Thus, is it possible to test basic authentication using 'localhost'? If so, could someone send me a working .htaccess file because the following doesn't seem to launch the login dialog: AuthType Basic AuthName "TEST HOST" AuthUserFile C:/wwwroot/testhost/passwd/.htpasswd AuthGroupFile /dev/null <Limit Get> Require valid-user Order allow,deny Deny from all Satisfy all </Limit>
View Replies !
Completely Automated Login (http Authentication)?
We want to be able to get into a password-protected directory with php completely automated, and therefor avoid the http_authentication login-box. (and stay logged in) So in short: automated http_authentication runtime login with php. Can this be done? Is there a script/example out there for this?
View Replies !
HTTP Authentication Fails After Version Upgrade
Upgraded from PHP~4.3 to PHP5.2, and my app broke because $_SERVER['PHP_AUTH_USER'] is not being populated. The 'PHP_AUTH_PW' index is blank also. I've read that the population of these two particular keys is dependent on the server, but the server type/version did not change (Apache 2.0.52). How can I get these back? Or where I can find replacements? I'm open to using MySQL for the job (that's where the .htaccess list comes from anyways. but I could not get the MySQL auth method to work before. I'll need hand-holding.
View Replies !
Client Side HTTP Digest Authentication
I'm trying to retrieve the contents of a URL using file_get_contents($url). The problem is that the URL is protected via *HTTP Digest Authentication*. Is there any php library that can handle all the necessary headers during the request, or do I have to do it manually ?
View Replies !
Today.php Test Error. HTTP Headers
Trying to install on xp pro with IIS. Have mysql working. I tested it with the tutorial for installing from this forum. When I open the test script, today.php I get "The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are"' and theres is nothing after that but a black page. The today.php consists of <HTML><HEAD><TITLE>Today's Date</TITLE></HEAD><BODY><P>Today's Date (according to this Web server) is<?php echo( date("l, F dS Y.") ); ?></BODY></HTML> Ive been over and over the php.ini and my.ini and cant figure it out.
View Replies !
Warning: Fopen(http://localhost/.. ?HTTP Wrapper Does Not Support Writeable Conn
I am able to create a pdf using php and ezpdf, its works fine, and display the pdf document in the current server page. But here are two things i wish to do, first store the pdf and than open, if possible in a new popup window? When i tried this function below, it gives me an error Error: Warning: fopen(http://localhost/pdf/files/tmp1/yasmina.pdf) [function.fopen]: failed to open stream: HTTP wrapper does not support writeable connections. in C:Program FilesxampphtdocspdfpdfClassesAndFonts_009ecertificate.php on line 139 Could not open file to save PDF. Code:
View Replies !
Prevent Http Headers In Command Line Scripts
i know theres GOT to be a way to prevent PHP from sending http headers, but i cant for the life of me find it. for example, if i run a php script from the command line it starts with: X-Powered-By: PHP/4.2.1 Content-type: text/html i need to suppress that. output buffering doesnt work. i found references in the manual suggesting it's possible, but cant find out how it's possible. any ideas?
View Replies !
Why Do Some HTTP Headers Show Up In $_SERVER? Why Not $_GET Or $_POST ?
I noticed this odd PHP function in an article about AJAX and Prototype: Prototype adds a custom HTTP header to all its AJAX requests so that your server application can detect that it's an AJAX call, rather than a normal call. The header is: X-Requested-With: XMLHttpRequest Here's an example PHP function used to detect an AJAX call: function isAjax() { return isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER ['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest' Most of the AJAX calls I've seen are GET or POST, so I expect them to show up in the $_GET or $_POST arrays. Why would this header show up in the $_SERVER array?
View Replies !
Server HTTP Sends Or Streaming HTTP?
I was wondering if you guys had any ideas to constantly stream a webpage in case an announcement was posted or possibly pushing onto the browser information. What I basically want is for a user browsing my website to be notified of any new announcements. I thought about checking everytime he changes pages but then I realized that I want them to be notified as long as they have the page open even if it's minimized. So it would at best be a method to use php force send a msg after someone posts an announcement.
View Replies !
301 Redirect With PHP Http:// To Http://www.
I'm trying to redirect http://domainname.com to http://www.domainname.com using a 301, on all pages, that means it needs to go in the header file... Here's the code I have: Quote# <?php # if(!stristr($_SERVER["HTTP_HOST"], 'www')){ # header("HTTP/1.1 301 Moved Permanently"); # header("Location: http://www.domainname.com/" . $_SERVER["REQUEST_URI"]); # exit(); # } # ?> The only thing is that it redirects every page to http://www.domainname.com/... including http://www.domainname.com/ How do I fix this? What's the solution? I'm assuming there's some more code that needs to go into it. The host doesn't allow me to do this in the htaccess file.
View Replies !
Can't Include 'http...foo.php', But Can Include 'http...foo.txt'
This seems weird, but when I use the following code, include 'http://www.foo.com/includes.php' includedfunction(); I am told that it is a call to an undefined function, but 'includedfunction' is on the server. the following includes work fine, and the run the called function with no trouble: include 'http://www.foo.com/includes.phtml' include 'http://www.foo.com/includes.txt' all three include.php,.phtml & .txt are on the server and are exactly identical. I am running php version 4.1.1.
View Replies !
HTTP Error And Parse Error - I Get HTTP, Friend Gets Parse :S
I have just finished making a script, which basically updates a users account depending on what button they pressed on the previous page, everything looks fine to me, but when I click a button, I get a big HTTP error page, but the strange thing is, when my friend press's a button, he gets a parse error. Code:
View Replies !
Using Headers To Pass Through Authentication
I must make a post to a site that is protected with basic authentication. I have tryed many different variations on the (PHP) header command to try and supply the login with my details automatically and pass straight through, the most recent being: header('Location: XXXXXX); $userpass = base64_encode("USER:PASS"); header('Authorization: Basic $userpass') where I'm going wrong because that login form just keeps popping up!
View Replies !
|
TRACKER
