authorization error in apache and php

Anon

I posted yesterday and haven't been able to get much help. If you know what to do please take a sec to help.

this is my script:

$loginPage = "./zlogin.php?myAccount=Login";
if (!isset($PHP_AUTH_USER) || $Unauthorized)
{
$realm = "MyPHPStore_".time();
Header("WWW-Authenticate: Basic realm=\"$realm\"");
Header("Status: HTTP/1.0 401 Unauthorized");
print "<h1>401 Unauthorized</h1>Unable to authorize you. Please <a href=\"$loginPage\">click here</a> to try again.";
exit;
}
else
{
include("./dbconnect.php");
$query = "select * from MY_TABLE where adminName = '$PHP_AUTH_USER' and adminPass = '$PHP_AUTH_PW'";
$mysql_result = mysql_query($query, $mysql_link);

if(mysql_affected_rows() == 0)
{
header("Location: ".$loginPage."&Unauthorized=1");
exit();
}
else
{
while($row = mysql_fetch_row($mysql_result))
{
$userID = $row[0];
}
}
}

I keep getting the 401 error and no popup. If i change the header line to (Status: 401 unauthorized) I get the popup but it doesn't work. Please help. I've also seenit written ('HTTP/1.1 401 unauthorized') but that doesn't work either. Am i supposed to configure something in apache or in the php.ini files? if you know what it is that i'm supposed to change please help.

theslinky

Hi,

I posted a reply to this yesterday and either you did see it, you didn't try the solution, or you replied and I didn't see your reply.

In any case, I'll explain the problem and give you the detailed solution.

First of all: you need to change that line to Header("Status: HTTP/1.1 401 Unauthorized"); You NEED the status... it's the ... right way :-)

Second of all, you need to let apache give you permission to allow http authentications. If you use webmin (www.webmin.com), configuring apache is easy and I can let you know what to click and set (post here again).

BUT: this is how you configure it by hand. In your httpd.conf file, add this line inside the Directory handler:

<Directory "/directory/to/your/auth/script">
Options ExecCGI (etc, etc... blah blah)
<b>AllowOverride AuthConfig</b>
</Directory>

Or if you want to allow all types of overrides, use "AllowOverride All".

If you use virtual servers, make sure you put those lines inside the virtual server config.

Now, restart apache (i'm not sure a SIGHUP would do the trick). Then reload the page. Usually you'll have to QUIT your browser and take it out again so that it doesn't load from cache.

Here is my sample script you can try AFTER you fix the apache configuration:

<?php

if ((!isset( $PHP_AUTH_USER )) || (!isset($PHP_AUTH_PW))) {

header( 'WWW-Authenticate: Basic realm="Private"' );
Header("Status: HTTP/1.1 401 Unauthorized");
echo 'Authorization Required.';
exit;

} else {

echo "You entered $PHP_AUTH_USER for a username.<BR>";
echo "You entered $PHP_AUTH_PW for a password.<BR>";

}

-sridhar

Anon

Or database drive your authentication and skip the htaccess issues with apache altogether... I use the following at the top of the pages I want to secure:

<?
$auth = false;
if (isset( $PHP_AUTH_USER ) && isset($PHP_AUTH_PW)) {
mysql_connect( 'localhost', 'user', 'pass' )
or die ( 'Unable to connect to server.' );
mysql_select_db( 'authdb' )
or die ( 'Unable to select database.' );
$sql = "SELECT * FROM users WHERE user = '$PHP_AUTH_USER' AND password = '$PHP_AUTH_PW'";

$result = mysql_query( $sql )
or die ( 'Unable to execute query.' );
$num = mysql_numrows( $result );
if ( $num != 0 ) {
$auth = true;
}
}
if (!$auth) {
header('WWW-Authenticate: Basic realm="Secure Area"');
header('HTTP/1.0 401 Unauthorized');
echo 'Doh! You need Authorization to view this area!<p>Please contact the Administrator for access requests.';
exit;

mysql_free_result($result);
mysql_close($connection);

} else {
The rest of your page below...

Hope that might give you some new direction...

theslinky

Right, but I think his problem is getting the box to appear in the first place.

In any case, i usually prefer DB auth versus http auth because my clients have reported on some browsers they are not able to authenticate (IE 3.0, NS2.0 and some old versions of other browsers). I doubt what they say is true because it has worked for me, but I would rather make them happy then argue about it :-)

-sridhar

Anon

yeah.. I have to dumb down my applications considerably for where I work. Makes for intuiative code, but a pain the ass sometimes.

As for the Apache config, I didn't have to do anything special that I can remember to get the php auth box to appear for db authentication... =/

Anon

dang!!! I can't get it work 🙁

here's what I got:

DocumentRoot "C:/Program Files/Apache Group/Apache/htdocs"
<Directory "C:/Program Files/Apache Group/Apache/htdocs">
Options FollowSymLinks
AllowOverride All AuthConfig
</Directory>
<Directory "C:/Program Files/Apache Group/Apache/htdocs">
Options Indexes FollowSymLinks MultiViews
AllowOverride All AuthConfig
Order allow,deny
Allow from all
</Directory>

I've tried rewriting this a million different ways (well not quite a million)

PS I did get you post yesterday. I've just been working on it all night and trying to do research. Not getting anywhere though

i used the php code you gave as a trial

Anon

YEAH! he said it right. I can't get the stupid box to show up.

I hate this thing!

Never have problems with much of anything. this is so frustrating

Anon

ooooooooooooohhh... winders... ick... no wonder. Well, I'm out on this one. I've never had good luck setting up apache+php on a windows box.

Anon

it's already set up. Just can't get the dang box to open 😛

theslinky

To tell you the truth, I'm running php w/ IIS and I can't get the box to load on mine either!

It only works for me in apache w/ linux.

but don't give up yet. I'll look for some solutions later on and e-mail you or post.

BTW: can I access your server online? Or are you running this on your personal computer behind a firewall?

Let me know the URL.

What i'll do is get the raw HTTP data from your server and see if the right headers are coming through. We can then see whether it's a browser problem or server problem.

-sridhar

Anon

By the way I REALLY appreciate all the help your giving me:

Ok, i'm not sure if this is what you want. but the sample code you gave me is running at:

www.tripletproducts.net/ztest.php

Anon

do you want a copy of my apache config file to look at? would that help you?

at this point I am dumbfounded

I've done all sorts of searches on the web for answers and i've seen many similar problems but no answers

so confusing

theslinky

Yeah, please e-mail me a copy of it: sridhar@theslinky.com

Here is the RAW data i got from your server:

HTTP/1.1 HTTP/1.0 401 Unauthorized
Date: Thu, 18 Jul 2002 16:13:47 GMT
Server: Apache/1.3.20 (Win32)
WWW-Authenticate: Basic realm="Private"
X-Powered-By: PHP/4.1.1
Connection: close
Content-Type: text/html

Authorization Required.

This is the data I get from MY server:

HTTP/1.1 401 Authorization Required
Date: Thu, 18 Jul 2002 16:17:39 GMT
Server: Apache/1.3.26 (Unix) PHP/4.2.1 mod_ssl/2.8.10 OpenSSL/0.9.6d
X-Powered-By: PHP/4.2.1
WWW-Authenticate: Basic realm="Private"
Status: HTTP/1.1 401 Unauthorized
Connection: close
Content-Type: text/html

Authorization Required.

I have a feeling the first header in your server "HTTP/1.1 HTTP/1.0 401 Unauthorized" is malformed....

-sridhar

theslinky

E-mail me the ztest.php script as well (AS-IS).

-sridhar

Anon

yeah. but like i said in one of my first posts. if i write it like this:

Header("Status: 401 unauthorized");

and leave out the HTTP/1.1 then the screen pops up but no matter what i put in the box, it keeps popping up.

i'll send you the config file in a few mins.

Anon

Prerequisites
The $PHP_AUTH_USER, $PHP_AUTH_PW and $PHP_AUTH_TYPE global variables are only available when PHP is installed as a module. If you're using the CGI version of PHP, you will be limited to Web server-based authentication or other custom types of authentication (such as using HTML forms) to match passwords in a database.

Anon

yeah. I read that from several places. php.net for one and zend.com

how do i tell how php is installed. It did not come with apache if that's what it means.

I installed as separate programs and through apache's config file and php.ini i have them linked.

Anon

<? phpinfo() ?> --> info.php