Hello,

I've found several PHP server variables (phpinfo()) which contain the actual domain and username of the actual user (e.g. $_SERVER['AUTH_USER']=domain\username) on a Windows XP client.

What I want to do is to set up a kind of single-sign-on website. A user, who could then be authenticated automatically, should be able to change his own entries in a telephone book, but not those of other people, as an example...

How can I trust the content of this variable? Where does that information come from?
Can a normal user change this?

At least, what I really want to know is: Is there a secure way to retrieve the information of the currently logged-on user from the client computer?

Thanks for your help.

Hannes

    If your users are plain internet visitors, then obtaining information about them from the client side is not polite. Some people call that spyware.

    PHP_AUTH_USER tells the username of the person who signed in using http basic authentication. This is a username and password sent over the internet in cleartext, making it possible (though relatively rare) that someone can spoof it using a sniffer.

    AUTH_USER by itself, iirc, is for the person who started the web server. Sometimes, in my php_info dumps, I see the sudoer who started the web server (sudo apachectl start). You can't trust the value of this variable. If you are running a phpinfo from a testing server on your own network, it is likely you are seeing this information match domain login credentials (probably provided by an IIS server).

      I want to set up this in a dedicated intranet environment, not reachable for internet visitors. I want to authenticate the retrieved username against an active directory controller located in our network.

      PHP_AUTH_USER:
      Did every client sign up to the webserver via basic authentication?
      And where does the webserver get the user information from? Maybe from the computer's environment variables?
      Or is it just a feature in the phpinfo() function which does this authentication?

      SSL should solve the sniff&spoof issue 😉

      AUTH_USER:
      You're right, I'm using an IIS server and I also started it myself.

      Again my question: Is there a secure way to retrieve the username of the currently logged-on user from the client computer?

        PHP_AUTH_USER is populated by PHP from values that are continually provided by the browser in the headers. They will exist if the user sees a browser popup asking for a username and password to access whatever it is they are trying to access.

        Wikipedia has good things to say about basic authentication: http://en.wikipedia.org/wiki/Basic_authentication_scheme

        For your purposes it won't quite work unless you want your users logging in twice.

        First, this will only work with Internet Explorer. The settings for the Local Intranet zone must be as lenient as possible, and allow scripting of ActiveX controls. This has to be done on every machine you want to grant this access to.

        You will have to use JavaScript to load the value and somehow pass it to the server (maybe Ajax):

        <script type="text/javascript">
            // Internet Explorer only: instantiate the WScript.Network COM object
            // (requires ActiveX scripting to be allowed for the intranet zone)
            var wshobj = new ActiveXObject("WScript.Network");
            // UserName is the Windows logon name of the interactive user
            var username = wshobj.UserName;
        </script>

        username will then have the info you need.

        As far as I know, there is absolutely no guaranteed way to do it server side. This is the best workaround I could come across, and is kind of considered a hack.

        Good luck.
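An added example, not code from this thread, of the server-side check the question is really after, in PHP. It assumes IIS with Windows (Integrated) authentication enabled and anonymous access disabled, so that AUTH_USER / LOGON_USER / REMOTE_USER are filled in by IIS from the identity it verified against the domain before PHP runs; a username posted by browser script (such as the WScript.Network value above) is treated as an untrusted claim. The function names and the telephone-book record are hypothetical.

```php
<?php
// Added example (not from the thread). With IIS Windows authentication
// on and anonymous access off, IIS sets AUTH_USER / LOGON_USER / REMOTE_USER
// from the identity it authenticated; they are not copied from request
// headers or from browser-side script.

// Returns "domain\user" (lower-cased) from the server-set identity, or null
// if the request was not authenticated or the value is not in the expected shape.
function authenticated_user(array $server): ?string
{
    foreach (['AUTH_USER', 'LOGON_USER', 'REMOTE_USER'] as $key) {
        if (!empty($server[$key])) {
            $id = $server[$key];
            // Accept only DOMAIN\sAMAccountName; anything else is rejected.
            if (preg_match('/^([A-Za-z0-9._-]+)\\\\([A-Za-z0-9._-]+)$/', $id)) {
                return strtolower($id);
            }
            return null;
        }
    }
    return null; // anonymous request or authentication disabled
}

// Hypothetical telephone-book record: 'owner' is the AD account allowed to
// edit it. $client_claim stands for a username posted by the browser and is
// deliberately not used for the decision.
function may_edit(array $server, array $record, ?string $client_claim = null): bool
{
    $user = authenticated_user($server);
    if ($user === null) {
        return false; // not authenticated by IIS: deny
    }
    return $user === strtolower($record['owner']);
}

// Constructed sample requests (not real server output).
$iis_request = ['AUTH_USER' => 'CORP\\hannes', 'AUTH_TYPE' => 'Negotiate'];
$anonymous   = ['AUTH_USER' => ''];
$record      = ['owner' => 'CORP\\hannes', 'phone' => '1234'];

var_dump(may_edit($iis_request, $record));                     // own record
var_dump(may_edit($anonymous, $record, 'CORP\\hannes'));       // posted name alone is ignored
var_dump(may_edit($iis_request, ['owner' => 'CORP\\alice']));  // someone else's record
```

Only the first call is allowed; the anonymous request is denied even though the browser claims to be the owner, and the authenticated user cannot edit another account's entry.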
