[RESOLVED] PHP_AUTH_USER again

xblue

Hi all,

quite a few weeks after moving to a new server, I realized that I am no longer able to access $SERVER['PHP_AUTH_USER'] and $SERVER['PHP_AUTH_PW']. I think I should have tested the relevant scripts right after moving, however I am not 100% positive that I really did.

Even the simplest examples like

if (!isset($_SERVER['PHP_AUTH_USER'])){
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    echo "Hello {$_SERVER['PHP_AUTH_USER']}.";
    echo "You entered {$_SERVER['PHP_AUTH_PW']} as your password.";
}

fail.

I am aware that these variables will not be available when running PHP as CGI process, but I am almost sure that it is running as apache module.

First question now: Are there ways to verify how PHP is installed other than phpinfo() (which the admin disabled for security reasons) or asking him (which I would not want to do unless it is my only choice)? I have very limited access to the files on the server, seems like I am locked away from configuration files like httpd.conf.

Thank you for any pointers,
m

NogDog

You could use the [man]php_sapi_name[/man] function to get the interface type.

xblue

Aiii, NogDog, thank you for the quick and helpful reply! I have come across some functions like that would not be available in CGI mode in the meantime, and they already indicated what php_sapi_name now confirmed: it is CGI PHP which means I have to think of something to get the user authentification done.

NogDog

Don't know if this would be any help or not, but you could take a look at the flat-file login script I put together some time ago. (I put it together for someone who couldn't -- or maybe wouldn't? -- use a database.) It might give you some ideas, even if you want to convert it to use a database (which I'd recommend).

xblue

Hi NogDog,

thank you, but the task I was facing was a little different.

I had 3 areas of a website, one of which was to be protected in a htaccess-like way (for consistancy reason). There were no directories for the different areas, they were only simulated by rewrite rules, like
RewriteRule ^{(area1|2nd_area|private)/([a-zA-Z0-9]*)$} /index.php?dir=$1&p=$2

Thus I could not make use of htaccess here, and used to have php do the user validation within that index.php script using $SERVER['PHP_AUTH_USER'] and $SERVER['PHP_AUTH_PW'].

What I ended up with is
- creating a directory "private" has normal password protection with htaccess
- adding a rewrite rule to this htaccess
(RewriteRule ^[a-zA-Z0-9]$ /index.php?dir=private&p=$0)
- taking the private area out of the general rewrite rule in the root directory
(RewriteRule ^{(area1|2nd_area)/([a-zA-Z0-9]})$ /index.php?dir=$1&p=$2)

This seems to work out quite well as the user authentication is processed prior to the rewriting at least on my server.

I am aware that this protection is somewhat weaker as anyone who is able to guess the real URL index.php?dir=private&p=xy would be able to skip the authentication alltogether. To reduce this risk, I have index.php at least validate the user name via $_SERVER['REMOTE_USER']. Still by no ways bulletproof, but sufficient for the security level these contents need.

Thanks again,
m

dream_scape

xblue wrote:
To reduce this risk, I have index.php at least validate the user name via $_SERVER['REMOTE_USER'].

You might be able to get all the info out of $_SERVER['REMOTE_USER'].

Here is a nice little trick I use to generate $SERVER['PHP_AUTH_USER'] and $SERVER['PHP_AUTH_PW'] on systems that don't actually support them, but do send the authorization info in another variable:

// attempt to support PHP_AUTH_USER & PHP_AUTH_PW if they aren't supported in this SAPI
//   known SAPIs that do support them:  apache, litespeed
function setup_php_http_auth() {
	if ((PHP_SAPI === 'apache') || (PHP_SAPI === 'litespeed') || isset($_SERVER['PHP_AUTH_USER'])) {
		return;
	}

foreach (array('HTTP_AUTHORIZATION', 'AUTHORIZATION', 'REMOTE_USER') as $key) {
	if (isset($_SERVER[$key]) && !empty($_SERVER[$key])) {
		list($type, $encoded) = explode(' ', $_SERVER[$key]);
		break;
	}
}

if (!isset($type) || ($type !== 'Basic')) {
	return;
}

list($user, $pass) = explode(':', base64_decode($encoded));
$_SERVER['PHP_AUTH_USER'] = $user;
$_SERVER['PHP_AUTH_PW'] = $pass;
}

xblue

Thank you, dream.scape. Did that work out for you in all cases? On my server, HTTP_AUTHORIZATION and AUTHORIZATION are not set, and REMOTE_USER contains the user name and only the user name.