I have used $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] in all my PHP applications on Apache servers. But I have this client that wants to run a PHP application on a Windows server to be able to use an ASP.Net application. All the PHP seems to run fine except for the authentication.

Is there another way to use $_SERVER['PHP_AUTH_USER'] on a Windows server?

Thanks,

Erick

    Can you provide more details? I have used $_SERVER['PHP_AUTH_USER'] under windows quite successfully.

    Is there any more detail you can provide? What seems to be the problem, and, can you post a small code snippet as to where you are using PHP_AUTH_USER?

    Below is a quick & dirty way to use it (I am using under Windows 2000)

    I keep this in a separate file and include it at the very TOP of every page (as it outputs headers) that I wish to protect.

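    <?php

    // Using static values instead of XML / Database user storage, for example only
    $auth_user = "admin";
    $auth_pass = "let_me_in2";

    // These are not set until the browser has answered the 401 challenge
    $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    $pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';

    // Start out unauthenticated so the check below never reads an undefined variable
    $validated = false;

    if ($user === $auth_user && $pass === $auth_pass) {
        $validated = true;
        echo "Thanks for logging in...";
    } // end if

    if (!$validated) {
        header('WWW-Authenticate: Basic realm="My Protected Area"');
        header('HTTP/1.0 401 Unauthorized');
        die('Incorrect Password');
    } // end if

    ?>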
    

      I'm running it on Windows Server 2003.

      Here is part of my code, it looks quite similar to yours. But it was working on Apache, it just stopped working when used on Windows Server 2003.

      $validated = false;

      if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']))
      {
          $usr = $_SERVER['PHP_AUTH_USER'];
          $pwd = $_SERVER['PHP_AUTH_PW'];

          // Quote and escape the user name before it goes into the SQL string
          $sql = "select * from users where user_id = '" . mysql_real_escape_string($usr, $conn) . "'";
          $result = mysql_query($sql, $conn) or die(mysql_error());

          if (mysql_num_rows($result) == 1)
          {
              $password = mysql_result($result, 0, 'password');

              if ($password == $pwd)
              {
                  $validated = true;
              }
          }
      }
      if (!$_SESSION['LOGGEDIN'])
      {
          header('WWW-Authenticate: Basic realm="Daydream Realty Admin"');
          header('HTTP/1.0 401 Unauthorized');
      }
      else
      {
          //The rest of code
      }
      

        A few suggestions,

        I can't see that you have session_start() anywhere, assuming you have it in there, try changing

        if (!$_SESSION['LOGGEDIN'])

        // to

        if (!$validated)
        

        I don't see in the code where after validation you set the "LOGGEDIN" to be true, i.e.

        session_start();

        if ($password == $pwd)
        {
            $validated = true;
            $_SESSION['LOGGEDIN'] = true;
        }
        

        Let me know if this works...

          I made the changes, this is how the code looks now. Still it doesn't work.

          session_start();

          $validated = false;

          if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']))
          {
              $usr = $_SERVER['PHP_AUTH_USER'];
              $pwd = $_SERVER['PHP_AUTH_PW'];

              // Quote and escape the user name before it goes into the SQL string
              $sql = "select * from users where user_id = '" . mysql_real_escape_string($usr, $conn) . "'";
              $result = mysql_query($sql, $conn) or die(mysql_error());

              if (mysql_num_rows($result) == 1)
              {
                  $password = mysql_result($result, 0, 'password');

                  if ($password == $pwd)
                  {
                      $validated = true;
                      $_SESSION['LOGGEDIN'] = true;
                  }
              }
          }
          if (!$validated)
          {
              header('WWW-Authenticate: Basic realm="Daydream Realty Admin"');
              header('HTTP/1.0 401 Unauthorized');
          }
          

            Yes, but for some reason it seems like it is not validating.

            I added this to the code and still it doesn't work when I try it.

            
            // Compare the password with ==, a single = would assign it
            if ($usr == "user" && $pwd == "password")
            {
                $validated = true;
                $_SESSION['LOGGEDIN'] = true;
            }
            

              Okay, let's do some debugging...

              if (!$result or !is_resource($result)) {
                  die("Error with SQL: ".mysql_error());
              }

              if (mysql_num_rows($result) == 1)
              {
                  $password = mysql_result($result, 0, 'password');

                  if ($password == $pwd)
                  {
                      $validated = true;
                      $_SESSION['LOGGEDIN'] = true;
                  }
              } else {
                  echo "Number of Rows Retrieved: ";
                  echo mysql_num_rows($result);
              }
              
              

              What we are trying to do is see how many rows are being pulled, i.e. is it accidentally taking 2 rows somehow, as well as whether there are any SQL syntax errors.

                I tried but didn't get anything in return.

                I did some debugging myself and apparently it is not entering this if:

                if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']))
                

                So that must be the problem

                  Try putting this at the top of the page:

                  echo $_SERVER['PHP_AUTH_USER'];
                  echo $_SERVER['PHP_AUTH_PW'];
                  // or see all server vars
                  
                  printf("<pre>%s</pre>",print_r($_SERVER,true));
                  

                  Once you enter it wrong 3 times or even once (then press ESC) you should see the output of what the system was receiving.

                  Then we can pinpoint if there is a problem somewhere with PHP or the server variables..

                    I don't have [PHP_AUTH_USER] or [PHP_AUTH_PW] on my server variables.

                    These are the ones I have and they are empty.

                    [AUTH_PASSWORD] =>
                    [AUTH_USER] =>

                      I have read somewhere that PHP as CGI doesn't work with PHP_AUTH_USER. Is your installation a CGI or an ISAPI module?

                        Damn, it is CGI. Is there any workaround?

                          Please visit the PHP Manual here.

                          It says "Also note that until PHP 4.3.3, HTTP Authentication did not work using Microsoft's IIS server with the CGI version of PHP due to a limitation of IIS. In order to get it to work in PHP 4.3.3+, you must edit your IIS configuration "Directory Security". Click on "Edit" and only check "Anonymous Access", all other fields should be left unchecked."

                          As well there is some additional information in there.

                          There is a link to the headers information, look here. You would set it from the command prompt via: (at the VERY top)

                          ini_set("cgi.rfc2616_headers",0);
                          

                          If you are not the system admin and cannot have the system changed from CGI to ISAPI, then you may want to try setting the INI directive, and see if the site admin will check the settings for your specific site to reflect what PHP is requesting.

                          Please, let me know if any of this helps...

                            I do not have access to IIS; this is external hosting.

                            I went to the php.ini and cgi.rfc2616_headers was already set to 0 and that didn't work, then I set it to 1 and that didn't work either.

                            I guess I'm out of luck, will have to look for an alternative.

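A fallback for the CGI case the thread ends on, as an added example that is not code from any of the posts: when PHP_AUTH_USER is missing, the Basic credentials can be decoded from the raw Authorization header. It assumes the server passes that header through as HTTP_AUTHORIZATION or REDIRECT_HTTP_AUTHORIZATION (check the print_r($_SERVER) dump suggested above) and needs PHP 5.5 or later for password_hash(); the function names and the sample user are hypothetical.

```php
<?php
// Added example, not code from the thread.
// Assumption: under CGI the server passes the raw Authorization header
// through as HTTP_AUTHORIZATION or REDIRECT_HTTP_AUTHORIZATION.

// Return array(user, password) from HTTP Basic credentials, or null.
function basic_auth_credentials(array $server)
{
    // Module installs (mod_php, ISAPI) fill these in directly.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return array($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']);
    }
    // CGI fallback: decode "Basic base64(user:password)" ourselves.
    foreach (array('HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION') as $key) {
        if (empty($server[$key]) || stripos($server[$key], 'Basic ') !== 0) {
            continue;
        }
        $decoded = base64_decode(trim(substr($server[$key], 6)), true);
        // Split on the first colon only: the password may contain colons.
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            return explode(':', $decoded, 2);
        }
    }
    return null;
}

// Check credentials against stored password hashes (never plaintext).
function is_valid_login($creds, array $hashes)
{
    if ($creds === null || !isset($hashes[$creds[0]])) {
        return false;
    }
    return password_verify($creds[1], $hashes[$creds[0]]);
}

// Constructed sample data: one user, and a header as a browser would send it.
$hashes = array('admin' => password_hash('demo:pass', PASSWORD_DEFAULT));
$cgi_server = array('HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('admin:demo:pass'));

// First call: header-only (CGI-style) request. Second call: no credentials at all.
var_dump(is_valid_login(basic_auth_credentials($cgi_server), $hashes));
var_dump(is_valid_login(basic_auth_credentials(array()), $hashes));
```

In a protected page, call is_valid_login(basic_auth_credentials($_SERVER), $hashes) before any output, and send the WWW-Authenticate and 401 headers and exit when it returns false.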