"Basic Realm" and Authentication

Anon

Having a little trouble here:

It seems that PHP is not recognizing even a hardcoded username and password, nor is it reporting my "Basic Realm" correctly.

I can upload this same file to a remote server, and it works, so I know it's in my config...

Using IIS 4 with non-CGI version of PHP from php4win.

My basic security settings are configured to send plain passwords; no domain vilidation; no anonymous access.

Once again, the username and password arent recognized, and the "Basic Realm" area shows only the numeric IP of the server, and not the hardcoded value from the oho file.

Here's the code...it's very straightforward..

<?php

// Check $PHP_AUTH_USER for info

if (!isset($PHP_AUTH_USER)) {

	// If empty

	header('WWW-Authenticate: Basic realm="My Private Stuff"');
	header('HTTP/1.0 401 Unauthorized');
	echo 'Authorization Required.';
	exit;

} else if (isset($PHP_AUTH_USER)) {

	if (($PHP_AUTH_USER != "admin") || ($PHP_AUTH_PW != "abc123")) {

		header('WWW-Authenticate: Basic realm="My Private Stuff"');
		header('HTTP/1.0 401 Unauthorized');
		echo 'Authorization Required.';
		exit;

	} else {
		echo "
		<P>You're authorized!</p>
		";
	}
}

Anon

The problem is the variable
$PHP_AUTH_USER do not set under IIS 🙁

So you won't have a problem if you use apache+linux, couse apache under win do not understand headers:
header('WWW-Authenticate: Basic realm="My Private Stuff"');
header('HTTP/1.0 401 Unauthorized');

Luck

Anon

Unfortunately, I dont have the luxury of using Apache or LINUX. Is there any other way I can control logins via PHP4 + IIS?

I cant accept that there is no way to do uer authentication under PHP4 + IIS.

Does anyone else have any advice in this arena?

Anon

Try this :

//Retrieve Authorization header
$h=getallheaders();
$auth=$h["Authorization"];
//Remove "Basic" keyword
$user_pass=substr($auth,6);
//Decode user and password
list($user,$pass)=explode(":",base64_decode($user_pass));

Not tested with IIS. I hope you'll have access to the getallheaders() function; you should in a non-CGI version.
And I think you should configure the security to "anonymous access", because you want to manage this yourself and not let IIS do it for you.

Note for ZBoris : it's true that the CGI version of PHP (at least under Windows) does not recognize :

header('HTTP/1.0 401 Unauthorized');

but this line works :

header('Status: 401 Unauthorized');

Anon

I assume that the message:

"Call to undefined function: getallheaders()"
means that I dont have access to that function?

I am also assuming that the way to test the code you gave me was to paste it in above the rest of my code?

If so, I assume that I do not access this function after all. I can assure you that I am uing the ISAPI version. I have also left alot of the PHP.INI settings at the default values.

Anon

I'm trying to incorporate Windows NT Challenge/Response authentication for my PHP/mySQL website and do not know how to initiate the process witn PHP. Can you help?

Anon

Hello Donald,
I have solved the problem of Windows not recognizing the http headers (this is the problem, as I understand it).

I switced to a LINUX box running Apache... I tried for almost three months to get this to work, and short of rewriting the Windows OS, there seems to be no way to get this config to provide login/pw capability under Windows.

Anon

hi there,

I am running
Apache/1.3.19 (Unix)
FrontPage/5.0.2.2510
mod_ssl/2.8.3
OpenSSL/0.9.6b

and my php is being used as a cgi script i can only assume, at the top of every page i have to put

#!/usr/local/bin/php

at the top of pages which contain php scripting.

AND I CANNOT GET PHP_AUTH_PW & PHP_AUTH_USER TO WORK AT ALL!

but I have the same setup again, except php is enabled via the httpd.conf where i dont have to put #!/usr/local/bin/php at the top of everypage and...

PHP_AUTH_PW & PHP_AUTH_USER WORKS FINE.

I think the problem might be with the way you invoke php being enabled on the servers.. whether by CGI or where php is enabled on every page without the CGI.

Hope this helps

Rak

titoedp

Hi all,
I want that the authentication window, pop up every time I get in the secure directory, but the browser remember these realm variables, and let me in everytime.
Maybe I should work by client side or apache server to resolve this problem, can you give me a help.
Thank you very much.
Marco.