Workaround for missing Authorization header under CGI/FastCGI Apache:
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
Now PHP should automatically declare $_SERVER[PHP_AUTH_*] variables if the client sends the Authorization header.
Autenticazione HTTP usando PHP
È possibile usare la funzione header() per inviare un messaggio di "Authentication Required" al browser dell'utente, provocando quindi l'apertura di una finestra contenente una richiesta di Nome utente/Password. Una volta che l'utente ha compilato i campi nome utente e password, l'URL contenente lo script PHP verrà richiamato nuovamente usando le variabili predefinite, PHP_AUTH_USER, PHP_AUTH_PW e AUTH_TYPE impostate con nome, password e tipo di autenticazione. Queste variabili predefinite possono essere trovate negli array $_SERVER e $HTTP_SERVER_VARS. Saranno supportati entrambi i metodi di autenticazione, "Basic" e "Digest" (a partire dal PHP 5.1.0). Fare riferimento alla funzione header() per ulteriori informazioni.
Nota: Nota sulla versione di PHP
Le variabili autoglobali, come $_SERVER, esistono a partire da PHP » 4.1.0.
Un frammento di script di esempio che richiede l'autenticazione da parte del browser su una pagina, potrebbe essere il seguente:
Example #1 Esempio di Autenticazione HTTP "Basic"
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="Il mio realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'Messaggio da inviare se si preme il tasto Cancel';
exit;
} else {
echo "<p>Ciao {$_SERVER['PHP_AUTH_USER']}.</p>";
echo "<p>Hai inserito {$_SERVER['PHP_AUTH_PW']} come tua password.</p>";
}
?>
Example #2 Esempio di autenticazione HTTP "Digest"
Questo esempio illustra come implementare una autenticazione Digest. Per maggiori dettagli vedere » RFC 2617.
<?php
$realm = 'Restricted area';
//user => password
$users = array('admin' => 'mypass', 'guest' => 'guest');
if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: Digest realm="'.$realm.
'",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
die('Text to send if user hits Cancel button');
}
// analisi della variabile PHP_AUTH_DIGEST
if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) ||
!isset($users[$data['username']]))
die('Wrong Credentials!');
// generazione di una risposta valida
$A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
$A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']);
$valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2);
if ($data['response'] != $valid_response)
die('Wrong Credentials!');
// Ok, utente/password validi
echo 'Your are logged in as: ' . $digest['username'];
// funzione che analizza l'header http auth
function http_digest_parse($txt)
{
// protezione contro i dati mancanti
$needed_parts = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1);
$data = array();
$keys = implode('|', array_keys($needed_parts));
preg_match_all('@(' . $keys . ')=(?:([\'"])([^\2]+?)\2|([^\s,]+))@', $txt, $matches, PREG_SET_ORDER);
foreach ($matches as $m) {
$data[$m[1]] = $m[3] ? $m[3] : $m[4];
unset($needed_parts[$m[1]]);
}
return $needed_parts ? false : $data;
}
?>
Nota: Note sulla compatibilitÃ
Fare molta attenzione quando si scrive codice per le intestazioni HTTP. Per ottenere la massima compatibilità con tutti i client, la parola-chiave "Basic" deve essere scritta con una "B" maiuscola, la stringa realm deve essere racchiusa in virgolette doppie (non singole), ed esattamente uno spazio deve precedere il codice 401 nella linea di intestazione HTTP/1.0 401. I parametri di autenticazione devono essere separati da virgole come si vede nell'esempio qui sopra.
Invece di stampare semplicemente PHP_AUTH_USER e PHP_AUTH_PW, probabilmente si vorrà controllare la validità dello username e della password. Probabilmente inviando una chiamata al database, o cercando un utente in un file dbm.
Si faccia attenzione ad alcune versioni di Internet Explorer. Sembra che siano molto schizzinosi riguardo all'ordine delle intestazioni. Inviare l'intestazione WWW-Authenticate prima dell'intestazione HTTP/1.0 401 sembra sistemare le cose per il momento.
A partire da PHP 4.3.0, al fine di prevenire che qualcuno scriva uno script che rivela la password di una pagina che era stata autenticata tramite un tradizionale meccanismo esterno, le variabili PHP_AUTH non verranno impostate se è abilitata l'autenticazione esterna per quella determinata pagina e modalità sicura è abilitato. Ciò nonostante, la variabile REMOTE_USER può essere usata per identificare un utente autenticato esternamente. Quindi, si può usare $_SERVER['REMOTE_USER'].
Nota: Nota sulla Configurazione
PHP usa la presenza di una direttiva AuthType per determinare se viene utilizzata l'autenticazione esterna.
Si fa notare, però, che quanto scritto sopra non impedisce a qualcuno che controlla un URL non autenticato di sottrarre password da URL autenticati presenti sullo stesso server.
Sia Netscape Navigator che Internet Explorer cancellano la cache locale della finestra del browser, per quanto riguarda il realm, al ricevimento di una risposta 401 da parte del server. Questo è effettivamente un meccanismo di "log out" per l'utente, che lo forza a reinserire lo username e la password. Alcune persone usano questo per fare il "time out" dei login, o per rendere disponibili bottoni di "log-out".
Example #3 Esempio di Autenticazione HTTP che impone l'inserimento di nuovo username/password
<?php
function authenticate() {
header('WWW-Authenticate: Basic realm="Prova del Sistema di Autenticazione"');
header('HTTP/1.0 401 Unauthorized');
echo "Per poter accedere a questa risorsa occorre inserire una coppia login e password valide\n";
exit;
}
if (!isset($_SERVER['PHP_AUTH_USER']) ||
($_POST['SeenBefore'] == 1 && $_POST['OldAuth'] == $_SERVER['PHP_AUTH_USER'])) {
authenticate();
} else {
echo "<p>Benvenuto: " . htmlspecialchars($_SERVER['PHP_AUTH_USER']) . "<br />";
echo "Vecchio: " . htmlspecialchars($_REQUEST['OldAuth']);
echo "<form action='' method='post'>\n";
echo "<input type='hidden' name='SeenBefore' value='1' />\n";
echo "<input type='hidden' name='OldAuth' value=\"" . htmlspecialchars($_SERVER['PHP_AUTH_USER']) . "\" />\n";
echo "<input type='submit' value='Ri autentifica' />\n";
echo "</form></p>\n";
}
?>
Questo comportamento non è richiesto dallo standard di autenticazione HTTP Basic, quindi non si dovrebbe mai fare affidamento su di esso. Test effettuati con Lynx mostrano che Lynx non cancella le credenziali di autenticazione al ricevimento del codice di risposta 401 da parte del server, quindi, premendo indietro e avanti nuovamente, darà nuovamente accesso alla risorsa, ammesso che le rispettive richieste di credenziali non siano cambiate. L'utente può però premere il tasto '_' al fine di cancellare le sue informazioni di autenticazione.
Si noti anche che, prima di PHP 4.3.3, l'Autenticazione HTTP non funzionava usando il server IIS di Microsoft e con la versione CGI di PHP a causa di una limitazione di IIS. Al fine di farla funzionare in PHP 4.3.3+, si deve modificare la configurazione di IIS "Directory Security". Cliccare su "Edit" e selezionare solo "Anonymous Access", tutti gli altri campi devono essere lasciati deselezionati.
Un'altra limitazione è che se si usa il modulo IIS (ISAPI) e PHP 4, non si possono usare le variabili PHP_AUTH_* ma, al contrario, la variabile HTTP_AUTHORIZATION è disponibile. Per esempio, si consideri il seguente codice: list($user, $pw) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
Nota: Nota su IIS:
Al fine di fare funzionare la Autenticazione HTTP con IIS, la direttiva PHP cgi.rfc2616_headers deve essere impostata al valore 0 (il valore predefinito).
Nota:
Se è abilitato safe mode viene aggiunto lo uid dello script al realm dell'header WWW-Authenticate.
add a note
User Contributed Notes 67 notes
derkontrollfreak+9hy5l at gmail dot com ¶
3 years ago
webmaster at kratia dot com ¶
10 years ago
This is the simplest form I found to do a Basic authorization with retries.
<?php
$valid_passwords = array ("mario" => "carbonell");
$valid_users = array_keys($valid_passwords);
$user = $_SERVER['PHP_AUTH_USER'];
$pass = $_SERVER['PHP_AUTH_PW'];
$validated = (in_array($user, $valid_users)) && ($pass == $valid_passwords[$user]);
if (!$validated) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
die ("Not authorized");
}
// If arrives here, is a valid user.
echo "<p>Welcome $user.</p>";
echo "<p>Congratulation, you are into the system.</p>";
?>
Nicolas Merlet - admin(at)merletn.org ¶
10 years ago
Be careful using http digest authentication (see above, example 34.2) if you have to use the 'setlocale' function *before* validating response with the 'http_digest_parse' function, because there's a conflict with \w in the pattern of 'preg_match_all' function :
In fact, as \w is supposed to be any letter or digit or the underscore character, you must not forgot that this may vary depending on your locale configuration (eg. it accepts accented letters in french)...
Due to this different pattern interpretation by the 'preg_match_all' function, the 'http_digest_parse' function will always return a false result if you have modified your locale (I mean if your locale accepts some extended characters, see http://fr.php.net/manual/en/reference.pcre.pattern.syntax.php for further information).
IMHO, I suggest you not to use setlocale before having your authentication completed...
PS : Here's a non-compatible setlocale declaration...
setlocale ( LC_ALL, 'fr_FR', 'fr', 'FR', 'french', 'fra', 'france', 'French', 'fr_FR.ISO8859-1' ) ;
sergio dot carvalho at gmail dot com ¶
2 years ago
The only effective way I've found to wipe out the PHP_AUTH_DIGEST or PHP_AUTH_USER AND PHP_AUTH_PW credentials is to call the header HTTP/1.1 401 Unauthorized.
function clear_admin_access(){
header('HTTP/1.1 401 Unauthorized');
die('Admin access turned off');
}
Ome Ko ¶
7 years ago
a link to http://logout:logout@<?=$_SERVER['HTTP_HOST'];?>/SECRET/ would force a fresh login for the /SECRET directory if no user logout with password logout exists.
[NOTE BY danbrown AT php DOT net: The following note was added by "Anonymous" on 01-APR-2010 (though we presume it's not an April Fool's Day joke).]
this logout method does not work 100% anymore, because of another bulls**t from M$:
http://support.microsoft.com/kb/834489
SlamJam ¶
10 years ago
I used Louis example (03-Jun-2006) and it works well for me (thanks).
However, I added some lines, to make sure, the user does only get the Authentification-Window a few times:
<?php
$realm = mt_rand( 1, 1000000000)."@YourCompany";
$_SESSION['realm'] = $realm;
// In the beginning, when the realm ist defined:
$_SESSION['CountTrials'] = 1;
?>
And then when it comes to check the authentification (ZEND-Tutorial):
<?php
// Not more than 3 Trials
if (!$auth) {
$_SESSION['CountTrials']++;
if ($_SESSION['CountTrials'] == 4) {
session_destroy() ;
header('Location: noentry.php');
exit ;
} else {
header("WWW-Authenticate: Basic realm=".$_SESSION['realm']);
header("HTTP/1.0 401 Unauthorized");
echo 'Authorization Required.';
exit;
}
} else {
echo '<P>You are authorized!</P>';
}
?>
noentry.php is slightely different from comeagain.php.
marco dot moser at oltrefersina dot it ¶
11 years ago
I suggest to demand user's authentication and management to the web server (by .htaccess, ...):
1. configure a global /logon/ directory with a .htaccess file restricted access
2. use fopen wrapper:
$hh = @fopen("http://{$_SERVER['PHP_AUTH_USER']}:{$_SERVER['PHP_AUTH_PW']}".
@{$_SERVER['SERVER_NAME']}/logon/", "r");
if (!$hh) authenticate(); // usual header WWW-Authenticate ...
fclose($hh);
dan223 at gmail dot com ¶
1 year ago
A simple script for SSL Client Certificate authentication with a basic authentication fall-back. I use this on my site using LDAP server to check username/passwords and client certificate to user mapping.
<?
// Check if and how we are authenticated
if ($_SERVER['SSL_CLIENT_VERIFY'] != "SUCCESS") { // Not using a client certificate
if ((!$_SERVER['PHP_AUTH_USER']) && (!$_SERVER['PHP_AUTH_PW'])) { // Not logged in using basic authentication
authenticate(); // Send basic authentication headers
}
}
if ($_SERVER['SSL_CLIENT_S_DN_CN'] != "chris") { // Check CN name of cert
if (!(($_SERVER['PHP_AUTH_USER'] == "test") && ($_SERVER['PHP_AUTH_PW'] == "123"))) { // Check username and password
authenticate(); // Send basic authentication headers because username and/or password didnot match
}
}
phpinfo();
// Call authentication display
function authenticate() {
Header("WWW-Authenticate: Basic realm=Website");
Header("HTTP/1.0 401 Unauthorized");
error401();
exit;
}
?>
See my website (http://velocitypress.ca/index.php?page=/manuals/) for more details on client certificate with Apache and PHP.
charly at towebs dot com ¶
12 years ago
A simpler approach on the post of:
bernard dot paques at bigfoot dot com
24-Sep-2004 01:42
This is another "patch" to the PHP_AUTH_USER and PHP_AUTH_PW server variables problem running PHP as a CGI.
First of all don't forget this fragment of code in your .htaccess (it's the only thing you need to make it work with mod_rewrite):
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]
</IfModule>
Then login.php
<?php
$a = base64_decode( substr($_SERVER["REMOTE_USER"],6)) ;
if ( (strlen($a) == 0) || ( strcasecmp($a, ":" ) == 0 ))
{
header( 'WWW-Authenticate: Basic realm="Private"' );
header( 'HTTP/1.0 401 Unauthorized' );
}
else
{
list($name, $password) = explode(':', $a);
$_SERVER['PHP_AUTH_USER'] = $name;
$_SERVER['PHP_AUTH_PW'] = $password;
}
echo 'PHP_AUTH_USER =' . $_SERVER['PHP_AUTH_USER'] . '<br>';
echo 'PHP_AUTH_PW =' . $_SERVER['PHP_AUTH_PW'] . '<br>';
echo 'REMOTE_USER =' . $_SERVER['REMOTE_USER'] . '<br>';
?>
First, we decode the base64 encoded string discarding the first 6 characters of "Basic " and then we do a regular validation.
At the end of the script we print the variables to verify it's working. This should be ommited in the production version.
It's a variation of the script by Bernard Paques.
Thanks to him for that snippet.
php at cscott dot net ¶
12 years ago
Note that Microsoft has released a 'security update' which disables the use of username:password@host in http urls.
http://support.microsoft.com/default.aspx?scid=kb;en-us;834489
The methods described above which rely on this will no longer work in Microsoft browsers, sadly.
You can re-enable this functionality as described at
http://weblogs.asp.net/cumpsd/archive/2004/02/07/69366.aspx
but your users will probably be unwilling to do this.
xsanychx at mail dot ru ¶
4 years ago
New auth:
<?php
$login = 'test_login';
$pass = 'test_pass';
if(($_SERVER['PHP_AUTH_PW']!= $pass || $_SERVER['PHP_AUTH_USER'] != $login)|| !$_SERVER['PHP_AUTH_USER'])
{
header('WWW-Authenticate: Basic realm="Test auth"');
header('HTTP/1.0 401 Unauthorized');
echo 'Auth failed';
exit;
}
?>
ceo at l-i-e dot com ¶
6 years ago
To force a logout with Basic Auth, you can change the Realm out from under them to a different Realm.
This forces a new set of credentials for a new "Realm" on your server.
You just need to track the Realm name with the user/pass and change it around to something new/random as they log in and out.
I believe that this is the only 100% guaranteed way to get a logout in HTTP Basic Auth, and if it were part of the docs a whole lot of BAD user-contributed comments here could be deleted.
steuber at aego dot de ¶
13 years ago
Quite a good solution for the logout problem:
Just tell browser that it is successfully logged in!
This works as follows:
1. User clicks logout button
2. Script sends 401 Header
3. User does NOT enter a password
4. If no password is entered, script sends 200 Header
So the browser remembers no password as a valid password.
Example:
<?php
if (
(!isset($_SERVER['PHP_AUTH_USER']))
||(
($_GET["login"]=="login")
&& !(
($_SERVER['PHP_AUTH_USER']=="validuser")
&& ($_SERVER['PHP_AUTH_PW']=="validpass")
)
)
||(
($_GET["logout"]=="logout")
&& !($_SERVER['PHP_AUTH_PW']=="")
)
) {
Header("WWW-Authenticate: Basic realm=\"Realm\"");
Header("HTTP/1.0 401 Unauthorized");
echo "Not logged out...<br>\n";
echo "<a href=\"index.php?login=login\">Login</a>";
exit;
} else if ($_SERVER['PHP_AUTH_PW']=="") {
echo "Logged out...<br>\n";
echo "<a href=\"index.php?login=login\">Login</a>";
exit;
}
?>
Paul ¶
13 years ago
Here is a extremely easy way to successfully logout.
<?php
if ( $realm == '' )
$realm = mt_rand( 1, 1000000000 );
header( 'WWW-Authenticate: Basic realm='.$realm );
?>
To log the user out simply change the value of $realm
avp200681 at gmail dot com ¶
4 years ago
I noted that $_SERVER['AUTH_TYPE'] is only available for a page that was authenticated through a traditional external mechanism (like Apache).
djreficul at yahoo dot com ¶
11 years ago
Well, I think it's easy to make authentification works correctly. I use a session var to force authentication everytime a user visit the logging area.
<?php
if (!isset ($_SESSION['firstauthenticate'])) {
session_start();
}
function authenticate() {
header('WWW-Authenticate: Basic realm="Sistema autentificación UnoAutoSur"');
header('HTTP/1_0 401 Unauthorized');
// header("Status: 401 Access Denied");
echo "Unauthorized\n";
exit;
}
if (!isset($_SERVER['PHP_AUTH_USER']) || strcmp ($_SERVER['PHP_AUTH_USER'],$user)!=0 ||
!isset ($_SERVER['PHP_AUTH_PW']) || strcmp($_SERVER['PHP_AUTH_PW'],$pass)!=0 || !isset ($_SESSION['firstauthenticate']) || !$_SESSION['firstauthenticate']) {
$_SESSION['firstauthenticate']=true;
authenticate();
} else {
//I destroy the session var now
session_unset();
//Your code below
}
?>
Anonymous ¶
7 years ago
The regex in http_digest_parse from Example #2 does not work for me (PHP 5.2.6), because back references are not allowed in a character class. This worked for me:
<?php
// function to parse the http auth header
function http_digest_parse($txt)
{
// protect against missing data
$needed_parts = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1);
$data = array();
preg_match_all('@(\w+)=(?:(?:\'([^\']+)\'|"([^"]+)")|([^\s,]+))@', $txt, $matches, PREG_SET_ORDER);
foreach ($matches as $m) {
$data[$m[1]] = $m[2] ? $m[2] : ($m[3] ? $m[3] : $m[4]);
unset($needed_parts[$m[1]]);
}
return $needed_parts ? false : $data;
}
?>
john_2232 at gmail dot com ¶
1 year ago
Here is my attempt to create a digest authentication class that will log the user in and out without using a cookie,session,db,or file. At the core is this simple code to parse the digest string into variables works for several browsers.
<?php
// explode the digest with multibrowser support by Tony Wyatt 21jun07
public function explodethedigest($instring) {
$quote = '"';
$equal = '=';
$comma = ',';
$space = ' ';
$a = explode( $comma, $instring);
$ax = explode($space, $a[0]);
$b = explode( $equal, $ax[1], 2);
$c = explode( $equal, $a[1], 2);
$d = explode( $equal, $a[2], 2);
$e = explode( $equal, $a[3], 2);
$f = explode( $equal, $a[4], 2);
$g = explode( $equal, $a[5], 2);
$h = explode( $equal, $a[6], 2);
$i = explode( $equal, $a[7], 2);
$j = explode( $equal, $a[8], 2);
$k = explode( $equal, $a[9], 2);
$l = explode( $equal, $a[10], 2);
$parts = array(trim($b[0])=>trim($b[1], '"'), trim($c[0])=>trim($c[1], '"'), trim($d[0])=>trim($d[1], '"'), trim($e[0])=>trim($e[1], '"'), trim($f[0])=>trim($f[1], '"'), trim($g[0])=>trim($g[1], '"'), trim($h[0])=>trim($h[1], '"'), trim($i[0])=>trim($i[1], '"'), trim($j[0])=>trim($j[1], '"'), trim($k[0])=>trim($k[1], '"'), trim($l[0])=>trim($l[1], '"'));
return $parts;
}
?>
Give it a try at http://www.creativetheory.ca/ /tests/ta1.php Log in with user test password pass or user guest password guest. Go to page two for links to the code. Comments, ideas, suggestions, or critique welcome.
Lars Stecken ¶
9 years ago
To anybody who tried the digest example above and didn't get it to work.
For me the problem seemed to be the deprecated use of '\' (backslash) in the regex instead of the '$' (Dollar) to indicate a backreference. Also the results have to be trimmed off the remaining double and single quotes.
Here's the working example:
// function to parse the http auth header
function http_digest_parse($txt)
{
// protect against missing data
$needed_parts = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1);
$data = array();
preg_match_all('@(\w+)=(?:([\'"])([^$2]+)$2|([^\s,]+))@', $txt, $matches, PREG_SET_ORDER);
foreach ($matches as $m) {
$data[$m[1]] = $m[3] ? trim($m[3],"\",'") : trim($m[4],"\",'");
unset($needed_parts[$m[1]]);
}
return $needed_parts ? false : $data;
}
Probably there's a more sophisticated way to trim the quotes within the regex, but I couldn't be bothered :-)
Greets, Lars
emmanuel dot keller at net2000 dot ch ¶
14 years ago
Some servers won't support the HTTP1.0 specification and will give an error 500 (for instance). This happened with a server where I uploaded an authentication script.
If it happens, you can try the HTTP1.1 header syntax :
<?php
header("WWW-Authenticate: Basic realm=\"My Realm\"");
header('status: 401 Unauthorized');
?>
sjeffrey at inquesis dot com ¶
15 years ago
To get it to work with IIS try using this code before setting your "$auth = 0" and the "if (isset($PHP_AUTH_USER) && isset($PHP_AUTH_PW))"
<?php
//////////////////////////////////////////
if ($PHP_AUTH_USER == "" && $PHP_AUTH_PW == "" && ereg("^Basic ", $HTTP_AUTHORIZATION))
{
list($PHP_AUTH_USER, $PHP_AUTH_PW) =
explode(":", base64_decode(substr($HTTP_AUTHORIZATION, 6)));
}
//////////////////////////////////////////
?>
It worked for me on IIS 5 and PHP 4 in ISAPI
siberion at hotmail dot com ¶
11 years ago
I came up with another approach to work around the problem of browsers caching WWW authentication credentials and creating logout problems. While most browsers have some kind of way to wipe this information, I prefer having my website to take care of the task instead of relying on the user's sanity.
Even with Lalit's method of creating a random realm name, it was still possible to get back into the protected area using the back button in Firefox, so that didn't work. Here's my solution:
Since browsers attach the credentials to specific URLs, use virtual paths where a component of the path is actually a PHP script, and everything following it is part of the URI, such as:
http://www.example.com/some_dir/login.php/auth/8f631b92/
By choosing a different number for the last component of the URL, browsers can be tricked into thinking that they are dealing with a completely different website, and thus prompting the user for credentials again.
Note that using a random, unrestricted number will still allow the user to hit the back button to get back into the page. You should keep track of this number in a server-side file or database and regenerate it upon each successful login, so that the last number(s) become invalid. Using an invalid number might result in a 403 response or, depending on how you feel that day, a 302 to a nasty website.
Care should be taken when linking from the page generated in this case, since relative links will be relative to the virtual and non-existant directory rather than the true script directory.
Hope this helps somebody.
roychri at php dot net ¶
10 years ago
For PHP with CGI, make sure you put the rewrite rule above any other rewrite rule you might have.
In my case, I put this at the top of the .htaccess (below RewriteEngine On):
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]
My symptom was that the REMOTE_USER (or REDIRECT_REMOTE_USER in my case) was not being set at all.
The cause: I had some other RewriteRule that was kickin in and was set as LAST rule.
I hope this helps.
johng121 at gmail dot com ¶
2 years ago
I came up with another approach to work around the problem of browsers caching WWW authentication credentials and creating logout problems. While most browsers have some kind of way to wipe this information, I prefer having my website to take care of the task instead of relying on the user's sanity.
Even with Lalit's method of creating a random realm name, it was still possible to get back into the protected area using the back button in Firefox, so that didn't work. Here's my solution:
Since browsers attach the credentials to specific URLs, use virtual paths where a component of the path is actually a PHP script, and everything following it is part of the URI, such as:
http://calgaryabwedding.photography/some_dir/login.php/auth/8f631b92/
By choosing a different number for the last component of the URL, browsers can be tricked into thinking that they are dealing with a completely different website, and thus prompting the user for credentials again.
Note that using a random, unrestricted number will still allow the user to hit the back button to get back into the page. You should keep track of this number in a server-side file or database and regenerate it upon each successful login, so that the last number(s) become invalid. Using an invalid number might result in a 403 response or, depending on how you feel that day, a 302 to a nasty website.
Care should be taken when linking from the page generated in this case, since relative links will be relative to the virtual and non-existant directory rather than the true script directory.
Hope this helps somebody.
rob at theblip dot com ¶
13 years ago
Regarding HTTP authentication in IIS with the php cgi 4.3.4, there's one more step. I searched mightily and didn't find this information anywhere else, so here goes. When using HTTP auth with the php CGI, you need to do the following things:
1. In your php.ini file, set "cgi.rfc2616_headers = 0"
2. In Web Site Properties -> File/Directory Security -> Anonymous Access dialog box, check the "Anonymous access" checkbox and uncheck any other checkboxes (i.e. uncheck "Basic authentication," "Integrated Windows authentication," and "Digest" if it's enabled.) Click OK.
3. In "Custom Errors", select the range of "401;1" through "401;5" and click the "Set to Default" button.
It's this last step that is crucial, yet not documented anywhere. If you don't, instead of the headers asking for credentials, IIS will return its own fancy but useless 'you are not authenticated' page. But if you do, then the browser will properly ask for credentials, and supply them in the $_SERVER['PHP_AUTH_*'] elements.
Ollie L ¶
6 years ago
I tried example 7, and at first I couldn't get it to work. It took me a while to spot that somewhere along the line, probably by the server, a seemingly random number was being added to the realm - so the valid_result variable wasn't calculated using the correct realm.
To get around this, or any similar problems, make the following changes to the example:
Around line 43 (44 if after next step ;) ):
$needed_parts = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1, 'realm'=>1);
Before line 24:
$realm = $data['realm'];
These two steps get the real realm used for the authentication request, and substitute it into the "valid_response" query.
Hope this helps :)
jake22 at gmail dot com ¶
1 year ago
I came up with another approach to work around the problem of browsers caching WWW authentication credentials and creating logout problems. While most browsers have some kind of way to wipe this information, I prefer having my website to take care of the task instead of relying on the user's sanity.
Even with Lalit's method of creating a random realm name, it was still possible to get back into the protected area using the back button in Firefox, so that didn't work. Here's my solution:
Since browsers attach the credentials to specific URLs, use virtual paths where a component of the path is actually a PHP script, and everything following it is part of the URI, such as:
http://velocitypress.ca/some_dir/login.php/auth/8f631b92/
By choosing a different number for the last component of the URL, browsers can be tricked into thinking that they are dealing with a completely different website, and thus prompting the user for credentials again.
Note that using a random, unrestricted number will still allow the user to hit the back button to get back into the page. You should keep track of this number in a server-side file or database and regenerate it upon each successful login, so that the last number(s) become invalid. Using an invalid number might result in a 403 response or, depending on how you feel that day, a 302 to a nasty website.
Care should be taken when linking from the page generated in this case, since relative links will be relative to the virtual and non-existant directory rather than the true script directory.
gbelyh at gmail dot com ¶
9 years ago
Back to the autherisation in CGI mode. this is the full working example:
# Create the .htaccess file with following contents:
# also you can use the condition (search at this page)
RewriteEngine on
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]
# In the beginning the script checking the authorization place the code:
$userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"],6)) ;
$userpass = explode(":", $userpass);
if ( count($userpass) == 2 ){
#this part work not for all.
#print_r($userpass);die; #<- this can help find out right username and password
list($name, $password) = explode(':', $userpass);
$_SERVER['PHP_AUTH_USER'] = $name;
$_SERVER['PHP_AUTH_PW'] = $password;
}
Whatabrain ¶
10 years ago
Back to the problem of authenticating in CGI mode... mcbethh suggested using this to set a local variable in php:
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]
It didn't work. I couldn't see the variable. My solution is pretty round-about, but it works:
RewriteEngine on
RewriteCond %{HTTP:Authorization} !^$
RewriteCond %{REQUEST_METHOD} =GET
RewriteCond %{QUERY_STRING} =""
RewriteRule ^page.php$ page.php?login=%{HTTP:Authorization}$1
This causes the Auth string to be added to the URL if there are no parameters and it's a GET request. This prevents POSTs and parameter lists from being corrupted.
Then, in the PHP script, I store the Auth string as a session cookie.
So the only way to log in to my script is to go to the url with no parameters.
kazakevichilya at gmail dot com ¶
5 years ago
In case of CGI/FastCGI you would hot be able to access PHP_AUTH* info because CGI protocol does not declare such variables (that is why their names start from PHP) and server would not pass them to the interpreter. In CGI server should authenticate user itself and pass REMOTE_USER to CGI script after it.
So you need to "fetch" request headers and pass them to your script somehow.
In apache you can do it via environment variables if mod_env is installed.
Following construction in .htaccess copies request header "Authorization" to the env variable PHP_AUTH_DIGEST_RAW
SetEnvIfNoCase ^Authorization$ "(.+)" PHP_AUTH_DIGEST_RAW=$1
You can now access it via $_ENV.
Do not forget to strip auth type ("Digest" in my case) from your env variable because PHP_AUTH_DIGEST does not have it.
If mod_env is not installed you probably have mod_rewrite (everyone has it because of "human readable URLs").
You can fetch header and pass it as GET parameter using rewrite rule:
RewriteRule ^.*$ site.php?PHP_AUTH_DIGEST_RAW=%{HTTP:Authorization} [NC,L]
Here HTTP request header Authorization would be acessible as PHP_AUTH_DIGEST_RAW via $_GET.
---
If you use ZF you probably use Zend_Auth_Adapter_Http to auth user.
It takes Authorization info using "Zend_Controller_Request::getHeader"
This method uses apache_request_header which is likely not to be accessible in old CGI/FastCGI installations or _$_SERVER['HTTP_<HeaderName>] , so you need to put your authentication data, obtained via _GET or ENV to
_$_SERVER['HTTP_AUTHORIZATION'].
It will make ZF work transparently with you solution and I believe any other framework should work also
admin at isprohosting dot com ¶
10 years ago
There are .htaccess which actually works for us (cPanel + phpsuexec) unless others failed. Perhaps it may help someone.
# PHP (CGI mode) HTTP Authorization with ModRewrite:
RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
Then you need small piece of php code to parse this line and then everything will work like with mod_php:
if (isset($_SERVER['HTTP_AUTHORIZATION']))
{
$ha = base64_decode( substr($_SERVER['HTTP_AUTHORIZATION'],6) );
list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', $ha);
unset $ha;
}
Enjoy!
kembl at example dot com ¶
11 years ago
# PHP (CGI mode) HTTP Authorization with ModRewrite:
# most right example with header check for non empty:
RewriteEngine on
RewriteCond %{HTTP:Authorization} !^$
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}, \
E=PHP_AUTH_USER:%{HTTP:Authorization},L]
sezer yalcin ¶
11 years ago
none of those 'logout' methods would work well.
Even tricky ones like using cookie to reset cache.
Do not waste your time on this.
Browsers want to keep username and password to help user anyway. Try closing the window, or telling user to restart browser.
bleuciell at aol dot com ¶
10 years ago
For admin , i repair a fault , all is good now
Sorry for my english
It's a piece of code , to give a piece of reflexion about simple auth , we can also cryp login and pass in db , time is here for non-replay , the code isn't finish , but it work , only for reflexion about auth mechanism
<?php
function ky( $txt,$crypt) { $key = md5($crypt); $cpt = 0; $var = "";
for ( $Ctr = 0; $Ctr < strlen($txt); $Ctr++) { if ($cpt == strlen($crypt)) $cpt = 0;
$var.= substr($txt,$Ctr,1) ^ substr($crypt,$cpt,1); $cpt++; } return $var; }
$key = "";$list = 'abcdefghijklmnopqrstuvwxyz0123456789';
for($i = 0; $i< 200; $i++) { $key .= $list{mt_rand() % strlen($list)}; }
function cryp($txt,$key){ srand((double)microtime()*735412); $crypt = crypt(rand(0,3895234));$cpt = 0;$var= "";
for ( $Ctr=0; $Ctr < strlen($txt); $Ctr++ ) { if ($cpt == strlen($crypt))$cpt = 0;
$var.= substr($crypt,$cpt,1).( substr($txt,$Ctr,1) ^ substr($crypt,$cpt,1) ); $cpt++; } return base64_encode(ky($var,$key) ); }
function dcryp($txt,$key){ $txt=ky(base64_decode($txt),$key);$var= "";
for ( $Ctr = 0; $Ctr < strlen($txt); $Ctr++ ) { $md5 = substr($txt,$Ctr,1);$Ctr++; $var.= (substr($txt,$Ctr,1) ^ $md5); }return $var;}
$time= time(); $user = cryp('bubu',$key); $pwd = cryp('bubu-'.$time.'',$key);
function pwd($j,$key){ $x = dcryp($j,$key); $x = explode('-',$x); return $x[0];}
function pwd2($j,$key){ $x = dcryp($j,$key); $x = explode('-',$x); return $x[1];}
function auth(){$realm="Authentification PHPindex";
Header("WWW-Authenticate: Basic realm='".$realm."'");Header("HTTP/1.0 401 Unauthorized");
echo "Vous ne pouvez accéder à cette page"; }
if( !isset($_SERVER['PHP_AUTH_USER']) && !isset($_SERVER['PHP_AUTH_PW']) ) {auth();
} else {
if( $_SERVER['PHP_AUTH_USER'] == dcryp($user,$key) && $_SERVER['PHP_AUTH_PW'] == pwd($pwd,$key) && $time == pwd2($pwd,$key)) {
echo '';
} else{ auth();}}
?>
idbobby at rambler dot ru ¶
6 years ago
First of all, sorry for my English.
One more authorization script with logout solution.
In script given by meint_at_meint_dot_net (http://www.php.net/manual/en/features.http-auth.php#93859) rewrite_module is used. If there are any problems with that module and possibilities of administration of the web-server are restricted (including restrictions for use of .htaccess) then you can use this solution.
index.php
---------
<?php
$auth_realm = 'My realm';
require_once 'auth.php';
echo "You've logged in as {$_SESSION['username']}<br>";
echo '<p><a href="?action=logOut">LogOut</a></p>'
?>
auth.php
--------
<?php
$_user_ = 'test';
$_password_ = 'test';
session_start();
$url_action = (empty($_REQUEST['action'])) ? 'logIn' : $_REQUEST['action'];
$auth_realm = (isset($auth_realm)) ? $auth_realm : '';
if (isset($url_action)) {
if (is_callable($url_action)) {
call_user_func($url_action);
} else {
echo 'Function does not exist, request terminated';
};
};
function logIn() {
global $auth_realm;
if (!isset($_SESSION['username'])) {
if (!isset($_SESSION['login'])) {
$_SESSION['login'] = TRUE;
header('WWW-Authenticate: Basic realm="'.$auth_realm.'"');
header('HTTP/1.0 401 Unauthorized');
echo 'You must enter a valid login and password';
echo '<p><a href="?action=logOut">Try again</a></p>';
exit;
} else {
$user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
$password = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
$result = authenticate($user, $password);
if ($result == 0) {
$_SESSION['username'] = $user;
} else {
session_unset($_SESSION['login']);
errMes($result);
echo '<p><a href="">Try again</a></p>';
exit;
};
};
};
}
function authenticate($user, $password) {
global $_user_;
global $_password_;
if (($user == $_user_)&&($password == $_password_)) { return 0; }
else { return 1; };
}
function errMes($errno) {
switch ($errno) {
case 0:
break;
case 1:
echo 'The username or password you entered is incorrect';
break;
default:
echo 'Unknown error';
};
}
function logOut() {
session_destroy();
if (isset($_SESSION['username'])) {
session_unset($_SESSION['username']);
echo "You've successfully logged out<br>";
echo '<p><a href="?action=logIn">LogIn</a></p>';
} else {
header("Location: ?action=logIn", TRUE, 301);
};
if (isset($_SESSION['login'])) { session_unset($_SESSION['login']); };
exit;
}
?>
Yuriy ¶
8 years ago
Good day.
Sorry for my english.
This example shows programming "LOGIN", "LOGOUT" and "RE-LOGIN".
This script must use in the protected pages.
For work this script the browser address string must be following:
"http://localhost/admin/?login" - for Login,
"http://localhost/admin/?logout" - for Logout,
"http://localhost/admin/?logout&login" - for Re-Login.
<?php
session_start();
$authorized = false;
# LOGOUT
if (isset($_GET['logout']) && !isset($_GET["login"]) && isset($_SESSION['auth']))
{
$_SESSION = array();
unset($_COOKIE[session_name()]);
session_destroy();
echo "logging out...";
}
# checkup login and password
if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']))
{
$user = 'test';
$pass = 'test';
if (($user == $_SERVER['PHP_AUTH_USER']) && ($pass == ($_SERVER['PHP_AUTH_PW'])) && isset($_SESSION['auth']))
{
$authorized = true;
}
}
# login
if (isset($_GET["login"]) && !$authorized ||
# relogin
isset($_GET["login"]) && isset($_GET["logout"]) && !isset($_SESSION['reauth']))
{
header('WWW-Authenticate: Basic Realm="Login please"');
header('HTTP/1.0 401 Unauthorized');
$_SESSION['auth'] = true;
$_SESSION['reauth'] = true;
echo "Login now or forever hold your clicks...";
exit;
}
$_SESSION['reauth'] = null;
?>
<h1>you have <? echo ($authorized) ? (isset($_GET["login"]) && isset($_GET["logout"]) ? 're' : '') : 'not '; ?>logged!</h1>
Robb_Bean at gmx dot net ¶
3 years ago
In the german example #2 (digest), the <?php $realm = "Geschützter Bereich"; ?>. As far as I have tested the umlaut ü is problematic, resulting in an password enter infinity loop. In my case it was written in UTF-8. So I suggest using only plain ASCII characters for the realm.
vog at notjusthosting dot com ¶
5 years ago
You shouldn't use the "last" ("L") directive in the RewriteRule! This will prevent all further rewrite rules to be skipped whenever a Basic or Digest Auth is given, which is almost certainly not what you want.
So the following lines are sufficient for the .htaccess (or httpd.conf) file:
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
h3ndrik ¶
5 years ago
On my configuration with php-cgi - after setting the RewriteRule - the correct variable would be: $_SERVER['REDIRECT_HTTP_AUTHORIZATION']
So the workaround for PhpCGI is:
Set in your .htaccess:
RewriteEngine on
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization},last]
Php workaround:
<?php
//set http auth headers for apache+php-cgi work around
if (isset($_SERVER['HTTP_AUTHORIZATION']) && preg_match('/Basic\s+(.*)$/i', $_SERVER['HTTP_AUTHORIZATION'], $matches)) {
list($name, $password) = explode(':', base64_decode($matches[1]));
$_SERVER['PHP_AUTH_USER'] = strip_tags($name);
$_SERVER['PHP_AUTH_PW'] = strip_tags($password);
}
//set http auth headers for apache+php-cgi work around if variable gets renamed by apache
if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) && preg_match('/Basic\s+(.*)$/i', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], $matches)) {
list($name, $password) = explode(':', base64_decode($matches[1]));
$_SERVER['PHP_AUTH_USER'] = strip_tags($name);
$_SERVER['PHP_AUTH_PW'] = strip_tags($password);
}
?>
jason ¶
12 years ago
on the php+mysql auth code by tigran at freenet dot am
There are some security weaknesses.
First
$user
and
$pass
are both insecure, they could leave this code open to SQL injection, you should always remove invalid characters in both, or at least encode them.
Actually storing passwords as MD5 hashes leaves you less work to secure.
Second security risks
The same mysql user has rights to both update and select, and possibly even insert and on your auth database no less.
Again the SQL inject attack may occur with this., and the end user could then change the users username, password, or anything else in relation to this.
Third items is more of a performance issue,
Do you really need to update the database, as updates are slower then selects, and if you do them every time they access the page, you are costing some speed penalty.
One option, if you want to use sql (I think mysql has it) is memory only databases, and create a table within memory, the stores a unique session identifier for each user, that is logged in, or alternatively if it's a single front end system, you could use db files.
snagnever at gmail dot com ¶
12 years ago
It forces a auth each time the page is accessed:
(maybe can save someone)
<?
header("Expires: Sat, 01 Jan 2000 00:00:00 GMT");
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
header("Cache-Control: post-check=0, pre-check=0",false);
header("Pragma: no-cache");
session_cache_limiter("public, no-store");
session_start();
function http_auth()
{
$_SESSION['AUTH'] = 1;
header('HTTP/1.0 401 Unauthorized');
header('WWW-Authenticate: Basic realm="sn4g auth system"');
// The actions to be done when the user clicks on 'cancel'
exit();
}
if( !isset($_SERVER['PHP_AUTH_USER']) or @$_SESSION['AUTH'] != 1 )
{
http_auth();
exit();
}
// Actions do be done when the user has logged
// rest, must clean the session array
$_SESSION = array();
session_destroy();
?>
s dot i dot g at gmx dot com ¶
7 years ago
<?php
// try to mimic cpanel logout style
// only diff is usr & pwd field is cleared when re-login
// tested with ff2 & ie8
session_start();
$username = "test";
$password = "test";
if(isset($_GET['logout']))
{
unset($_SESSION["login"]);
echo "You have logout ... ";
echo "[<a href='" . $_SERVER['PHP_SELF'] . "'>Login</a>]";
exit;
}
if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) || !isset($_SESSION["login"]))
{
header("WWW-Authenticate: Basic realm=\"Test\"");
header("HTTP/1.0 401 Unauthorized");
$_SESSION["login"] = true;
echo "You are unauthorized ... ";
echo "[<a href='" . $_SERVER['PHP_SELF'] . "'>Login</a>]";
exit;
}
else
{
if($_SERVER['PHP_AUTH_USER'] == $username && $_SERVER['PHP_AUTH_PW'] == $password)
{
echo "You have logged in ... ";
echo "[<a href='" . $_SERVER['PHP_SELF'] . "?logout'>Logout</a>]";
}
else
{
unset($_SESSION["login"]);
header("Location: " . $_SERVER['PHP_SELF']);
}
}
// content here
?>
byoung at bigbluehat dot com ¶
8 years ago
The sample from danja at k0a1a dot net is great for getting started. However, it has some typos. Below is a slightly revised version that should work "out of the box":
<?php
session_start();
$authorized = false;
if(isset($_GET['logout']) && ($_SESSION['auth'])) {
$_SESSION['auth'] = null;
session_destroy();
echo "logging out...";
}
if(isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
$user = 'test';
$pass = 'test';
if (($user == $_SERVER['PHP_AUTH_USER']) && ($pass == ($_SERVER['PHP_AUTH_PW'])) && (!empty($_SESSION['auth']))) {
$authorized = true;
}
}
if (isset($_GET["login"]) && (! $authorized)) {
header('WWW-Authenticate: Basic Realm="Login please"');
header('HTTP/1.0 401 Unauthorized');
$_SESSION['auth'] = true;
print('Login now or forever hold your clicks...');
exit;
}
?>
<h1>you have <? echo ($authorized) ? '' : 'not'; ?> logged!</h1>
web at kwi dot dk ¶
11 years ago
While Digest authentication is still far superior to Basic authentication, there are a number of security issues that one must keep in mind.
In this respect, the Digest example given above is somewhat flawed, because the nonce never times out or otherwise become invalid. It thus becomes a password-equivalent (although to that specific URL only) and can be used by an eavesdropper to fetch the page at any time in the future, thus allowing the attacker to always access the latest version of the page, or (much worse) repeatedly invoke a CGI script -- for instance, if the user requests the URL "/filemanager?delete=somefile", the attacker can repeat this deletion at any point in the future, possibly after the file has been recreated.
And while it might not be possible to change GET data without reauthentication, cookies and POST data *can* be changed.
To protect against the first problem, the nonce can be made to include a timestamp, and a check added to ensure that nonces older than e.g. 30 minutes result in a new authentication request.
To solve the second problem, a one-time only nonce needs to be generated -- that is, all further requests using a particular nonce must be refused.
One way to do this: When the user requests an action such as "deletefile", store a randomly generated nonce in a session variable, issue a 401 authentication challenge with that nonce, and then check against the stored value when receiving the authentication (and clear the session variable).
This way, although a possible eavesdropper receives the nonce and thus gains the ability to perform the action, he can only perform it once -- and the user was going to perform it anyway. (Only the user or the attacker, but not both, gets to perform the action, so it's safe.)
Of course, at some point, the security can only be improved by switching to HTTPS / SSL / TLS (this is for instance the only way to defend against man-in-the-middle attacks). You decide the level of security.
Louis ¶
11 years ago
I couldn't get authentication to work properly with any of the examples. Finally, I started from ZEND's tutorial example at:
http://www.zend.com/zend/tut/authentication.php?article=authentication (validate using .htpasswd) and tried to deal with the additional cases. My general conclusion is that changing the realm is the only reliable way to cause the browser to ask again, and I like to thank the person who put that example in the manual, as it got me on the right path. No matter what, the browser refuses to discard the values that it already has in mind otherwise. The problem with changing the realm, of course, is that you don't want to do it within a given session, else it causes a new request for a password. So, here goes, hopefully the spacing isn't too messed up by the cut'n'paste.
I spent the better part of a day getting this to work right. I had a very hard time thinking through what the browser does when it encounters an authentication request: seems to me that it tries to get the password, then reloads the page... so the HTML doesn't get run. At least, this was the case with IE, I haven't tested it with anything else.
<?php
session_start() ;
if (!isset($_SESSION['realm'])) {
$_SESSION['realm'] = mt_rand( 1, 1000000000 ).
" SECOND level: Enter your !!!COMPANY!!! password.";
header( "WWW-Authenticate: Basic realm=".$_SESSION['realm'] );
// Below here runs HTML-wise only if there isn't a $_SESSION,
// and the browser *can't* set $PHP_AUTH_USER... normally
// the browser, having gotten the auth info, runs the page
// again without getting here.
// What I'm basically getting to is that the way to get
// here is to escape past the login screen. I tried
// putting a session_destroy() here originally, but the
// problem is that the PHP runs regardless, so the
// REFRESH seems like the best way to deal with it.
echo "<meta http-equiv=\"REFRESH\"
content=\"0;url=index.php\">" ;
exit;
}
if ($_POST['logout'] == "logout") {
session_destroy() ;
header('Location: comeagain.php');
exit ;
}
// "standard" authentication code here, from the ZEND tutorial above.
comeagain.php is as follows:
<?
session_start();
unset($_SESSION['realm']);
session_destroy();
echo "<html><head><title>Logged Out</title><h1>Logout Page</h1><body>" ;
echo "You have successfully logged out of TOGEN";
echo " at ".date("h:m:s")." on ".date("d F Y") ;
echo "<p><a href=\"index.php\">Login Again</a>" ;
echo "</body></html>" ;
?>
The idea is to be able to trash the session (and thus reset the realm) without prompting the browser to ask again... because it has been redirected to logout.php.
With this combination, I get things to work. Just make sure not to have apache run htpasswd authentication at the same time, then things get really weird :-).
henrik at laurells dot net ¶
11 years ago
Above top example for digest mode dosn't work if you have safemode on. You need to add a dash and UID to the compare string to make it work. Something like this;;
$A1 = md5($data['username'].':'.
$realm.'-'.getmyuid().':'.
$users[$data['username']]);
ZyX ¶
11 years ago
Simple PHP Script to login on a Basic Authentication page.
<?php
/* Access Configuration */
define ('x401_host', 'www.example.com');
define ('x401_port', 80);
define ('x401_user', 'your_username');
define ('x401_pass', 'your_password');
/* Function */
function get401Page($file) {
$out = "GET $file HTTP/1.1\r\n";
$out .= "Host: ".x401_host."t\r\n";
$out .= "Connection: Close\r\n";
$out .= "Authorization: Basic ".base64_encode(x401_user.":".x401_pass)."\r\n";
$out .= "\r\n";
if (!$conex = @fsockopen(x401_host, x401_port, $errno, $errstr, 10))
return 0;
fwrite($conex, $out);
$data = '';
while (!feof($conex)) {
$data .= fgets($conex, 512);
}
fclose($conex);
return $data;
}
/* Code */
if ($source = get401Page('/absolute/path/file.php?get=value')) {
echo $source;
} else {
echo "I can't connect!";
}
?>
somebody ¶
11 years ago
In the previous example it will not work in IE. In order to have a single script work on both IE and FireFox (and handle the cache problem), you need to use the $_SERVER['HTTP_USER_AGENT'] variable to know which logout version to present to the user.
An full example can be seen in the url (could not post it here due to size restrictions):
http://www.free-php.org/index.php?
cat_select=HTTP&show=HTTP_Authentication
(URL split also due to size restrictions)
me at lalit dot org ¶
12 years ago
A very simple HTTP Authentication script that solves the logout problem. I wasted a lot of time figuring out a way to logout. This one works perfectly fine.
<?php
function auth_user() {
$realm = mt_rand( 1, 1000000000 );
header('WWW-Authenticate: Basic realm="Realm ID='.$realm.']"');
header('HTTP/1.0 401 Unauthorized');
die("Unauthorized access forbidden!");
}
if (!isset($_SERVER['PHP_AUTH_USER'])) {
auth_user();
} else if (!isset($_SERVER['PHP_AUTH_USER'])) {
auth_user();
} else if ($_SERVER['PHP_AUTH_USER'] != $auser || $_SERVER['PHP_AUTH_PW'] != $apass) {
auth_user();
} else if (isset($_GET['action']) && $_GET['action'] == "logout") {
auth_user();
}
// Normal Page Code Here
?>
Hope this helps,
Lalit
aplanefan at mail dot com ¶
12 years ago
I found a way to log out easily
<?php
ob_start();
if (!isset($_SERVER['PHP_AUTH_USER']) || $_COOKIE['isin'] != "1") {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
setcookie ("isin", "1");
die('<a href="orderhan.php">Login</a>');
}
else {
if($_SERVER['PHP_AUTH_USER'] == "USER" && $_SERVER['PHP_AUTH_PW']== "PASSWORD") {
echo "you got in";
echo "<a href='".$_SEVER['PHP_SELF']."?action=logout'>logout</a>";
}
else {
setcookie ("isin", "", time() - 3600);
$url=$_SERVER['PHP_SELF'];
header("location: $url");
}
if($_GET['action'] == "logout") {
setcookie ("isin", "", time() - 3600);
$url=$_SERVER['PHP_SELF'];
header("location: $url");
}
}
ob_end_flush();
?>
chris at schaake dot nu ¶
13 years ago
A simple script for SSL Client Certificate authentication with a basic authentication fall-back. I use this on my site using LDAP server to check username/passwords and client certificate to user mapping.
<?
// Check if and how we are authenticated
if ($_SERVER['SSL_CLIENT_VERIFY'] != "SUCCESS") { // Not using a client certificate
if ((!$_SERVER['PHP_AUTH_USER']) && (!$_SERVER['PHP_AUTH_PW'])) { // Not logged in using basic authentication
authenticate(); // Send basic authentication headers
}
}
if ($_SERVER['SSL_CLIENT_S_DN_CN'] != "chris") { // Check CN name of cert
if (!(($_SERVER['PHP_AUTH_USER'] == "test") && ($_SERVER['PHP_AUTH_PW'] == "123"))) { // Check username and password
authenticate(); // Send basic authentication headers because username and/or password didnot match
}
}
phpinfo();
// Call authentication display
function authenticate() {
Header("WWW-Authenticate: Basic realm=Website");
Header("HTTP/1.0 401 Unauthorized");
error401();
exit;
}
?>
See my website (http://www.schaake.nu/index.php?page=/manuals/sslmanual.xml) for more details on client certificate with Apache and PHP.
najprogramato at post dot sk ¶
13 years ago
Don't use apache authentification in plain text. Is more better to use own script to generete new ID which is relevant to password. Apache auth data are sent to every page, so the posible mistake are known.
ken_php_net at wolfpackinteractive dot com ¶
13 years ago
Say you have password and groups files in standard Apache format (htpasswd etc.), but you want to apply authorization based on something other than filename, ie something you can't catch in .htaccess. You want to emulate the server behavior in PHP -- the equivalent of:
AuthType Basic
AuthName "Members"
AuthUserFile /path/to/.htpasswd
AuthGroupFile /path/to/.groups
require group Members
Here's what I came up with:
<?PHP
$AuthUserFile = file("/path/to/.htpasswd");
$AuthGroupFile = file("/path/to/.groups");
$group = "Members";
$realm = "Members";
function authenticate(){
header("WWW-Authenticate: Basic realm=\"$realm\"");
header('HTTP/1.0 401 Unauthorized');
echo "You must enter a valid user name and password to access the requested resource.";
exit;
}
for(; 1; authenticate()){
if (!isset($HTTP_SERVER_VARS['PHP_AUTH_USER']))
continue;
$user = $HTTP_SERVER_VARS['PHP_AUTH_USER'];
if(!preg_grep("/$group: $user$/", $AuthGroupFile)) # (format assumptions)
continue;
if(!($authUserLine = array_shift(preg_grep("/$user:.*$/", $AuthUserFile))))
continue;
preg_match("/$user:((..).*)$/", $authUserLine, $matches);
$authPW = $matches[1];
$salt = $matches[2];
$submittedPW = crypt($HTTP_SERVER_VARS['PHP_AUTH_PW'], $salt);
if($submittedPW != $authPW)
continue;
break;
}
echo "You got in!"
?>
Mario ¶
4 years ago
if you are using apache with mod fcgid you have to add
<IfModule fcgid_module>
FcgidPassHeader Authorization
</IfModule>
to make it work
oaev at mail dot ru ¶
11 years ago
Once more time about PHP through CGI.
Sometimes by some reasons (settings) web-server does not allow to set any environment variables through .htaccess file, so method offered by bernard dot paques at bigfoot dot com will not work.
Another way to solve this is to set some GET variable:
file .htaccess (it's just my example, maybe you can find better way):
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{QUERY_STRING} ^$
RewriteRule ([^\s]+).php$ $1.php?BAD_HOSTING=%{HTTP:Authorization}
RewriteCond %{QUERY_STRING} ^(.+)$
RewriteRule ([^\s]+).php $1.php?%1&BAD_HOSTING=%{HTTP:Authorization}
</IfModule>
a part of php file:
<?php
if((empty($_SERVER['PHP_AUTH_USER']) or empty($_SERVER['PHP_AUTH_PW'])) and isset($_REQUEST['BAD_HOSTING']) and preg_match('/Basic\s+(.*)$/i', $_REQUEST['BAD_HOSTING'], $matc))
list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode($matc[1]));
?>
luismontreal at gmail dot com ¶
5 years ago
Using sessions like this makes the enter auth values at each request
<?php
if($_SESSION['http_logged'] != 1) {
$_SERVER['PHP_AUTH_USER'] = '';
$_SERVER['PHP_AUTH_PW'] = '';
}
if ($_SERVER['PHP_AUTH_USER'] != $your_username || $_SERVER['PHP_AUTH_PW'] != $your_password ) {
$_SESSION['http_logged'] = 1;
header('WWW-Authenticate: Basic realm="realm"');
header('HTTP/1.0 401 Unauthorized');
exit;
} else {
$_SESSION['http_logged'] = 0;
}
?>
cyberscribe at php dot net ¶
11 years ago
To implement the Digest authentication mentioned above in PHP < 5.1, try prepending the following:
<?php
$headers = apache_request_headers();
$_SERVER['PHP_AUTH_DIGEST'] = $headers['Authorization'];
?>
or, if you don't like the idea of modifying the global $_SERVER variable directly, just use the first line and then substitute $_SERVER['PHP_AUTH_DIGEST'] in the sample code with $headers['Authorization']. Works great.
sl at netcentrex dot net ¶
12 years ago
This forces an instant re-authentication:
// Force a logout.
function imt_logout()
{
global $_SESSION;
global $HTTP_SERVER_VARS;
global $PHP_SELF;
// We mark the session as requiring a re-auth
$_SESSION['reauth-in-progress'] = 1;
// This forces the authentication cache clearing
header("WWW-Authenticate: Basic realm=\"My Realm\"");
header("HTTP/1.0 401 Unauthorized");
// In case of the user clicks "cancel" in the dialog box
print '<a href="http://'.$HTTP_SERVER_VARS['HTTP_HOST'].$PHP_SELF.'">click me</a>';
exit();
}
// Check login
function imt_login()
{
global $_SERVER;
global $_SESSION;
global $REGISTERED_USERS;
// the valid_user checks the user/password (very primitive test in this example)
if (!valid_user($_SERVER['PHP_AUTH_USER'], $REGISTERED_USERS))
{
session_destroy();
header("WWW-Authenticate: Basic realm=\"My Realm\"");
header("HTTP/1.0 401 Unauthorized");
exit();
}
// OK, the user is authenticated
$_SESSION['user'] = $_SERVER['PHP_AUTH_USER'];
}
Assuming that your page.php?action=logout forces a reauth on the same page, start your page with:
session_start()
if ($_REQUEST["action"] == "logout")
{
if (isset($_SESSION['reauth-in-progress']))
{
session_destroy();
header("Location: http://".$HTTP_SERVER_VARS['HTTP_HOST'].$PHP_SELF);
}
else
imt_logout();
}
imt_login();
jon at toolz4schoolz dot com ¶
8 years ago
I can't get the second example to work. The regular expression is beyond the scope of this programmer so I rewrote it as seven easy-to-read regular expressions and it works.
Here's the whole function http_digest_parse() that works for me:
<?php
// function to parse the http auth header
function http_digest_parse($txt) {
// protect against missing data
/*
$needed_parts = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1);
$data = array();
preg_match_all('@(\w+)=(?:([\'"])([^\2]+)\2|([^\s,]+))@', $txt, $matches, PREG_SET_ORDER);
foreach ($matches as $m) {
$data[$m[1]] = $m[3] ? $m[3] : $m[4];
unset($needed_parts[$m[1]]);
}
*/
$res = preg_match("/username=\"([^\"]+)\"/i", $txt, $match);
$data['username'] = $match[1];
$res = preg_match('/nonce=\"([^\"]+)\"/i', $txt, $match);
$data['nonce'] = $match[1];
$res = preg_match('/nc=([0-9]+)/i', $txt, $match);
$data['nc'] = $match[1];
$res = preg_match('/cnonce=\"([^\"]+)\"/i', $txt, $match);
$data['cnonce'] = $match[1];
$res = preg_match('/qop=([^,]+)/i', $txt, $match);
$data['qop'] = $match[1];
$res = preg_match('/uri=\"([^\"]+)\"/i', $txt, $match);
$data['uri'] = $match[1];
$res = preg_match('/response=\"([^\"]+)\"/i', $txt, $match);
$data['response'] = $match[1];
//return $needed_parts ? false : $data;
return $data;
}
?>
norther ¶
8 years ago
If you are using PHP + IIS, make sure to set HTTP Error 401;5 to Default in IIS directory config. Otherwise it won't prompt for username and password but just show an error message.
ian AT iyates DOT co DOR uk ¶
13 years ago
In my use of HTTP Authentication, I've found that some Apache setups swap around the usual variables.
Here's the fix I made so that you can still use PHP_AUTH_USER and PHP_AUTH_PW. Hope it helps someone
<?php
## Apache server fix ##
if (isset($_SERVER['PHP_AUTH_USER']) && !isset($_ENV['REMOTE_USER']))
$_ENV['REMOTE_USER'] = $_SERVER['PHP_AUTH_USER'];
if (isset($_SERVER['AUTH_PASSWORD']) && !isset($_ENV['PHP_AUTH_PW']))
$_ENV['PHP_AUTH_PW'] = $_SERVER['AUTH_PASSWORD'];
?>
mg at evolution515 dot net ¶
10 years ago
Example for digest doesn't work (at least for me):
use this fix:
--------------
preg_match_all('@(\w+)=(?:(([\'"])(.+?)\3|([A-Za-z0-9/]+)))@', $txt, $matches, PREG_SET_ORDER);
foreach ($matches as $m) {
$data[$m[1]] = $m[4] ? $m[4] : $m[5];
unset($needed_parts[$m[1]]);
}
It's also better to but to put the Auth-Digest-Header in a function and call it on unsuccessful authentification again. Otherwise users only have the chance to submit their username/password just one time.
nuno at mail dot ideianet dot pt ¶
13 years ago
In Windows 2003 Server/IIS6 with the php4+ cgi I only get HTTP authentication working with:
<?php header("Status: 401 Access Denied"); ?>
with
<?php header('HTTP/1.0 401 Unauthorized'); ?>
doesn't work !
I also need in "Custom Errors" to select the range of "401;1" through "401;5" and click the "Set to Default" button.
Thanks rob at theblip dot com
ale (at) tana (dot) it ¶
7 years ago
After we do auth with PHP in Apache, we miss the userid in the access.log file, unless we redefine the LogFormat to be "%{REMOTE_USER}e" rather than "%u", and upon successful authentication we do
<?php
apache_setenv('REMOTE_USER', $user);
?>
steve at topozone dot com ¶
14 years ago
The method described in the text does not appear to work with PHP in cgi mode and Apache-2.x. I seems that Apache has gotten stricter or introduced a bug such that you can initiate the authentication, but Apache seems to try to authenticate the browser response which always fails because it does not know what to authenticate against and the headers never get passed back to the PHP script.
I didn't try it with PHP as a module.
mt at shrewsbury dot org dot uk ¶
9 years ago
On my servers here, the standard rewrite spell
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]
to set $_SERVER[REMOTE_USER] with digest authentication results in the entire digest being bundled into $_SERVER[REMOTE_USER]
I have used this :
RewriteCond %{HTTP:Authorization} username=\"([^\"]+)\"
RewriteRule .* - [E=REMOTE_USER:%1,L]
And it seems to work successfully.
blah at blah dot com ¶
10 years ago
Getting PHP Authentication to work with CGI-bin.
You must have mod_rewrite installed for this to work. In the directory (of the file) you want to protect, for the .htaccess file:
# PHP (CGI mode) HTTP Authorization with ModRewrite:
# most right example with header check for non empty:
RewriteEngine on
RewriteCond %{HTTP:Authorization} !^$
RewriteRule ^test.php$ test.php?login=%{HTTP:Authorization}
Change the Rewrite rule to whatever you want it to be. For simplicity, this example only applies to one file, test.php and only if the HTTP Authorization needs to take place.
In the php file:
<?
if (isset($_GET['login'])) {
$d = base64_decode( substr($_GET['login'],6) );
list($name, $password) = explode(':', $d);
echo 'Name:' . $name . "<br>\n";
echo 'Password:' . $password . "<br>\n";
} else {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'You are not authorized. Bad user, bad!';
exit;
}
?>
You need to get rid of the first 6 characters for some reason, then decode the Auth data from its base64 format. Then it's a simple matter of extracting the data. You can even pass the data to the $_SERVER variables $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']. These are the variables that get the login data if you have PHP running as an Apache module. This is useful for mods or plugins.
