Need a little help with PHP_AUTH_(USER|PW) |
So this question is a little more about PHP I guess, than it is specific to CodeIgniter, but I figure theres a bunch of very smart people her, so ill try!
My application will authenticate using the username and password from wherever it can get it from, heres the basic code: PHP Code: // First check for any POST credentials.. So that works perfect when using POST, or when using curl on the command line and specifying the credentials via --user. What I would also like to have it work with, is when you specify the credentials in the URL via http://user:password@application/. I put a page with just the phpinfo() output, and when I visit it while specifying the credentials in the URL, it doesn't show that the PHP_AUTH_USER is set. I also created a page with the following PHP: PHP Code: public function http_auth() and when I visit it with the credentials in the URL, the browser will alert that its logging me in, but PHP/Apache doesnt see it Screenshot: http://d.pr/i/xRpN I was wondering if anyone has a way around this? Id just like the users to be able to link directly to pages with the username/password, and have it login, as opposed to redirect them to the login page. The authentication is done via PHP, not HTTP Basic Auth in Apache
In the manual discussion of HTTP Authentication, there's a user note regarding a workaround for a missing Authorization header. There are also a few StackOverflow posts about it which tend to eventually come back to this one.
I also missed the following the first time I read through the PHP manual page above (this is in the manual itself, not a user comment): Quote: In order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page and safe mode is enabled. Regardless, REMOTE_USER can be used to identify the externally-authenticated user. So, you can use $_SERVER['REMOTE_USER']. (10-08-2015, 06:49 AM)mwhitney Wrote: . There are also a few StackOverflow posts about it which tend to eventually come back to this one.I found that one too, doesn't seem to work though. (10-08-2015, 06:49 AM)mwhitney Wrote: I also missed the following the first time I read through the PHP manual page above (this is in the manual itself, not a user comment): Thats interesting, because when I worked at PayPal, and I had a webpage auth via LDAP, in Apache, I noticed the username and password were stored in plain text in the PHP_AUTH variables, which caused my manager to make me scrap the project.. lol Ill try some of these suggestions out, but I believe these work by causing the auth prompt to pop up, I was hoping to avoid that P.S. This is what I tried: http://php.net/manual/en/features.http-auth.php#52405 With no avail (10-08-2015, 07:02 AM)jLinux Wrote: P.S. This is what I tried: http://php.net/manual/en/features.http-auth.php#52405 With no avail That one uses the following: Code: RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L] Try removing the ",L" from the end, since that tells mod_rewrite to stop processing rules. You'll also probably need it to be before any other rewrite rules. You may also need to check for REDIRECT_ variables, depending on your rules and where they are defined. (10-08-2015, 08:19 AM)mwhitney Wrote:(10-08-2015, 07:02 AM)jLinux Wrote: P.S. This is what I tried: http://php.net/manual/en/features.http-auth.php#52405 With no avail I forgot to say in my other post, but I did try it with and without the L on the end. Also, this is in a separate folder from CodeIgniter, so it has its own .htaccess, so theres no other rules above it. Have you ever tried it? (successfully?)
I can't really use this type of authentication in my project, so I'm mostly going on the documentation. However, I'm assuming that mod_rewrite is losing the information you're looking for when it rewrites the URL for CodeIgniter (since many of the common rewrite directives used by CI users appear to possibly dump/lose/replace the data when rewriting the URL).
(10-13-2015, 09:51 AM)mwhitney Wrote: I can't really use this type of authentication in my project, so I'm mostly going on the documentation. However, I'm assuming that mod_rewrite is losing the information you're looking for when it rewrites the URL for CodeIgniter (since many of the common rewrite directives used by CI users appear to possibly dump/lose/replace the data when rewriting the URL). Thats a very good theory, I wouldnt at all be surprised about that. |
Welcome Guest, Not a member yet? Register Sign In |