Need a little help with PHP_AUTH_(USER|PW)

#1
So this question is a little more about PHP, I guess, than it is specific to CodeIgniter, but I figure there's a bunch of very smart people here, so I'll try!

My application will authenticate using the username and password from wherever it can get them; here's the basic code:
PHP Code:
// First check for any POST credentials..
if( self::$CI->input->post('username') AND self::$CI->input->post('password') )
{
    $username = self::$CI->input->post('username');
    $password = self::$CI->input->post('password');
}

// For command line purposes, check for HTTP auth credentials, if they
// exist, then set the username and password posts as those values
elseif( isset($_SERVER['PHP_AUTH_USER']) AND isset($_SERVER['PHP_AUTH_PW']) )
{
    $username = $_SERVER['PHP_AUTH_USER'];
    $password = $_SERVER['PHP_AUTH_PW'];
}

So that works perfectly when using POST, or when using curl on the command line and specifying the credentials via --user.

What I would also like it to work with is specifying the credentials in the URL via http://user:password@application/.

I put up a page with just the phpinfo() output, and when I visit it while specifying the credentials in the URL, it doesn't show that PHP_AUTH_USER is set.

I also created a page with the following PHP:

PHP Code:
public function http_auth()
{
    if( ! isset($_SERVER['PHP_AUTH_USER']) )
    {
        header('HTTP/1.0 401 Unauthorized');
    }

    // Parenthesise: "." binds tighter than "?:", so without the parentheses the
    // concatenated string is always truthy and "Not Set" would never be shown.
    echo "Username is " . (@$_SERVER['PHP_AUTH_USER'] ?: "Not Set");
    echo "<br>Server Auth: " . (@$_SERVER['HTTP_AUTHORIZATION'] ?: "Not Set");
}

and when I visit it with the credentials in the URL, the browser will alert that it's logging me in, but PHP/Apache doesn't see it.

Screenshot: http://d.pr/i/xRpN

I was wondering if anyone has a way around this? I'd just like the users to be able to link directly to pages with the username/password and have it log in, as opposed to redirecting them to the login page.

The authentication is done via PHP, not HTTP Basic Auth in Apache.

#2
In the manual's discussion of HTTP Authentication, there's a user note regarding a workaround for a missing Authorization header. There are also a few StackOverflow posts about it which tend to eventually come back to this one.

I also missed the following the first time I read through the PHP manual page above (this is in the manual itself, not a user comment):

Quote: In order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page and safe mode is enabled. Regardless, REMOTE_USER can be used to identify the externally-authenticated user. So, you can use $_SERVER['REMOTE_USER'].

Note: Configuration Note
PHP uses the presence of an AuthType directive to determine whether external authentication is in effect.

#3
(10-08-2015, 06:49 AM)mwhitney Wrote: There are also a few StackOverflow posts about it which tend to eventually come back to this one.
I found that one too; it doesn't seem to work though.


(10-08-2015, 06:49 AM)mwhitney Wrote: I also missed the following the first time I read through the PHP manual page above (this is in the manual itself, not a user comment):


Quote: In order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page and safe mode is enabled. Regardless, REMOTE_USER can be used to identify the externally-authenticated user. So, you can use $_SERVER['REMOTE_USER'].

Note: Configuration Note
PHP uses the presence of an AuthType directive to determine whether external authentication is in effect.


That's interesting, because when I worked at PayPal and had a web page authenticating via LDAP in Apache, I noticed the username and password were stored in plain text in the PHP_AUTH variables, which caused my manager to make me scrap the project... lol

I'll try some of these suggestions out, but I believe these work by causing the auth prompt to pop up; I was hoping to avoid that.

P.S. This is what I tried: http://php.net/manual/en/features.http-auth.php#52405 To no avail.

#4
(10-08-2015, 07:02 AM)jLinux Wrote: P.S. This is what I tried: http://php.net/manual/en/features.http-auth.php#52405 To no avail.

That one uses the following:

Code:
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]


Try removing the ",L" from the end, since that tells mod_rewrite to stop processing rules. You'll also probably need it to be before any other rewrite rules. You may also need to check for REDIRECT_ variables, depending on your rules and where they are defined.
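The PHP side of the workaround this post and #2 describe, as an added example that is not the original poster's or mwhitney's code. It assumes the manual note's RewriteRule (quoted above, with or without the ",L" flag) is the first rule in .htaccess, so Apache exposes the raw Authorization header as $_SERVER['REMOTE_USER'] or, after an internal redirect, $_SERVER['REDIRECT_REMOTE_USER']; the HTTP_AUTHORIZATION variants are checked too for setups that name the variable that way. The function names and the realm string are mine. The one thing it does that neither snippet on the page does is send a WWW-Authenticate header with the 401: a browser given http://user:password@host/ holds the credentials back until it sees that challenge, while curl --user sends them unprompted, which matches the behaviour reported in #1.

```php
<?php
// Added example, not code from the thread. Resolves Basic credentials from every
// place Apache/PHP may expose them and issues a proper challenge when none exist.
//
// Assumed .htaccess (from the PHP manual user note quoted in this thread):
//
//   RewriteEngine On
//   RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]

/**
 * Parse an "Authorization: Basic <base64>" value into [user, password].
 * Returns null for anything that is not well-formed Basic (for example the bare
 * username Apache itself puts in REMOTE_USER when an AuthType directive is active).
 */
function parse_basic_authorization(string $header): ?array
{
    if (!preg_match('/^\s*Basic\s+([A-Za-z0-9+\/]+={0,2})\s*$/i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);        // strict: reject non-base64 input
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // RFC 7617: the user-id cannot contain ':'; everything after the first ':' is the password.
    [$user, $password] = explode(':', $decoded, 2);
    return $user === '' ? null : [$user, $password];
}

/**
 * Same preference order as the snippet in #1: POST body, then PHP_AUTH_* (which PHP
 * only fills when it receives the header itself, i.e. under mod_php), then the
 * header forwarded by mod_rewrite. Returns null when nothing usable is present.
 */
function resolve_credentials(array $server, array $post): ?array
{
    if (isset($post['username'], $post['password'])) {
        return [$post['username'], $post['password']];
    }
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION',
              'REMOTE_USER', 'REDIRECT_REMOTE_USER'] as $key) {
        if (!empty($server[$key])) {
            $parsed = parse_basic_authorization($server[$key]);
            if ($parsed !== null) {
                return $parsed;
            }
        }
    }
    return null;
}

/**
 * Challenge the client. Without WWW-Authenticate a 401 is just an error page and the
 * browser never retries with the user:password@ credentials from the URL.
 */
function challenge(string $realm): void
{
    header('WWW-Authenticate: Basic realm="' . $realm . '", charset="UTF-8"');
    http_response_code(401);
    exit('Authentication required');
}

$credentials = resolve_credentials($_SERVER, $_POST);
if ($credentials === null) {
    challenge('Application');                    // realm name is an assumption
}
[$username, $password] = $credentials;
// Verify $username/$password against the application's own user store here.
// Never echo $password back to the client (the test page in #1 prints the raw
// header), and keep it out of logs.
```

Under mod_php the PHP_AUTH_* branch already fires; the env-var branch is what matters under CGI/FastCGI, where Apache withholds the Authorization header from scripts (Apache 2.4.13 and later can also pass it through with CGIPassAuth On instead of a rewrite rule). Whichever way the header arrives, user:password@ links are kept in browser history and anywhere the URL is copied, so they are better treated as short-lived tokens than as a substitute for a real login.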

#5
(10-08-2015, 08:19 AM)mwhitney Wrote:
(10-08-2015, 07:02 AM)jLinux Wrote: P.S. This is what I tried: http://php.net/manual/en/features.http-auth.php#52405 To no avail.

That one uses the following:


Code:
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]


Try removing the ",L" from the end, since that tells mod_rewrite to stop processing rules. You'll also probably need it to be before any other rewrite rules. You may also need to check for REDIRECT_ variables, depending on your rules and where they are defined.

I forgot to say in my other post, but I did try it with and without the L on the end. Also, this is in a separate folder from CodeIgniter, so it has its own .htaccess, so there are no other rules above it. Have you ever tried it? (successfully?)

#6
I can't really use this type of authentication in my project, so I'm mostly going on the documentation. However, I'm assuming that mod_rewrite is losing the information you're looking for when it rewrites the URL for CodeIgniter (since many of the common rewrite directives used by CI users appear to possibly dump/lose/replace the data when rewriting the URL).

#7
(10-13-2015, 09:51 AM)mwhitney Wrote: I can't really use this type of authentication in my project, so I'm mostly going on the documentation. However, I'm assuming that mod_rewrite is losing the information you're looking for when it rewrites the URL for CodeIgniter (since many of the common rewrite directives used by CI users appear to possibly dump/lose/replace the data when rewriting the URL).

That's a very good theory; I wouldn't be at all surprised by that.

