Questions about HTTP headers sent with PHP in HTTP authentication

Here is an example from the PHP Manual

<?php

// (1==1) makes the condition always true, so the 401 challenge is always sent.
if ((!isset($_SERVER['PHP_AUTH_USER'])) || (1==1)) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
?>

Questions.

1. This is a status code, not a header, right?: header('HTTP/1.0 401 Unauthorized');

2. According to the change log in the PHP manual, starting with 4.4.2
and 5.1.2 the header function now prevents more than one header from being
sent at once as a protection against header injection attacks. Does
this mean if I make multiple header calls the headers will be sent in
multiple response messages to the browser? Is this allowed? Can a
server send multiple response messages to one request?

3. If you hit the "cancel" button on the browser user name/password
request dialog (as alluded to in the code snippet above), what message
does the browser send to the server?

Jul 4 '07 #1
On Jul 3, 8:01 pm, Reporter <TruckSaf...@gmail.com> wrote:
> Here is an example from the PHP Manual
>
> <?php
>
> if ((!isset($_SERVER['PHP_AUTH_USER'])) || (1==1)) {
>     header('WWW-Authenticate: Basic realm="My Realm"');
>     header('HTTP/1.0 401 Unauthorized');
>     echo 'Text to send if user hits Cancel button';
>     exit;
> } else {
>     echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
>     echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
> }
> ?>
>
> Questions.
>
> 1. This is a status code, not a header, right?: header('HTTP/1.0 401 Unauthorized');

It's both. The status code (401) is sent as a special header -- which
begins with HTTP/1.0. For instance, you would send the status code
302 as a header with the content "HTTP/1.0 302 Moved Temporarily."

> 2. According to the change log in the PHP manual, starting with 4.4.2
> and 5.1.2 the header function now prevents more than one header from being
> sent at once as a protection against header injection attacks. Does
> this mean if I make multiple header calls the headers will be sent in
> multiple response messages to the browser? Is this allowed? Can a
> server send multiple response messages to one request?

You typically only send one response to the browser. One request =
one response. What the manual is talking about is sending multiple
headers in a single call to the header() function. If you call the
header() function twice, you will have sent two headers as part of the
same response.

> 3. If you hit the "cancel" button on the browser user name/password
> request dialog (as alluded to in the code snippet above), what message
> does the browser send to the server?

I'm not entirely sure, but I know the above code works. You could try
using a packet sniffer to see what is actually sent back to the server.

Jul 4 '07 #2
Reporter wrote:
> 1. This is a status code, not a header, right?: header('HTTP/1.0 401 Unauthorized');

And how are status codes sent to the browser if not?? Next question,
please...

> 2. According to the change log in the PHP manual, starting with 4.4.2
> and 5.1.2 the header function now prevents more than one header from being
> sent at once as a protection against header injection attacks. Does
> this mean if I make multiple header calls the headers will be sent in
> multiple response messages to the browser? Is this allowed? Can a
> server send multiple response messages to one request?

This means that you can send more than one response (headers+content) if you
are a very, very bad person. HTTP request splitting, faking headers, and
that sort of thing. PHP will prevent you from doing so, up to a certain
extent, of course.

> 3. If you hit the "cancel" button on the browser user name/password
> request dialog (as alluded to in the code snippet above), what message
> does the browser send to the server?

None. It displays the first response (401/Unauthorized) that it *already*
got from the webserver. Keep in mind that HTTP auth is a challenge-response
auth method: even if you supply the username and password to the web
browser at first, it *will* make an attempt to get the webpage without
sending the pair.

Things go like this:
- Browser requests a webpage
- Webserver replies with a 401/Unauth response, along with some HTML
- Browser displays "enter username/passwd" dialog. Browser does NOT render
that HTML.
- User enters username/passwd
- Browser requests the webpage, sending the username/passwd
- Webserver replies with a 200/OK response
- Browser renders webpage.

In case the user hits the "cancel" button, that previously discarded HTML is
shown.

--
----------------------------------
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-

A computer is not a television or a microwave; it is a complex tool.
Jul 4 '07 #3
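The challenge-response flow and the header-injection protection discussed above, modelled in Python as an added example (not code from the thread or from PHP itself); the user store, realm and function names are assumptions made for this example.

```python
import base64
import hmac

# Constructed credential store and realm for this example; not from the thread.
USERS = {"alice": "s3cret"}
REALM = "My Realm"

def safe_header(name, value):
    # Mirror the check PHP's header() gained in 4.4.2/5.1.2: a CR or LF inside
    # a header would end the header block early and let the rest of the value
    # pose as extra headers or even a second response (response splitting).
    if any(c in "\r\n" for c in name + value):
        raise ValueError("CR/LF in header refused")
    return f"{name}: {value}"

def basic_token(user, password):
    # Encode credentials the way a browser does for "Authorization: Basic".
    return base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(authorization):
    # Return (user, password) from an Authorization header value, else None.
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # bad base64 or bad UTF-8
        return None
    user, _, password = decoded.partition(":")
    return user, password

def handle(request_headers):
    # One request, one response: keep challenging until valid credentials arrive.
    creds = parse_basic(request_headers.get("Authorization"))
    if creds is not None:
        user, password = creds
        expected = USERS.get(user, "").encode()
        if user in USERS and hmac.compare_digest(expected, password.encode()):
            return 200, [safe_header("Content-Type", "text/html")], f"<p>Hello {user}.</p>"
    return 401, [safe_header("WWW-Authenticate", f'Basic realm="{REALM}"'),
                 safe_header("Content-Type", "text/html")], "Text to send if user hits Cancel button"

def exchange(user, password):
    # Walk the flow from the post: first request without credentials draws the
    # 401 challenge, the retry carries them. Returns both status codes.
    first, _, _ = handle({})
    second, _, _ = handle({"Authorization": "Basic " + basic_token(user, password)})
    return first, second
```

The 401 reply carries the body a browser discards while it shows the login dialog and only renders if the user hits Cancel.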
On Jul 3, 7:10 pm, Iván Sánchez Ortega <ivansanchez-...@rroba-escomposlinux.-.punto.-.org> wrote:
> Reporter wrote:
>> 1. This is a status code, not a header, right?: header('HTTP/1.0 401 Unauthorized');
>
> And how are status codes sent to the browser if not?? Next question,
> please...
>
>> 2. According to the change log in the PHP manual, starting with 4.4.2
>> and 5.1.2 the header function now prevents more than one header from being
>> sent at once as a protection against header injection attacks. Does
>> this mean if I make multiple header calls the headers will be sent in
>> multiple response messages to the browser? Is this allowed? Can a
>> server send multiple response messages to one request?
>
> This means that you can send more than one response (headers+content) if you
> are a very, very bad person. HTTP request splitting, faking headers, and
> that sort of thing. PHP will prevent you from doing so, up to a certain
> extent, of course.
>
>> 3. If you hit the "cancel" button on the browser user name/password
>> request dialog (as alluded to in the code snippet above), what message
>> does the browser send to the server?
>
> None. It displays the first response (401/Unauthorized) that it *already*
> got from the webserver. Keep in mind that HTTP auth is a challenge-response
> auth method: even if you supply the username and password to the web
> browser at first, it *will* make an attempt to get the webpage without
> sending the pair.
>
> Things go like this:
> - Browser requests a webpage
> - Webserver replies with a 401/Unauth response, along with some HTML
> - Browser displays "enter username/passwd" dialog. Browser does NOT render
> that HTML.
> - User enters username/passwd
> - Browser requests the webpage, sending the username/passwd
> - Webserver replies with a 200/OK response
> - Browser renders webpage.
>
> In case the user hits the "cancel" button, that previously discarded HTML is
> shown.
>
> --
> ----------------------------------
> Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-
>
> A computer is not a television or a microwave; it is a complex tool.

OK, those are great answers. Thank you very much.

Suppose I create this php file:

<?php

// (1==1) makes the condition always true, so the 401 challenge is always sent.
if ((!isset($_SERVER['PHP_AUTH_USER'])) || (1==1)) {
    // header() replaces an earlier header of the same name unless its second
    // argument is false, so only the last WWW-Authenticate below is kept.
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="My Realm1"');
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="My Realm2"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
?>
Does that cause one or three response headers to be sent back to the
browser?

I tried a browser simulator at http://www.wannabrowser.com/index.php
and it logged the following:

===============================================================================
HTTP/1.1 401
Date: Wed, 04 Jul 2007 01:18:37 GMT
Server: Apache
WWW-Authenticate: Basic realm="My Realm2"
Transfer-Encoding: chunked
Content-Type: text/html

Text to send if user hits Cancel button
===============================================================================

This seems to indicate PHP sent only one response message with only
the third instance of the WWW-Authenticate header, but I am not sure
how accurately it is listing everything.

Where can I get a sniffer?

Thanks.
Jul 4 '07 #4
