Bytes IT Community

Questions about HTTP headers sent with PHP in HTTP authentication

Here is an example from the PHP Manual

<?php

if ((!isset($_SERVER['PHP_AUTH_USER'])) || (1==1)) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'Text to send if user hits Cancel button';
exit;
} else {
echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
?>

Questions.

1. This is a status code, not a header, right? header('HTTP/1.0 401 Unauthorized');

2. According to the change log in the PHP manual, starting with 4.4.2
and 5.1.2 the header function now prevents more than one header to be
sent at once as a protection against header injection attacks. Does
this mean if I make multiple header calls the headers will be sent in
multiple response messages to the browser? Is this allowed? Can a
server send multiple response messages to one request?

3. If you hit the "cancel" button on the browser user name/password
request dialog (as alluded to in the code snippet above), what message
does the browser send to the server?

Jul 4 '07 #1
3 Replies


On Jul 3, 8:01 pm, Reporter <TruckSaf...@gmail.com> wrote:
> Here is an example from the PHP Manual
>
> <?php
>
> if ((!isset($_SERVER['PHP_AUTH_USER'])) || (1==1)) {
> header('WWW-Authenticate: Basic realm="My Realm"');
> header('HTTP/1.0 401 Unauthorized');
> echo 'Text to send if user hits Cancel button';
> exit;
> } else {
> echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
> echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
> }
> ?>
>
> Questions.
>
> 1. This is a status code, not a header, right? header('HTTP/1.0 401 Unauthorized');

It's both. The status code (401) is sent as a special header -- which
begins with HTTP/1.0. For instance, you would send the status code
302 as a header with the content "HTTP/1.0 302 Moved Temporarily."

> 2. According to the change log in the PHP manual, starting with 4.4.2
> and 5.1.2 the header function now prevents more than one header to be
> sent at once as a protection against header injection attacks. Does
> this mean if I make multiple header calls the headers will be sent in
> multiple response messages to the browser? Is this allowed? Can a
> server send multiple response messages to one request?

You typically only send one response to the browser. One request =
one response. What the manual is talking about is sending multiple
headers in a single call to the header() function. If you call the
header() function twice, you will have sent two headers as part of the
same response.

> 3. If you hit the "cancel" button on the browser user name/password
> request dialog (as alluded to in the code snippet above), what message
> does the browser send to the server?

I'm not entirely sure, but I know the above code works. You could try
using a packet sniffer to see what is actually sent back to the server.

Jul 4 '07 #2

Reporter wrote:
> 1. This is a status code, not a header, right? header('HTTP/1.0 401 Unauthorized');

And how are status codes sent to the browser if not?? Next question,
please...

> 2. According to the change log in the PHP manual, starting with 4.4.2
> and 5.1.2 the header function now prevents more than one header to be
> sent at once as a protection against header injection attacks. Does
> this mean if I make multiple header calls the headers will be sent in
> multiple response messages to the browser? Is this allowed? Can a
> server send multiple response messages to one request?

This means that you can send more than one response (headers+content) if you
are a very, very bad person. HTTP request splitting, faking headers, and
that sort of thing. PHP will prevent you from doing so, up to certain
extent, of course.

> 3. If you hit the "cancel" button on the browser user name/password
> request dialog (as alluded to in the code snippet above), what message
> does the browser send to the server?

None. It displays the first response (401/Unauthorized) that it *already*
got from the webserver. Keep in mind that HTTP auth is a challenge-response
auth method: even if you supply the username and password to the web
browser at first, it *will* make an attempt to get the webpage without
sending the pair.

Things go like this:
- Browser requests a webpage
- Webserver replies with a 401/Unauth response, along with some HTML
- Browser displays "enter username/passwd" dialog. Browser does NOT render
that HTML.
- User enters username/passwd
- Browser requests the webpage, sending the username/passwd
- Webserver replies with a 200/OK response
- Browser renders webpage.

In case the user hits the "cancel" button, that previously discarded HTML is
shown.

--
----------------------------------
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-

A computer is not a television or a microwave; it is a complex tool.
Jul 4 '07 #3
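The step list in the reply above, carried through as an added PHP example (not code from the thread or the PHP manual): the script sends the single 401 challenge response on the first, credential-less request, verifies the pair the browser sends on the second request, and returns the 200 page. It assumes a web SAPI (mod_php or php-fpm; under the CLI header() does nothing), PHP 5.5 or later for password_hash()/password_verify(), and a constructed one-user table; the helper names send_challenge() and credentials_from_request() are my own.

```php
<?php
// Added example, not from the thread or the PHP manual. Basic auth sends the
// pair base64-encoded (reversible, not encrypted) on every request after the
// challenge, so this only belongs behind TLS.

// Constructed user table. A real application stores the hash and never
// recomputes it per request; it is computed here so the script is self-contained.
$users = array(
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
);
// Verified when the username is unknown, so an unknown user costs the same
// time as a wrong password (no username enumeration through timing).
$dummy_hash = password_hash('not-a-real-password', PASSWORD_DEFAULT);

function send_challenge($realm, $body)
{
    // Steps 2 and 3 of the list: one response carrying the status line (the
    // third argument sets it, equivalent to header('HTTP/1.0 401 Unauthorized'))
    // and the WWW-Authenticate challenge. The body is the "text to send if the
    // user hits Cancel": the browser keeps it and renders it only on Cancel.
    header('WWW-Authenticate: Basic realm="' . $realm . '"', true, 401);
    header('Content-Type: text/plain; charset=utf-8');
    echo $body;
    exit;
}

function credentials_from_request()
{
    // mod_php fills PHP_AUTH_USER/PHP_AUTH_PW from "Authorization: Basic ...".
    if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        return array($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
    }
    // Under CGI/FastCGI the raw header arrives as HTTP_AUTHORIZATION, and only
    // if the web server is configured to pass it through; decode it here.
    if (isset($_SERVER['HTTP_AUTHORIZATION'])
        && preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/i', $_SERVER['HTTP_AUTHORIZATION'], $m)) {
        $decoded = base64_decode($m[1], true);
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            // Only the first ':' separates user and password; a password may contain ':'.
            return explode(':', $decoded, 2);
        }
    }
    return null;   // step 1: the browser has not sent any credentials yet
}

$creds = credentials_from_request();
if ($creds === null) {
    send_challenge('My Realm', 'Authentication required. You pressed Cancel.');
}
list($user, $pass) = $creds;

// Steps 5 and 6: verify the pair. Re-challenge with the same realm on failure
// so the browser shows the dialog again instead of reusing the bad pair.
$stored = isset($users[$user]) ? $users[$user] : $dummy_hash;
if (!password_verify($pass, $stored) || !isset($users[$user])) {
    send_challenge('My Realm', 'Invalid username or password.');
}

// Step 7: the 200 response. Escape the name, and never echo the password back
// (the manual snippet does so only to illustrate that PHP_AUTH_PW is available).
header('Content-Type: text/html; charset=utf-8');
echo '<p>Hello ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '.</p>';
```

To watch the exchange without a sniffer, request the script twice with curl: `curl -i https://HOST/auth.php` (HOST is a placeholder) shows the 401 line, the WWW-Authenticate header and the Cancel body; `curl -i -u alice:'correct horse battery staple' https://HOST/auth.php` sends the Authorization header on the very first request and gets the 200 page.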

On Jul 3, 7:10 pm, Iván Sánchez Ortega <ivansanchez-...@rroba-escomposlinux.-.punto.-.org> wrote:
> Reporter wrote:
> > 1. This is a status code, not a header, right? header('HTTP/1.0 401 Unauthorized');
>
> And how are status codes sent to the browser if not?? Next question,
> please...
> > 2. According to the change log in the PHP manual, starting with 4.4.2
> > and 5.1.2 the header function now prevents more than one header to be
> > sent at once as a protection against header injection attacks. Does
> > this mean if I make multiple header calls the headers will be sent in
> > multiple response messages to the browser? Is this allowed? Can a
> > server send multiple response messages to one request?
>
> This means that you can send more than one response (headers+content) if you
> are a very, very bad person. HTTP request splitting, faking headers, and
> that sort of thing. PHP will prevent you from doing so, up to certain
> extent, of course.
> > 3. If you hit the "cancel" button on the browser user name/password
> > request dialog (as alluded to in the code snippet above), what message
> > does the browser send to the server?
>
> None. It displays the first response (401/Unauthorized) that it *already*
> got from the webserver. Keep in mind that HTTP auth is a challenge-response
> auth method: even if you supply the username and password to the web
> browser at first, it *will* make an attempt to get the webpage without
> sending the pair.
>
> Things go like this:
> - Browser requests a webpage
> - Webserver replies with a 401/Unauth response, along with some HTML
> - Browser displays "enter username/passwd" dialog. Browser does NOT render
> that HTML.
> - User enters username/passwd
> - Browser requests the webpage, sending the username/passwd
> - Webserver replies with a 200/OK response
> - Browser renders webpage.
>
> In case the user hits the "cancel" button, that previously discarded HTML is
> shown.
>
> --
> ----------------------------------
> Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-
>
> A computer is not a television or a microwave; it is a complex tool.

OK those are great answers. Thank you very much.

Suppose I create this php file:

<?php

if ((!isset($_SERVER['PHP_AUTH_USER'])) || (1==1)) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
header('WWW-Authenticate: Basic realm="My Realm1"');
header('HTTP/1.0 401 Unauthorized');
header('WWW-Authenticate: Basic realm="My Realm2"');
header('HTTP/1.0 401 Unauthorized');
echo 'Text to send if user hits Cancel button';
exit;
} else {
echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
?>
Does that cause one or three response headers to be sent back to the
browser?

I tried a browser simulator at http://www.wannabrowser.com/index.php
and it logged the following:

===============================================================================
HTTP/1.1 401
Date: Wed, 04 Jul 2007 01:18:37 GMT
Server: Apache
WWW-Authenticate: Basic realm="My Realm2"
Transfer-Encoding: chunked
Content-Type: text/html

Text to send if user hits Cancel button
===============================================================================

This seems to indicate PHP sent only one response message with only
the third instance of the WWW-Authenticate header, but I am not sure
how accurately it is listing everything.

Where can I get a sniffer?

Thanks.
Jul 4 '07 #4
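What the three-realm script above and reply #2 describe, as an added PHP example that is not code from the thread: how repeated header() calls combine into the one response (the replace-versus-append behaviour that left only "My Realm2" in the wannabrowser log), and what the 4.4.2/5.1.2 header-injection protection actually refuses. It assumes a web SAPI with display_errors off (under the CLI header() is a no-op and headers_list() stays empty); the helper safe_realm() and the $untrusted value are my own constructions.

```php
<?php
// Added example, not from the thread. Run it under Apache/php-fpm and read the
// response headers; with display_errors on, the warning from the refused call
// below would itself be printed, start the body and block every later header().

function safe_realm($value, $fallback = 'My Realm')
{
    // A realm built from request data must not contain CR, LF or the quote
    // that closes the realm value; reject rather than strip so the header
    // that reaches the browser is exactly the one the code intended.
    return preg_match('/[\r\n"]/', $value) ? $fallback : $value;
}

// The status line is set by a header() string starting with "HTTP/", by the
// third argument (as here), or by http_response_code() from PHP 5.4 on.
header('WWW-Authenticate: Basic realm="My Realm"', true, 401);

// Default $replace = true: a second call with the same header name overwrites
// the first, which is why three plain calls in the script above left only the
// last realm in the log. No second response is started; it is the same one.
header('WWW-Authenticate: Basic realm="My Realm1"');

// $replace = false appends instead; the response now carries two
// WWW-Authenticate headers, still inside the one and only response.
header('WWW-Authenticate: Basic realm="My Realm2"', false);

// Constructed request-derived value containing CR LF. Before 4.4.2/5.1.2 this
// would have ended the WWW-Authenticate line and started a second header line
// (the "header injection" the changelog refers to); since then header()
// refuses the whole call with an E_WARNING and queues nothing for it.
$untrusted = "My Realm\r\nX-Injected: yes";
header('WWW-Authenticate: Basic realm="' . $untrusted . '"', false);

// The application-side check: validate before the value reaches header(),
// so the fallback realm is sent instead of relying on the refusal.
header('WWW-Authenticate: Basic realm="' . safe_realm($untrusted) . '"', false);

// headers_list() shows every header queued for this single response: the
// realms "My Realm1", "My Realm2" and the fallback "My Realm", and nothing
// from the refused call. One request still gets exactly one response.
header('Content-Type: text/plain');
print_r(headers_list());
exit;
```

For the sniffer question, the same headers can be read without one: `curl -i https://HOST/headers.php` (HOST is a placeholder) prints the status line and every header exactly as the server sent them.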
