On Jul 3, 7:10 pm, Iván Sánchez Ortega <ivansanchez-...@rroba-
escomposlinux.-.punto.-.orgwrote:
Reporter wrote:
1. This is a status code not a header, right? = header('HTTP/
1.0 401 Unauthorized');
And how are status codes sent to the browser if not?? Next question,
please...
2. According to the change log in the PHP manual, starting with 4.4.2
and 5.1.2 the header function now prevents more than one header to be
sent at once as a protection against header injection attacks. Does
this mean if I make multiple header calls the headers will be sent in
multiple response messages to the browser? Is this allowed? Can a
server send multiple response messages to one request?]
This means that you can send more than one response (headers+content) if you
are a very, very bad person. HTTP request splitting, faking headers, and
that sort of thing. PHP will prevent you from doing so, up to certain
extent, of course.
3. If you hit the "cancel" button on the browser user name/password
request dialog (as alluded to in the code snippet above), what message
does the browser send to the server.
None. It displays the first response (401/Unauthorized) that it *already*
got from the webserver. Keep in mind that HTTP auth is a challenge-response
auth method: even if you supply the username and password to the web
browser at first, it *will* make an attempt to get the webpage without
sending the pair.
Things go like this:
- Browser requests a webpage
- Webserver replies with a 401/Unauth response, along with some HTML
- Browser displays "enter username/passwd" dialog. Browser does NOT render
that HTML.
- User enters username/passwd
- Browser requests the webpage, sending the username/passwd
- Webserver replies with a 200/OK response
- Browser renders webpage.
In case the user hits the "cancel" button, that previously discarded HTMLis
shown.
--
----------------------------------
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-
Un ordenador no es un televisor ni un microondas, es una herramienta
compleja.
OK those are great answers. Thank you very much.
Suppose I create this php file:
<?php
if ((!isset($_SERVER['PHP_AUTH_USER'])) || (1==1)) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
header('WWW-Authenticate: Basic realm="My Realm1"');
header('HTTP/1.0 401 Unauthorized');
header('WWW-Authenticate: Basic realm="My Realm2"');
header('HTTP/1.0 401 Unauthorized');
echo 'Text to send if user hits Cancel button';
exit;
} else {
echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</
p>";
}
?>
Does that cause one or three response headers to be sent back to the
browers?
I tried a browser simulator at
http://www.wannabrowser.com/index.php
and it logged the following:
================================================== =============================
HTTP/1.1 401
Date: Wed, 04 Jul 2007 01:18:37 GMT
Server: Apache
WWW-Authenticate: Basic realm="My Realm2"
Transfer-Encoding: chunked
Content-Type: text/html
Text to send if user hits Cancel button
================================================== =============================
This seems to indicate PHP sent only one response message with only
the third instance of the WWW-Authenticate header, but I am not sure
how accurately it is listing everything.
Where can I get a sniffer?
Thanks.
