
PHP_AUTH_* and HTTP_AUTHORIZATION?

When the server sends out a WWW-Authenticate header combined with a
401 response code, you get prompted for a username / password.

On some servers, this username and password are then saved in
$_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']. On others,
however, they aren't. So why, on these servers, isn't the value saved
in $_SERVER['HTTP_AUTHORIZE']? The authorize header in the HTTP
response is the header that contains that info, anyway.

eg. Authorization: Basic YXNkZjphc2Rm

...which base64_decode()'s to 'asdf:asdf'.

It seems that most any header in the HTTP request is added to $_SERVER
via HTTP_* (even made up ones), so why is Authorize different?
Dec 21 '07 #1


On 21 Dec, 19:58, yawnmoth <terra1...@yahoo.com> wrote:
> When the server sends out a WWW-Authenticate header combined with a
> 401 response code, you get prompted for a username / password.
>
> On some servers, this username and password are then saved in
> $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']. On others,
> however, they aren't. So why, on these servers, isn't the value saved
> in $_SERVER['HTTP_AUTHORIZE']? The authorize header in the HTTP
> response is the header that contains that info, anyway.
>
> eg. Authorization: Basic YXNkZjphc2Rm
>
> ...which base64_decode()'s to 'asdf:asdf'.
>
> It seems that most any header in the HTTP request is added to $_SERVER
> via HTTP_* (even made up ones), so why is Authorize different?

Because HTTP only defines how the webserver and browser negotiate
authentication - not what gets passed via CGI/other API.

(BTW you should never use BASIC authentication over a non-SSL
connection - use digest instead - but this still won't protect against
MITM attacks)

C.
Dec 24 '07 #2
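
A fallback reader for the situation discussed in this thread, as an added example that is not part of either post: it uses PHP_AUTH_USER / PHP_AUTH_PW when PHP has populated them and otherwise decodes the raw Basic header. It assumes the web server has been configured to forward the header as HTTP_AUTHORIZATION or REDIRECT_HTTP_AUTHORIZATION; the function name basic_credentials is hypothetical.

```php
<?php
// Added example, not code from the thread. Takes a $_SERVER-style array and
// returns [user, password], or null when no usable Basic credentials exist.
function basic_credentials(array $server): ?array
{
    // Case 1: the SAPI already decoded the header for us.
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }

    // Case 2: only the raw header was forwarded. Apache prefixes environment
    // variables with REDIRECT_ after an internal redirect, so check both.
    $raw = $server['HTTP_AUTHORIZATION']
        ?? $server['REDIRECT_HTTP_AUTHORIZATION']
        ?? null;
    if (!is_string($raw) || !preg_match('/^Basic\s+(\S+)$/i', trim($raw), $m)) {
        return null; // header absent, or a scheme other than Basic
    }

    // Strict mode rejects characters outside the base64 alphabet.
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }

    // Split on the first colon only: the password may itself contain ':'.
    return explode(':', $decoded, 2);
}

// Constructed inputs; the header value is the one quoted in the question.
$samples = [
    'decoded by SAPI' => ['PHP_AUTH_USER' => 'asdf', 'PHP_AUTH_PW' => 'asdf'],
    'raw header only' => ['HTTP_AUTHORIZATION' => 'Basic YXNkZjphc2Rm'],
    'after redirect'  => ['REDIRECT_HTTP_AUTHORIZATION' => 'Basic YXNkZjphc2Rm'],
    'other scheme'    => ['HTTP_AUTHORIZATION' => 'Digest username="asdf"'],
    'no header'       => [],
];
foreach ($samples as $label => $server) {
    $cred = basic_credentials($server);
    // Print the user name only; the password stays out of the output.
    echo $label, ': ', $cred === null ? 'none' : 'user=' . $cred[0], "\n";
}
```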
