PHP :: Bug #20461 :: Unable to access $PHP_AUTH_USER or $PHP_AUTH

Bug #20461	Unable to access $PHP_AUTH_USER or $PHP_AUTH_PW
Submitted:	2002-11-17 01:11 UTC	Modified:	2002-11-17 23:44 UTC
From:	shawn at boldar dot com	Assigned:
Status:	Not a bug	Package:	Apache related
PHP Version:	4CVS-2002-11-17	OS:	Linux 2.4.8
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[2002-11-17 01:11 UTC] shawn at boldar dot com

I recently decided to upgrade to GD 2.0 but was having problems getting it to compile with 4.2.3 or any of the older versions of PHP, which is odd because I've had it work before.  Anyways, as a last resort, I decided to download one of the stable CVS snapshots and, lo and behold, it worked fine.

The only problem I'm having now is that I can't seem to access $PHP_AUTH_USER or $PHP_AUTH_PW, and I have a few applications on my site that depend on being able to access these variables.  The variables appear to be empty when I reference them.  I am using the exact same configure line when I compiled the CVS version of PHP as I used when I tried the other versions...

./configure --with-apxs --with-mysql --enable-ftp --with-session --with-zlib-dir=/usr/local --with-gd=/usr/local --with-jpeg-dir=/usr/local --with-png-dir=/u
sr/local --with-freetype-dir=/usr/local --with-mcal=/usr/local --with-mhash=/usr/local

I have GD 2.0 installed under /usr/local, as indicated by the configure line above.  If you need any additional information, please contact me.  Thanks in advance for your help.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-11-17 05:32 UTC] sander@php.net

Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it
to this bug and change the status back to "Open".

Thank you for your interest in PHP.

[2002-11-17 13:01 UTC] philip@php.net

Is the php directive register_globals on or off?  The default changed in PHP 4.2.0 from on to off, phpinfo() will tell you your true setting.

[2002-11-17 17:57 UTC] shawn at boldar dot com

register_globals is on.. i know the default changed, but it's still using the same php.ini file i've had for a while now.  i double-checked phpinfo() to be sure.

[2002-11-17 20:13 UTC] sniper@php.net

Are you using some external auth mechanism?

[2002-11-17 22:09 UTC] shawn at boldar dot com

not using any external auth... simply using regular http authentication through apache... certain directories on the webserver are protected, and so it pops up the box asking the user for username/password.. and then rather then ask them AGAIN for a login for some of my web-based apps, i simply pass the http auth info (via $PHP_AUTH_USER and $PHP_AUTH_PW) along to these apps.  the only problem is, those 2 variables don't seem to exist anymore for me.  nothing has changed in my configuration except for the fact that i'm now using the cvs version of php as opposed to 4.2.3 (if you read in my original bug report it explains why).

[2002-11-17 22:23 UTC] sniper@php.net

I can not reproduce this, it works fine here.
Try accessing the variables through $_SERVER variable:

$_SERVER['PHP_AUTH_USER']
$_SERVER['PHP_AUTH_PW']

And what Apache version are you using?
What do you mean with "regular http authentication through apache" ??

[2002-11-17 22:43 UTC] shawn at boldar dot com

tried using $_SERVER already, no dice.

i meant using the mod_auth module in apache to protect certain directories.. when those directories are accessed, the browser pops up a window for the user to enter in their username/password for that resource...

[2002-11-17 22:45 UTC] shawn at boldar dot com

forgot to answer your other question.. using apache 1.3.20 -- been wanting to upgrade to 2.0 but have had a whole different set of problems w/ that, so taking things one step at a time...

[2002-11-17 23:44 UTC] sniper@php.net

Then that is an external auth mechanism and means this
is not a bug in PHP:

From: http://www.php.net/manual/en/features.http-auth.php

"In order to prevent someone from writing a script which 
reveals the password for a page that was authenticated 
through a traditional external mechanism, the
PHP_AUTH variables will not be set if external 
authentication is enabled for that particular page. In this 
case, REMOTE_USER can be used to identify the
externally-authenticated user. So, $_SERVER['REMOTE_USER']. 

Configuration Note: PHP uses the presence of an AuthType 
directive to determine whether external authentication is in 
effect. Remember to avoid this directive for the context 
where you want to use PHP authentication (otherwise each 
authentication attempt will fail). 
"

There was a bug in previous PHP 4 versions which let the 
external authenticated usernames and passwords to be revealed for scripts. This is fixed in PHP 4.3.0.

(btw. you really should upgrade your apache to 1.3.27! And forget Apache2, it really is not ready for production use)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu May 16 17:01:37 2024 UTC