php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #29805 HTTP Authentication Issues
Submitted: 2004-08-24 03:39 UTC Modified: 2005-04-05 21:12 UTC
Votes:10
Avg. Score:3.4 ± 1.1
Reproduced:2 of 3 (66.7%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: michaelw at webcentral dot com dot au Assigned: thetaphi (profile)
Status: Closed Package: iPlanet related
PHP Version: 4CVS, 5CVS (2004-12-11) OS: Solaris 9
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: michaelw at webcentral dot com dot au
New email:
PHP Version: OS:

 

 [2004-08-24 03:39 UTC] michaelw at webcentral dot com dot au 
Description:
------------
Hi,

PHP HTTP Authentication under Sun One Webserver 6.0 (and presumably any iPlanet variant) doesn't seem to work correctly.

The PHP_AUTH_USER and PHP_AUTH_PW variables don't seem to get set. (This is with Safe Mode disabled). 

Additionally, with Safe Mode enabled, I cannot determine the username or password entered by the user.  



Reproduce code:
---------------
<?php
  if (!isset($_SERVER['PHP_AUTH_USER'])) {
   header('WWW-Authenticate: Basic realm="My Realm"');
   header('HTTP/1.0 401 Unauthorized');
   echo 'Text to send if user hits Cancel button';
   exit;
  } else {
   echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
   echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
  }
?>


Expected result:
----------------
Under apache, the output is:

Hello testing.

You entered 123 as your password.

(when username is testing and 123 is password)

Under SunOne, the username/password box just keeps redisplaying. 

Actual result:
--------------
Under SunOne, the username/password box just keeps redisplaying.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-08-24 23:51 UTC] thetaphi@php.net 
Have you installed the fake authenticator "php4_ as written in the docs?

"To use PHP Authentication on a single directory, add the following: <Object ppath="d:\path\to\authenticated\dir\*">
AuthTrans fn=php4_auth_trans
</Object>"

The problem is: iPlanet SunONE does not send the password to PHP so it is not a problem of PHP. With the code from the docs you tell SunONE to pass the authentication data to the "fake" function "php4_auth_trans" that only says "auth done" and no other AuthTrans directives from obj.conf get executed. This switches of all other authentication in the server (Java, .htaccess,...) but lets PHP get the data. By limiting this to a directory you can leave the SunONE authentication for other directories intact.
 [2004-08-25 00:45 UTC] michaelw at webcentral dot com dot au 
From obj.conf

<Object name="default">
AuthTrans fn=php4_auth_trans

<snipped>
 [2004-08-25 11:05 UTC] thetaphi@php.net 
The PHP AuthTrans must be the first AuthTrans directive. I can take a look at this the next days.
 [2004-08-25 11:10 UTC] michaelw at webcentral dot com dot au 
Currently, it is the ONLY AuthTrans directive.
 [2004-08-30 01:19 UTC] michaelw at webcentral dot com dot au 
Any progress with this ?
 [2004-09-14 03:59 UTC] michaelw at webcentral dot com dot au 
Hi,

Just wondering if you've found time to look at this ?

Regards,
Michael Ward.
 [2004-09-15 23:33 UTC] thetaphi@php.net 
Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

For newer servers (SunONE 6.0) leave out the php4_auth_trans directive in *.obj.conf, it works without!
 [2004-09-15 23:55 UTC] thetaphi@php.net 
Sorry, you cannot take the PHP4 latest stable snapshot now, because it is frozen (release of 4.3.9) and this bug is not critical. After release of 4.3.9 this is fixed in CVS.
 [2004-09-22 00:02 UTC] thetaphi@php.net 
Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

Snapshots with this patch are available now.
 [2004-09-22 11:23 UTC] michaelw at webcentral dot com dot au 
Ok, the new CVS release works correctly if safe_mode is disabled. However, if safe_mode is enabled, there does not appear to be any way to get authentication information. 

This presents a problem for me, at least, as in my environment I need to run PHPMyAdmin (using HTTP authentication) with safe_mode turned on. 

Is there some method for obtaining authentication information whilst running under safe mode ?
 [2004-09-26 22:42 UTC] thetaphi@php.net 
Two things you can do at this time, the remove of the safe_mode security check for NSAPI is under discussion:

a) Remove the "if" clause from nsapi.c: php_handle_auth_data(pblock_findval("authorization", rq->headers) TSRMLS_CC);

b) Disable Safe-Mode only for this application. With NSAPI you can do this in vserver.obj.conf:
* Create a new Style in Server Manager and assign this style to the PHPMyAdmin directory
* Change the obj.conf in that style (<Object name="bla">) and add the php4_execute-service as in the "default" object; but add a safe_mode=0 to the end of the line (this is an additional php.ini value)
 [2004-10-04 01:02 UTC] michaelw at webcentral dot com dot au 
Hey,

As a workaround, I disabled the if-check, so it sets the variables regardless of whether its in safe-mode or not. Any information on whether this will remain as-is in CVS, or .. ?
 [2005-04-05 21:12 UTC] thetaphi@php.net 
All SAPIs behave in this way. No need to change this.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri Oct 24 19:00:01 2025 UTC