Bug #26606 WWW-Authenticate always fails if register_globals=off
Submitted: 2003-12-12 11:15 UTC
Modified: 2003-12-12 12:33 UTC
From: lutz dot schwarz at cgs dot de
Assigned:
Status: Not a bug
Package: Variables related
PHP Version: 4.3.2
OS: Win NT
Private report: No
CVE-ID: None
 [2003-12-12 11:15 UTC] lutz dot schwarz at cgs dot de
Description:
------------
If registering global variables is enabled (php.ini: register_globals = on), the variables $PHP_AUTH_USER and $GLOBALS['PHP_AUTH_USER'] are implicitly set to the values the browser sent. That works fine.

In case registering global variables is disabled (php.ini: register_globals = off), neither $PHP_AUTH_USER nor $GLOBALS['PHP_AUTH_USER'] is set. This IS desired for $PHP_AUTH_USER but it seems to be wrong for $GLOBALS['PHP_AUTH_USER'].

Since I found no other way to get the username and password entered by the user, a site cannot use "WWW-Authenticate" if register_globals is off.

I use PHP compiled as Apache module on a Windows-NT4.

PHP Version:
PHP 4.3.2 (cgi-fcgi), Copyright (c) 1997-2003 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2003 Zend Technologies
    with DBG v2.11.23, (C) 2000,2001,2002,2003, by Dmitri Dmitrienko

Apache version:
Server version: Apache/2.0.46
Server built:   Jun  2 2003 20:35:59


Reproduce code:
---------------
<?php
    if (!isset($GLOBALS['PHP_AUTH_USER']))
    {
        Header( "WWW-Authenticate: Basic realm=\"Test Authentication System\"");
        Header( "HTTP/1.0 401 Unauthorized");
        echo "You must enter a valid login ID and password to access this resource.\n";
        exit;
    }
    // never reached if "register_globals = Off" in php.ini
    echo "Hello {$GLOBALS['PHP_AUTH_USER']} !!<br>";
?>


Expected result:
----------------
Hello what_ever_i_entered_as_username !!


Actual result:
--------------
The browser repeats showing the authentication dialog until pressing cancel. Then the browser shows:
You must enter a valid login ID and password to access this resource.

 [2003-12-12 11:54 UTC] lutz dot schwarz at cgs dot de
The value of PHP_AUTH_USER can be found in $_SERVER['PHP_AUTH_USER'] rather than in $GLOBALS['PHP_AUTH_USER'] ...

I close the bug report.
 [2003-12-12 12:33 UTC] mgf@php.net
user error => bogus
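
The resolution noted in the thread, shown as an added example that is not part of the original report: the reproduce script rewritten to read the Basic credentials from `$_SERVER`, which is populated regardless of `register_globals`. It assumes a current PHP (7.0 or later, for `??` and `password_verify()`); the `$users` store, the `challenge()` helper and the credentials in it are hypothetical, constructed values.

```php
<?php
// Added example, not code from the bug report.
// The user store and its credentials are constructed sample values; the hash
// is generated at startup only so that the script is self-contained.
const REALM = 'Test Authentication System';

// Hypothetical user store: username => password_hash() output.
$users = ['demo' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];

// Send the Basic challenge and stop, as the original reproduce code does.
function challenge(): void
{
    header('WWW-Authenticate: Basic realm="' . REALM . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo "You must enter a valid login ID and password to access this resource.\n";
    exit;
}

// With register_globals = off, neither $PHP_AUTH_USER nor
// $GLOBALS['PHP_AUTH_USER'] exists; the values live in $_SERVER.
$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? null;

if ($user === null || $pass === null) {
    challenge();
}

// isset() on the username only proves the browser sent something.
// Check the password against the stored hash before granting access.
$hash = $users[$user] ?? null;
if ($hash === null || !password_verify($pass, $hash)) {
    challenge();
}

// The username is client-supplied, so escape it before echoing into HTML.
echo 'Hello ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . ' !!<br>';
```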
 
Last updated: Fri Dec 27 02:01:29 2024 UTC