|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #10079 Header Function Within IF construct
Submitted: 2001-03-30 11:38 UTC Modified: 2001-04-05 15:10 UTC
From: dgrimes at scvl dot com Assigned:
Status: Closed Package: *General Issues
PHP Version: OS:
Private report: No CVE-ID: None
 [2001-03-30 11:38 UTC] dgrimes at scvl dot com

// Header("WWW-Authenticate: Basic realm=\"Realm\"");

if (!$PHP_AUTH_USER) {
        Header("WWW-Authenticate: Basic realm=\"Realm\"");
        Header("HTTP/1.0 401 Unauthorized");
} else
        echo "else";


Compiler: gcc 2.95.2
Make: GNU 3.79
FSU Pthreads: 3.8

Apache: 1.3.19
MySQL: 3.23.36
PHP: 4.0.4pl1
Freetype: 2.0
LibPNG: 1.0.9
LibJPEG: 6b
Libgd: 1.8.4

PHP is compiled as an Apache module with the following options:

--with-mysql --with-apache --with-pdflib --with-gd --with-trans-sid --enable-track-vars --enable-sysvsem --enable-sysvshm

Description of problem:

Both sides of the IF construct are being executed when testing the $PHP_AUTH_USER variable AND issuing the header function. I posted this question in the general mail list but have received any reponse from

Using the script list above, follow the steps shown below to produce this problem:

1. Close all instances of your browser (I am using IE-5.01 and I have not tried any other browsers). However I don't believe it is a browser issue.

2. Run the script shown above.

3. Enter some user ID and password... Everything so far works fine.

4. Look in the directory where the script is stored. There should be a file called xxxx. This indicates that $PHP_AUTH_USER was NOT set.

5. Remove the file xxxx.

6. Refresh the browser. Look for the file xxxx. Notice that xxxx is present; which should only happen if $PHP_AUTH_USER is NOT set....YET "else" was printed on screen which indicates that $PHP_AUTH_USER IS set.

7. Uncomment the commented "header" line and notice that a user ID and password prompt is always issued in this case.

My questions are:

1. Why are both sides of the conditional "If (!isset($PHP_AUTH_USER))" being executed?

2. Why, when $PHP_AUTH_USER is not set, the 'exec(">xxxx")' runs on subsequent refreshes, but no prompt for a new user ID and password is issued?

3. Why, if a authenticate header is sent before testing, a user ID and password prompt is issued?

Thanks for taking a look at this.



Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2001-03-30 12:34 UTC]
Are you running Apache as standalone or inetd?

If I remember right, PHP/Apache/inetd likes to lose env variables.

 [2001-03-30 15:10 UTC]
Use the web interface, do not reply to these emails.

I did not try it because i did not have the time.  I just  tried it and did not get those same results.

After the first login it did create the file, I deleted, refreshed, no file...did what it is supposed to.

I am however using a CVS version of 4.0.5, have you tried it with the CVS version?


 [2001-03-30 15:12 UTC]
Open -> Feedback

That's rather annoying that the state is not saved, is anyone working on this?  I know there is a new system coming, but not for a while.  Or where is it located in CVS and I'll fix it.

 [2001-03-30 15:21 UTC] dgrimes at scvl dot com
Apache is running standalone as a daemon.
No, I havn't tried 4.0.5. I'll give it try ... Just tell where to download it.

 [2001-03-30 15:45 UTC]

 [2001-03-30 16:56 UTC] dgrimes at scvl dot com
I guess I'm doing this right... I downloaded php4-200103301245.tar.gz. Unzipped, untarred and configured using --with-mysql --with-apache --with-trans-sid --enable-track-vars --enable-sysvsem --enable-sysvshm

All configured fine. But make is not making....

I'm getting symbol referencing errors. It is quite possible that this version is not quite ready for SCO OpenServer. If you want, I'll send you the debug.log file from the make operation. I'm not sure if you even mess with installation problems of PHP in this forum.

I have a question: Is the annomally I reported a bug in 4.0.4pl1 or is it just my system?

 [2001-04-03 09:31 UTC] dgrimes at scvl dot com
I was able to get PHP-4.0.5 installed and I still have the same problem. Is there anything else you would like me to try? Is this a bug or expected behaviour?

Thanks for help.

 [2001-04-03 10:30 UTC]
Try this script:


if(!isset($PHP_AUTH_USER)) {
    header('WWW-Authenticate: Basic Realm="A Test R"');
    header("HTTP/1.0 401 Unauthorized");
    echo "boo";
} else {
    echo "else";


I can't reproduce the problem you have.


p.s. Are you sure that you have this in your httpd.conf:

ServerType standalone 

 [2001-04-03 18:30 UTC] dgrimes at scvl dot com
Yes, I double checked it and ServerType standalone is in my httpd.conf file.

If there is anything I can do to help you debug the problem, just let me know. If you want you can dial in and see for your self. This is not a production server that I am testing on, so we can do whatever to track this down.

The problem I'm having, is that I want to do some authentication but code that should not execute is getting executed.

 [2001-04-05 11:55 UTC] dgrimes at scvl dot com
I did some more testing and have found that it is indeed browser related. MSIE 5.01 SP2 have the problem and 5.00 and 5.5 do not. Have you tested with this browser? Also, why would PHP behave as it does? Is it a timing issue?

 [2001-04-05 15:10 UTC]
As this is a browser problem with only one browser and one
version of it -> closed. It's a bug in IE 5.01 SP2 so 
report it to Microsoft. IIRC they only support > 5.5 now so
good luck. 


PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Thu Dec 08 19:03:42 2022 UTC