Bug #19207 php-cgi.exe does not correctly set HTTP status
Submitted: 2002-08-30 20:09 UTC
Modified: 2002-11-22 04:17 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: Wendell at thePinegars dot com
Assigned:
Status: Closed
Package: IIS related
PHP Version: 4CVS-2002-08-30
OS: Windows 2000/.Net Server RC1
Private report: No
CVE-ID:
 [2002-08-30 20:09 UTC] Wendell at thePinegars dot com
The following code fragment works great with PHP 4.2.2 on IIS:

  Header("WWW-authenticate: basic realm=Logon");
  Header("HTTP/1.1 401 Unauthorized");
  echo "<HTML>\n";
  echo " <HEAD>\n";
  echo " <TITLE>Authorization Required</TITLE>\n";
  echo " </HEAD>\n";
  echo " <BODY BGCOLOR=#FFFFFF TEXT=#000000>\n";
  echo "  Invalid username and password with which to access this webpage.<P><br><br>\n";
  echo " </BODY>\n";
  echo "</HTML>\n";
  exit;

This code works correctly in 4.2.2.  It sets the status of the page to 401 and makes the browser prompt for the password.

However, using php-cgi.exe in the latest 4.3.0 development builds in IIS, the code does not work.  The browser receives a "HTTP/1.1 200 OK" instead of "HTTP/1.1 401 Unauthorized".  If I simply run the CGI script from the command prompt using php-cgi.exe in 4.3.0 I get the following:

Status: 401
Content-type: text/html
WWW-authenticate: basic realm=Logon

<HTML>
 <HEAD>
 <TITLE>Authorization Required</TITLE>
 </HEAD>
 <BODY BGCOLOR=#FFFFFF TEXT=#000000>
  Invalid username and password with which to access this webpage.<P><br><br>
 </BODY>
</HTML>

Running php.exe 4.2.2 from the console I get the following:

HTTP/1.1 401 Unauthorized
Content-type: text/html
WWW-authenticate: basic realm=Logon

<HTML>
 <HEAD>
 <TITLE>Authorization Required</TITLE>
 </HEAD>
 <BODY BGCOLOR=#FFFFFF TEXT=#000000>
  Invalid username and password with which to access this webpage.<P><br><br>
 </BODY>
</HTML>

Noticed that php 4.2.2 correctly returns the HTTP page status as "HTTP/1.1 401 Unauthorized" and php 4.3.0 only returns the tag "Status: 401".

The new tag "Status: 401" does not work in IIS; it needs to be the full "HTTP/1.1 401 Unauthorized".

 [2002-09-04 21:30 UTC] kalowsky@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-latest.zip

I believe there was just a patch submitted that fixes this.  I could be wrong though too, please test and update if still valid. :\
 [2002-09-05 11:22 UTC] Wendell at thePinegars dot com
Just tried the latest snapshot php4-win32-200209051400.zip and the issue still exists.  php-cgi.exe returns the following headers:

Status: 401
Content-type: text/html
WWW-authenticate: basic realm=Logon

The correct headers for php-cgi.exe to work in IIS should be:

HTTP/1.1 401 Unauthorized
Content-type: text/html
WWW-authenticate: basic realm=Logon
 [2002-09-24 11:48 UTC] jmoore@php.net
What version of IIS are you using? This works fine on Win XP Pro (No service pack) so IIS 5.0.

- James
--  
James Moore
jmoore@php.net
 [2002-09-24 13:03 UTC] Wendell at thePinegars dot com
I'm currently using IIS 6.0 in Windows .Net Server RC1 (build 3663).  Again, CGI PHP 4.2.2/4.2.3 works fine, just not CGI PHP 4.3.0.
 [2002-11-15 04:13 UTC] edink@php.net
Marking this critical (fix before 4.3.0 final).
See the related discussion http://www.phpbuilder.com/mail/php-developer-list/2002092/0238.php

 [2002-11-22 04:17 UTC] edink@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.

Please see new cgi.rfc2616_headers configuration directive in php.ini-dist.
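
Added example, not part of the original report and not PHP's own code: a Python check that classifies how a CGI response conveys its status (raw HTTP status line versus a Status: field) and whether a 401 challenge still reaches the client when the gateway does not translate Status:, which is the failure described in this thread. The function names and the gateway_honors_status_header flag are hypothetical, and the sample strings are constructed from the header blocks quoted above.

```python
import re

# Constructed samples built from the header blocks quoted in the report
# (CRLF line endings and the truncated body are assumptions).
CGI_430 = "Status: 401\r\nContent-type: text/html\r\nWWW-authenticate: basic realm=Logon\r\n\r\n<HTML>"
CGI_422 = "HTTP/1.1 401 Unauthorized\r\nContent-type: text/html\r\nWWW-authenticate: basic realm=Logon\r\n\r\n<HTML>"

STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})\b")


def parse_cgi_head(raw):
    """Return (form, code, headers) for the header block of a CGI response.

    form is 'status-line' (raw HTTP status line, as 4.2.2 printed),
    'status-header' (CGI Status: field, as the 4.3.0 builds printed) or
    'implicit' (neither present, so a gateway defaults to 200).
    """
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = [l for l in re.split(r"\r?\n", head) if l]
    form, code, headers = "implicit", 200, {}
    if lines:
        m = STATUS_LINE.match(lines[0])
        if m:
            form, code = "status-line", int(m.group(1))
            lines = lines[1:]
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header field; ignore it
        headers[name.strip().lower()] = value.strip()
    if form == "implicit" and "status" in headers:
        m = re.match(r"(\d{3})\b", headers["status"])
        if m:
            form, code = "status-header", int(m.group(1))
    return form, code, headers


def client_status(raw, gateway_honors_status_header):
    """Status the client would see. The False case models the behaviour
    reported here: Status: is not translated and the client gets 200."""
    form, code, _ = parse_cgi_head(raw)
    if form == "status-header" and not gateway_honors_status_header:
        return 200
    return code


def auth_challenge_intact(raw, gateway_honors_status_header):
    """True only if the client receives both 401 and WWW-Authenticate."""
    _, _, headers = parse_cgi_head(raw)
    return (client_status(raw, gateway_honors_status_header) == 401
            and "www-authenticate" in headers)
```

Running such a check against captured php-cgi output after a PHP upgrade or a change to cgi.rfc2616_headers shows whether pages that rely on a 401 challenge would instead be served with 200.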
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 17 09:02:29 2014 UTC