Bug #24768 No way to clear PHP_AUTH_* variables if authorization fails
Submitted: 2003-07-23 08:09 UTC Modified: 2003-07-23 11:03 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: tgourrier at hotmail dot com Assigned:
Status: Not a bug Package: HTTP related
PHP Version: 4.3.1 OS: All
Private report: No CVE-ID: None
 [2003-07-23 08:09 UTC] tgourrier at hotmail dot com
Description:
------------
When using the:
header('WWW-Authenticate: Basic realm="My Realm"');
mechanism, the PHP_AUTH_* variables are set and there is no way to clear or unset these variables if the authentication fails.

This is in contrast to the way that external authentication works (with Apache at least). If external authentication fails, the PHP_AUTH variables are not set (or at least they are cleared).

There should be some way within PHP to clear these variables if the authentication is not successful.


 [2003-07-23 08:33 UTC] iliaa@php.net
Try the script below with an .htpasswd/.htaccess protection. On my test server, unless correct credentials are specified, PHP_AUTH variables are not populated.

<?php
  if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
  } else {
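    // Escape the client-supplied values before reflecting them into HTML.
    echo "<p>Hello " . htmlspecialchars($_SERVER['PHP_AUTH_USER']) . ".</p>";
    echo "<p>You entered " . htmlspecialchars($_SERVER['PHP_AUTH_PW']) . " as your password.</p>";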
  }
?>
 [2003-07-23 09:04 UTC] tgourrier at hotmail dot com
I think you have run this script in a directory which is protected with a .htaccess file. That is not the scenario I am referring to. If you run the script you provided as an unprotected file, there is no checking to see if the credentials provided are correct. It just takes whatever the user enters, prints that out, and sets the PHP_AUTH_USER and PHP_AUTH_PW fields.

This is my point. In a real script, instead of just echoing out the userid and password in the else clause, you would validate it against some logic. If the provided username/password do not meet the criteria specified in your logic then at that point the authentication has failed -- but the PHP_AUTH variables are already set and there is no way to clear them.
 [2003-07-23 10:12 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

If that is your intent, you should keep .htpasswd in some inaccessible, non-web directory; then the AUTH variable will not be populated. Usage of .htpasswd without an appropriate .htaccess is wrong.
 [2003-07-23 10:51 UTC] tgourrier at hotmail dot com
I think you do not understand my scenario. My .htpasswd IS in a non-web directory, but this issue has nothing to do with .htpasswd files or .htaccess files. Let me clarify a little more.

I have a php page which I would like users to access both without authenticating. If the users choose to authenticate, they may, and if they do so successfully, then the page will display additional content. If I use the default .htaccess directive "Require user", then the users will be forced to authenticate to view the page. Also, if this were the case, I would not need to use the: header('WWW-Authenticate: Basic realm="My Realm"') command, as the web server would force authentication.

In my scenario the authentication is invoked by some action the user takes. This action calls a script which has the header('WWW-Authenticate: ...') command in it. However, this command does not authenticate a user against anything -- it simply collects a username and password. It is then up to the remainder of the script to do the authentication.

What needs to be done is after the header() function collects the username and password, run some logic to authenticate the user. If this logic fails, then the user is NOT authenticated. The problem is the PHP_AUTH variables are already set, and there is no way to unset or clear them.

Take for example, I have a page that I would like to conditionally secure with a username of "foo" and a password of "fighters". I could use the following script:
<?php
  if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
  } else {
    if ($_SERVER['PHP_AUTH_USER'] == "foo" &&
        $_SERVER['PHP_AUTH_PW'] == "fighters")
    {
        //the user is authenticated, continue processing
    } else {
        // user authentication has failed and PHP_AUTH
        // variables should not be set
    }
  }
?>

Of course, this is a very oversimplified logic for authenticating a user, but hopefully it illustrates my point.
 [2003-07-23 11:03 UTC] sniper@php.net
Basic auth is not the way to do that. There is no bug.
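
Added example, not part of the original thread or of PHP's own code: one way to handle the optional-login scenario discussed above is to treat PHP_AUTH_* as untrusted request input and derive a separate verified identity from it. The `verified_user()` helper, the `$users` store and the `login` query parameter are hypothetical names, and the sample account is constructed from the credentials used in the report.

```php
<?php
// PHP_AUTH_USER / PHP_AUTH_PW are only the decoded Authorization header of
// the current request. They say what the client sent, not who the client is.

// Constructed sample user store; a real one would hold stored password hashes.
$users = ['foo' => password_hash('fighters', PASSWORD_DEFAULT)];
// Dummy hash so an unknown username costs the same work as a known one.
$dummy = password_hash('placeholder', PASSWORD_DEFAULT);

/**
 * Hypothetical helper: returns the verified username, or null when no
 * credentials were sent or they do not verify.
 */
function verified_user(array $server, array $users, string $dummy): ?string
{
    if (!isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return null;
    }
    $name = (string) $server['PHP_AUTH_USER'];
    $hash = $users[$name] ?? $dummy;
    $ok   = password_verify((string) $server['PHP_AUTH_PW'], $hash);
    return ($ok && isset($users[$name])) ? $name : null;
}

$user            = verified_user($_SERVER, $users, $dummy);
$sentCredentials = isset($_SERVER['PHP_AUTH_USER']);
$wantsLogin      = isset($_GET['login']); // hypothetical "log in" action

if ($user === null && ($sentCredentials || $wantsLogin)) {
    // The server cannot clear what the client sends; answering 401 again
    // rejects these credentials and makes the browser prompt for new ones.
    header('WWW-Authenticate: Basic realm="My Realm"');
    http_response_code(401);
    echo 'Authentication required.';
    exit;
}

echo '<p>Public content.</p>';
if ($user !== null) {
    // Only $user, never $_SERVER['PHP_AUTH_USER'], gates the extra content.
    echo '<p>Extra content for ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '.</p>';
}
```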

 