php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #26606 WWW-Authenticate always fails if register_globals=off
Submitted: 2003-12-12 11:15 UTC Modified: 2003-12-12 12:33 UTC
From: lutz dot schwarz at cgs dot de Assigned:
Status: Not a bug Package: Variables related
PHP Version: 4.3.2 OS: Win NT
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: lutz dot schwarz at cgs dot de
New email:
PHP Version: OS:

 

 [2003-12-12 11:15 UTC] lutz dot schwarz at cgs dot de
Description:
------------
If registering global variables is enabled (php.ini: register_globals = on), the variables $PHP_AUTH_USER and $GLOBALS['PHP_AUTH_USER'] are implicitely set to the values the browser sent. That works fine.

In case registering global variables is disabled (php.ini: register_globals = off), neither $PHP_AUTH_USER nor $GLOBALS['PHP_AUTH_USER'] is set. This IS desired for $PHP_AUTH_USER but it seems to be wrong for $GLOBALS['PHP_AUTH_USER'].

Since I found no other way to get the username and password enterred by the user, a site can not use "WWW-Authenticate" if register_globals is off.

I use PHP compiled as Apache module on a Windows-NT4.

PHP Version:
PHP 4.3.2 (cgi-fcgi), Copyright (c) 1997-2003 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2003 Zend Technologies
    with DBG v2.11.23, (C) 2000,2001,2002,2003, by Dmitri Dmitrienko

Apache version:
Server version: Apache/2.0.46
Server built:   Jun  2 2003 20:35:59


Reproduce code:
---------------
<?php
    if (!isset($GLOBALS['PHP_AUTH_USER']))
    {
        Header( "WWW-Authenticate: Basic realm=\"Test Authentication System\"");
        Header( "HTTP/1.0 401 Unauthorized");
        echo "You must enter a valid login ID and password to access this resource.\n";
        exit;
    }
    // never reached if "register_globals = Off" in php.ini
    echo "Hello {$GLOBALS['PHP_AUTH_USER']} !!<br>";
?>


Expected result:
----------------
Hello what_ever_i_entered_as_username !!


Actual result:
--------------
The browser repeats showing the authentication dialog until pressing cancel. Then the browser shows:
You must enter a valid login ID and password to access this resource.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-12-12 11:54 UTC] lutz dot schwarz at cgs dot de
The value of PHP_AUTH_USER can be found in $_SERVER['PHP_AUTH_USER'] rather than in $GLOBALS['PHP_AUTH_USER'] ...

I close the bug report.
 [2003-12-12 12:33 UTC] mgf@php.net
user error => bogus
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun May 26 08:01:31 2024 UTC