Bug #29805 HTTP Authentication Issues
Submitted: 2004-08-24 03:39 UTC
Modified: 2005-04-05 21:12 UTC
Votes: 10
Avg. Score: 3.4 ± 1.1
Reproduced: 2 of 3 (66.7%)
Same Version: 1 (50.0%)
Same OS: 1 (50.0%)
From: michaelw at webcentral dot com dot au
Assigned: thetaphi
Status: Closed
Package: iPlanet related
PHP Version: 4CVS, 5CVS (2004-12-11)
OS: Solaris 9
Private report: No
CVE-ID:
 [2004-08-24 03:39 UTC] michaelw at webcentral dot com dot au
Description:
------------
Hi,

PHP HTTP Authentication under Sun One Webserver 6.0 (and presumably any iPlanet variant) doesn't seem to work correctly.

The PHP_AUTH_USER and PHP_AUTH_PW variables don't seem to get set. (This is with Safe Mode disabled). 

Additionally, with Safe Mode enabled, I cannot determine the username or password entered by the user.  



Reproduce code:
---------------
<?php
  if (!isset($_SERVER['PHP_AUTH_USER'])) {
   header('WWW-Authenticate: Basic realm="My Realm"');
   header('HTTP/1.0 401 Unauthorized');
   echo 'Text to send if user hits Cancel button';
   exit;
  } else {
   echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
   echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
  }
?>


Expected result:
----------------
Under apache, the output is:

Hello testing.

You entered 123 as your password.

(when username is testing and 123 is password)

Under SunOne, the username/password box just keeps redisplaying. 

Actual result:
--------------
Under SunOne, the username/password box just keeps redisplaying. 

 [2004-08-24 23:51 UTC] thetaphi@php.net
Have you installed the fake authenticator "php4_ as written in the docs?

"To use PHP Authentication on a single directory, add the following:
<Object ppath="d:\path\to\authenticated\dir\*">
AuthTrans fn=php4_auth_trans
</Object>"

The problem is: iPlanet SunONE does not send the password to PHP so it is not a problem of PHP. With the code from the docs you tell SunONE to pass the authentication data to the "fake" function "php4_auth_trans" that only says "auth done" and no other AuthTrans directives from obj.conf get executed. This switches off all other authentication in the server (Java, .htaccess,...) but lets PHP get the data. By limiting this to a directory you can leave the SunONE authentication for other directories intact.
 

 [2004-08-25 00:45 UTC] michaelw at webcentral dot com dot au
From obj.conf

<Object name="default">
AuthTrans fn=php4_auth_trans

<snipped>
 [2004-08-25 11:05 UTC] thetaphi@php.net
The PHP AuthTrans must be the first AuthTrans directive. I can take a look at this in the next few days.
 [2004-08-25 11:10 UTC] michaelw at webcentral dot com dot au
Currently, it is the ONLY AuthTrans directive.
 [2004-08-30 01:19 UTC] michaelw at webcentral dot com dot au
Any progress with this ?
 [2004-09-14 03:59 UTC] michaelw at webcentral dot com dot au
Hi,

Just wondering if you've found time to look at this ?

Regards,
Michael Ward.
 [2004-09-15 23:33 UTC] thetaphi@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

For newer servers (SunONE 6.0) leave out the php4_auth_trans directive in *.obj.conf, it works without!
 [2004-09-15 23:55 UTC] thetaphi@php.net
Sorry, you cannot take the PHP4 latest stable snapshot now, because it is frozen (release of 4.3.9) and this bug is not critical. After release of 4.3.9 this is fixed in CVS.
 [2004-09-22 00:02 UTC] thetaphi@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

Snapshots with this patch are available now.
 [2004-09-22 11:23 UTC] michaelw at webcentral dot com dot au
Ok, the new CVS release works correctly if safe_mode is disabled. However, if safe_mode is enabled, there does not appear to be any way to get authentication information. 

This presents a problem for me, at least, as in my environment I need to run PHPMyAdmin (using HTTP authentication) with safe_mode turned on. 

Is there some method for obtaining authentication information whilst running under safe mode ?
 [2004-09-26 22:42 UTC] thetaphi@php.net
Two things you can do at this time (the removal of the safe_mode security check for NSAPI is under discussion):

a) Remove the "if" clause from nsapi.c: php_handle_auth_data(pblock_findval("authorization", rq->headers) TSRMLS_CC);

b) Disable Safe-Mode only for this application. With NSAPI you can do this in vserver.obj.conf:
* Create a new Style in Server Manager and assign this style to the PHPMyAdmin directory
* Change the obj.conf in that style (<Object name="bla">) and add the php4_execute-service as in the "default" object; but add a safe_mode=0 to the end of the line (this is an additional php.ini value)
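
For context on option (a) above, an added example that is not part of the original comment or of PHP's source: for Basic authentication, the `authorization` header value handed to php_handle_auth_data is what PHP_AUTH_USER and PHP_AUTH_PW are decoded from. The code below shows that decoding in userland PHP; parse_basic_authorization() is a hypothetical helper name and the header values are constructed samples.

```php
<?php
// Added example: userland equivalent of Basic-auth header decoding.
// parse_basic_authorization() is a hypothetical helper, not a PHP built-in.

/**
 * Decode the value of an "Authorization: Basic ..." header.
 * Returns ['user' => ..., 'pw' => ...], or null when the value
 * does not carry well-formed Basic credentials.
 */
function parse_basic_authorization(?string $header): ?array
{
    if ($header === null || strncasecmp($header, 'Basic ', 6) !== 0) {
        return null;                 // absent, or another scheme such as Digest
    }
    // Strict mode makes base64_decode() return false on non-base64 input.
    $decoded = base64_decode(trim(substr($header, 6)), true);
    if ($decoded === false) {
        return null;
    }
    $sep = strpos($decoded, ':');
    if ($sep === false) {
        return null;                 // no user:password separator
    }
    // Split at the FIRST colon only: the password may itself contain colons.
    return ['user' => substr($decoded, 0, $sep), 'pw' => substr($decoded, $sep + 1)];
}

// Constructed sample header values (user "testing", password "123" as in the report).
$samples = [
    'Basic ' . base64_encode('testing:123'),
    'Basic ' . base64_encode('testing:pa:ss'),
    'Digest username="testing"',
    'Basic !!!not-base64!!!',
    null,
];

foreach ($samples as $value) {
    $cred = parse_basic_authorization($value);
    if ($cred === null) {
        echo "no Basic credentials\n";
        continue;
    }
    // Escape the user name before output and do not echo the password back.
    printf("user=%s, password length=%d\n",
        htmlspecialchars($cred['user'], ENT_QUOTES, 'UTF-8'), strlen($cred['pw']));
}
```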
 [2004-10-04 01:02 UTC] michaelw at webcentral dot com dot au
Hey,

As a workaround, I disabled the if-check, so it sets the variables regardless of whether it's in safe-mode or not. Any information on whether this will remain as-is in CVS, or .. ?
 [2005-04-05 21:12 UTC] thetaphi@php.net
All SAPIs behave in this way. No need to change this.
 
Last updated: Sun Apr 20 01:02:05 2014 UTC