Bug #29805 HTTP Authentication Issues
Submitted: 2004-08-24 03:39 UTC Modified: 2005-04-05 21:12 UTC
Avg. Score:3.4 ± 1.1
Reproduced:2 of 3 (66.7%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: michaelw at webcentral dot com dot au Assigned: thetaphi
Status: Closed Package: iPlanet related
PHP Version: 4CVS, 5CVS (2004-12-11) OS: Solaris 9
Private report: No CVE-ID:
 [2004-08-24 03:39 UTC] michaelw at webcentral dot com dot au

PHP HTTP Authentication under Sun One Webserver 6.0 (and presumably any iPlanet variant) doesn't seem to work correctly.

The PHP_AUTH_USER and PHP_AUTH_PW variables don't seem to get set. (This is with Safe Mode disabled). 

Additionally, with Safe Mode enabled, I cannot determine the username or password entered by the user.  

Reproduce code:
  <?php
  // Ask for credentials until the server hands PHP the Basic auth data.
  if (!isset($_SERVER['PHP_AUTH_USER'])) {
   header('WWW-Authenticate: Basic realm="My Realm"');
   header('HTTP/1.0 401 Unauthorized');
   echo 'Text to send if user hits Cancel button';
  } else {
   echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
   echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
  }
  ?>

Expected result:
Under apache, the output is:

Hello testing.

You entered 123 as your password.

(when username is testing and 123 is password)

Under SunOne, the username/password box just keeps redisplaying. 

Actual result:
Under SunOne, the username/password box just keeps redisplaying. 


 [2004-08-24 23:51 UTC]
Have you installed the fake authenticator "php4_ as written in the docs?

"To use PHP Authentication on a single directory, add the following:

<Object ppath="d:\path\to\authenticated\dir\*">
AuthTrans fn=php4_auth_trans
</Object>"

The problem is: iPlanet SunONE does not send the password to PHP, so it is not a problem of PHP. With the code from the docs you tell SunONE to pass the authentication data to the "fake" function "php4_auth_trans" that only says "auth done", and no other AuthTrans directives from obj.conf get executed. This switches off all other authentication in the server (Java, .htaccess,...) but lets PHP get the data. By limiting this to a directory you can leave the SunONE authentication for other directories intact.

 [2004-08-25 00:45 UTC] michaelw at webcentral dot com dot au
From obj.conf

<Object name="default">
AuthTrans fn=php4_auth_trans

 [2004-08-25 11:05 UTC]
The PHP AuthTrans must be the first AuthTrans directive. I can take a look at this in the next few days.
 [2004-08-25 11:10 UTC] michaelw at webcentral dot com dot au
Currently, it is the ONLY AuthTrans directive.
 [2004-08-30 01:19 UTC] michaelw at webcentral dot com dot au
Any progress with this?
 [2004-09-14 03:59 UTC] michaelw at webcentral dot com dot au

Just wondering if you've found time to look at this?

Michael Ward.
 [2004-09-15 23:33 UTC]
Please try using this CVS snapshot:
For Windows:

For newer servers (SunONE 6.0) leave out the php4_auth_trans directive in *.obj.conf, it works without!
 [2004-09-15 23:55 UTC]
Sorry, you cannot take the PHP4 latest stable snapshot now, because it is frozen (release of 4.3.9) and this bug is not critical. After release of 4.3.9 this is fixed in CVS.
 [2004-09-22 00:02 UTC]
Please try using this CVS snapshot:
For Windows:

Snapshots with this patch are available now.
 [2004-09-22 11:23 UTC] michaelw at webcentral dot com dot au
Ok, the new CVS release works correctly if safe_mode is disabled. However, if safe_mode is enabled, there does not appear to be any way to get authentication information. 

This presents a problem for me, at least, as in my environment I need to run PHPMyAdmin (using HTTP authentication) with safe_mode turned on. 

Is there some method for obtaining authentication information whilst running under safe mode?
 [2004-09-26 22:42 UTC]
There are two things you can do at this time; the removal of the safe_mode security check for NSAPI is under discussion:

a) Remove the "if" clause from nsapi.c: php_handle_auth_data(pblock_findval("authorization", rq->headers) TSRMLS_CC);

b) Disable Safe-Mode only for this application. With NSAPI you can do this in vserver.obj.conf:
* Create a new Style in Server Manager and assign this style to the PHPMyAdmin directory
* Change the obj.conf in that style (<Object name="bla">) and add the php4_execute-service as in the "default" object; but add a safe_mode=0 to the end of the line (this is an additional php.ini value)
 [2004-10-04 01:02 UTC] michaelw at webcentral dot com dot au

As a workaround, I disabled the if-check, so it sets the variables regardless of whether it's in safe-mode or not. Any information on whether this will remain as-is in CVS, or .. ?
 [2005-04-05 21:12 UTC]
All SAPIs behave in this way. No need to change this.
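
The thread turns on whether the server hands PHP the Authorization request header, from which PHP_AUTH_USER and PHP_AUTH_PW are filled. The following is an added example, not code from the report or from the PHP source: it shows how a Basic header value maps to those two values and which inputs yield no credentials. The function name parse_basic_auth is hypothetical, and the code assumes PHP 7.1 or later.

```php
<?php
/**
 * Split an "Authorization: Basic ..." header value into user and password.
 * Returns [user, password], or null if the header is absent or malformed.
 * (Hypothetical helper for illustration; not part of PHP or the report.)
 */
function parse_basic_auth(?string $header): ?array
{
    if ($header === null || $header === '') {
        return null;                       // the server did not pass the header on
    }
    // The scheme name is case-insensitive; the credentials follow one or more spaces.
    if (!preg_match('/^Basic +([A-Za-z0-9+\/]+={0,2})$/i', trim($header), $m)) {
        return null;                       // other scheme (e.g. Digest) or junk
    }
    $decoded = base64_decode($m[1], true); // strict mode rejects invalid input
    if ($decoded === false) {
        return null;
    }
    // Split on the FIRST colon only: a password may contain ':', a user name may not.
    $pos = strpos($decoded, ':');
    if ($pos === false) {
        return null;                       // no separator, so no user/password pair
    }
    return [substr($decoded, 0, $pos), substr($decoded, $pos + 1)];
}

// Constructed sample header values; the first uses the report's example
// user name "testing" and password "123".
$samples = [
    'Basic ' . base64_encode('testing:123'),
    'basic ' . base64_encode('testing:pa:ss'),
    'Basic ' . base64_encode('nocolon'),
    'Digest username="testing"',
    null,
];
foreach ($samples as $h) {
    $r = parse_basic_auth($h);
    echo var_export($h, true), ' => ',
         $r === null ? 'no credentials' : json_encode($r), "\n";
}
```

The null case corresponds to the symptom in the report: when no header reaches PHP, the script has nothing to decode and keeps answering 401, so the browser prompts again.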