php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #66891 Unexpected HTTP 401 after NTLM authentication
Submitted: 2014-03-12 13:25 UTC Modified: 2014-11-06 15:13 UTC
From: frederic dot ferchaud at laposte dot net Assigned: mike (profile)
Status: Closed Package: pecl_http (PECL)
PHP Version: 5.5.10 OS: windows 7 & server 2008
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: frederic dot ferchaud at laposte dot net
New email:
PHP Version: OS:

 

 [2014-03-12 13:25 UTC] frederic dot ferchaud at laposte dot net
Description:
------------
Hello,

I'm working on an intranet secured with a NTLM authentication.

When a user click on a direct url to a document, and after the NTLM authentication, the document is sent to the client using an http\Env\Response object (php_http.dll v2.0.4).

I set the ResponseCode to 200, but the client receives a 401 code.

When I use the PHP header() function and do 'manually' what http\Env\Response should do, the client receive a HTTP/1.1 200 code.

I checked the HTTP request&response, they are exactly the same. But in the response HTTP status line differs between http\Env\Response and header() method.

Thanks.

Test script:
---------------
<?php
// NTLM authentication
...

// Method 1 : http\Env\Response
$res = new http\Env\Response;
$res->setResponseCode(200);
$res->setCacheControl('private, must-revalidate, max-age=0');
$res->setContentType($mimeType);
$res->setContentDisposition(['attachment' => ['filename' => $filename]]);
$res->setBody(new http\Message\Body(fopen($filename, 'r')));
$res->send();
exit;
...

// Method 2 : header()
header("HTTP/1.1 200 Ok");
header("Cache-Control: private, must-revalidate, max-age=0");
header("Content-type: $mime");
header("Accept-Ranges: bytes");
header("Content-Disposition: attachment; filename=\"$filename\"");
readfile($filename);
exit;
...

?>


Expected result:
----------------
HTTP/1.1 200 Ok
Date: Wed, 12 Mar 2014 11:21:19 GMT
Server: Apache/2.4.7 (Win32) PHP/5.5.8
X-Powered-By: PHP/5.5.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, must-revalidate, max-age=0
Pragma: no-cache
WWW-Authenticate: none
Accept-Ranges: bytes
Content-Disposition: attachment; filename="a-file.pdf"
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/pdf

7efd
%PDF-1.5
[...]

Actual result:
--------------
HTTP/1.1 401 Unauthorized
Date: Wed, 12 Mar 2014 11:20:55 GMT
Server: Apache/2.4.7 (Win32) PHP/5.5.8
X-Powered-By: PHP/5.5.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, must-revalidate, max-age=0
Pragma: no-cache
WWW-Authenticate: none
Accept-Ranges: bytes
Content-Disposition: attachment; filename="a-file.pdf"
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/pdf

7efd
%PDF-1.5
[...]

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-03-12 13:27 UTC] frederic dot ferchaud at laposte dot net
-Summary: Unexpected HTTP 404 after NTLM authentication +Summary: Unexpected HTTP 401 after NTLM authentication
 [2014-03-12 13:27 UTC] frederic dot ferchaud at laposte dot net
.
 [2014-11-06 14:45 UTC] mike@php.net
-Status: Open +Status: Feedback
 [2014-11-06 14:45 UTC] mike@php.net
Which SAPI are you using?
 [2014-11-06 15:12 UTC] mike@php.net
If you set a "WWW-Authenticate" header (probably in your NTLM code), PHP automatically issues a 401. A payload of "none" does not carry any specific significance AFAIK.

http\Env\Response slurps any set headers and re-sends it after sending the status code, so that PHP might be resetting the status code to 401 because it sees again an WWW-Authenticate header.
 [2014-11-06 15:13 UTC] mike@php.net
-Status: Feedback +Status: Analyzed -Assigned To: +Assigned To: mike
 [2014-11-06 15:24 UTC] mike@php.net
Automatic comment on behalf of mike
Revision: http://git.php.net/?p=pecl/http/pecl_http.git;a=commit;h=5dfb7f296be471c20c21b3e39c00412e81706d78
Log: Fixed bug #66891 (Unexpected HTTP 401 after NTLM authentication)
 [2014-11-06 15:24 UTC] mike@php.net
-Status: Analyzed +Status: Closed
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Wed Dec 07 03:05:52 2022 UTC