On Wed, 2004-01-07 at 20:06, Geoffrey Young wrote:
> Stuart Jansen wrote:
> > I'm using Apache 2.0.48, mod_perl 1.99_12, and Apache::AuthCookie to
> > create a custom authentication scheme. I've noticed that while apache
> > normally logs the $REMOTE_USER, it doesn't log it when accessing PHP
> > pages. The pages are still correctly protected. 
> 
> the way these environment variables work is that if a module (mod_php,
> mod_perl, mod_cgi) wants them visible to users they call a few core Apache
> APIs (ap_add_common_vars and ap_add_cgi_vars) to generate them in the
> subprocess_env table.  it's then further up to the individual module to make
> the contents of that table visible to the environment.  mod_cgi uses another
> core Apache call, while mod_perl does it manually.
> 
> I can see the call to ap_add_common_vars() in the php code, which is the
> core API that populates REMOTE_USER in the environment, provided r->user was
> previously set (generally by a call to get_basic_auth_pw, which
> Apache::AuthCookie does).  are other variables, such as DOCUMENT_ROOT or
> SERVER_ADMIN present?
> 
> if this were mod_perl, you would need to use PerlOptions +SetupEnv in your
> httpd.conf to make the variables visible.  I'm not php savvy - is there an
> option you're missing someplace?

That's nice, but it doesn't explain why Apache wasn't logging the user.

> > At first I thought
> > $_SERVER["REMOTE_USER"] wasn't always being populated by PHP, but it
> > looks like that is working. However, $PHP_AUTH_USER isn't getting set. I
> > suspect that Apache logging and $PHP_AUTH_USER are related issues. At
> > work, we currently use a proprietary Apache 2 authentication module that
> > successfully logs the user and populates $PHP_AUTH_USER, so I know it
> > can be done. Would it be possible to modify mod_perl and/or
> > Apache::AuthCookie to do the same?
> 
> well, you mean have Apache::AuthCookie populate PHP_AUTH_USER?  probably
> not, since it's rather PHP specific :)

I doubt the authentication solution we use at work is aware of PHP, let
alone designed for it. I really do want Apache::AuthCookie to populate
$PHP_AUTH_USER. PHP has to be getting it from an at least reasonably
standard location. The fact that it doesn't seems symptomatic of a
problem with AuthCookie.

A little experimenting indicates it is getting it from the
Authorization header. I'll leave it to you to decide if this is
appropriate behavior or not, but the fact is that PHP developers are
encouraged to use $PHP_AUTH_USER instead of REMOTE_USER. Other modules
may be designed in an equally stupid way, and greater compatibility
seems like the best choice to me.

Following the tip in the mod_perl Cookbook, I added:

---
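# Set Authorization header for apps looking for it
# (empty password; the '' second argument suppresses the trailing newline
# that MIME::Base64 would otherwise append to the header value)
my $credentials = MIME::Base64::encode(join(':', $auth_user, ''), '');
$r->headers_in->set(Authorization => "Basic $credentials");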
---

Just before

$r->user($auth_user)

in AuthCookie. Apache began logging the user and PHP set $PHP_AUTH_USER
in addition to $_SERVER["REMOTE_USER"].

-- 
Stuart Jansen <[EMAIL PROTECTED], AIM:StuartMJansen>

"DON'T PANIC"
   -The Pragmatic Programmer, Andrew Hunt & David Thomas
   -The Hitchhiker's Guide to the Galaxy, Douglas Adams  :wq
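
The header trick described in the message above, as an added example that is not part of the original post or of Apache::AuthCookie: a stand-alone Perl sketch that builds the synthetic `Authorization` value with an empty password and recovers the user name from it the way a header-reading application would. The function names and sample user names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);

# Build "Basic base64(user:)" for an already-authenticated user name.
# A ':' in the name would be read back as the user/password separator,
# and control characters would corrupt the header, so both are refused.
sub synth_basic_header {
    my ($user) = @_;
    die "user name not representable in Basic auth\n"
        if !defined $user || $user eq '' || $user =~ /[:\x00-\x1f\x7f]/;
    # '' as the end-of-line argument keeps a newline out of the header value.
    return 'Basic ' . encode_base64("$user:", '');
}

# Recover the user name the way a consumer of the header would:
# decode the credentials and take everything before the first ':'.
sub user_from_header {
    my ($header) = @_;
    return undef
        unless defined $header
        && $header =~ /\ABasic +([A-Za-z0-9+\/=]+)\z/i;
    my $decoded = decode_base64($1);
    return $decoded =~ /\A([^:]*):/s ? $1 : undef;
}

# Constructed sample names: one ordinary, one containing the separator.
for my $name ('stuart', 'st:uart') {
    my $header = eval { synth_basic_header($name) };
    if (!defined $header) {
        print "$name: refused: $@";
        next;
    }
    printf "%s -> %s -> %s\n", $name, $header, user_from_header($header);
}

# With the default end-of-line argument the encoded value ends in "\n",
# which the strict parser above does not accept as a header value.
my $with_newline = 'Basic ' . encode_base64('stuart:');
print "default eol accepted by strict parser: ",
    (defined user_from_header($with_newline) ? "yes" : "no"), "\n";
```

Because the header is written by the server after the cookie check succeeds, any `Authorization` header sent by the client should be overwritten or removed on every request path, so downstream code never reads a client-chosen user name.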
