ID:               24768
 Updated by:       [EMAIL PROTECTED]
 Reported By:      tgourrier at hotmail dot com
-Status:           Open
+Status:           Bogus
 Bug Type:         HTTP related
 Operating System: All
 PHP Version:      4.3.1
 New Comment:

Try the script below with an .htpasswd/.htaccess protection. On my test
server, unless correct credentials are specified, PHP_AUTH variables are
not populated.

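<?php
  // No credentials were sent with the request: issue the Basic auth challenge.
  if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
  } else {
    // Credentials were sent: echo them back, HTML-escaped.
    echo '<p>Hello ' . htmlspecialchars($_SERVER['PHP_AUTH_USER']) . '.</p>';
    echo '<p>You entered ' . htmlspecialchars($_SERVER['PHP_AUTH_PW']) . ' as your password.</p>';
  }
?>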


Previous Comments:
------------------------------------------------------------------------

[2003-07-23 08:09:25] tgourrier at hotmail dot com

Description:
------------
When using the:
header('WWW-Authenticate: Basic realm="My Realm"');
mechanism, the PHP_AUTH_* variables are set and there is no way to
clear or unset these variables if the authentication fails.

This is in contrast to the way that external authentication works (with
Apache at least). If external authentication fails, the PHP_AUTH
variables are not set (or at least they are cleared).

There should be some way within PHP to clear these variables if the
authentication is not successful.



------------------------------------------------------------------------
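
The following is an added example, not part of the bug report or of PHP's own code. It shows a script that does its own Basic authentication treating the PHP_AUTH_* values as unverified input and re-sending the 401 challenge when they do not check out. The user table, the sample password and the function name check_basic_auth are hypothetical, and the code assumes PHP 7.1 or later.

```php
<?php
// PHP only decodes the Authorization header into PHP_AUTH_USER / PHP_AUTH_PW.
// It does not validate them, so their presence proves nothing by itself.

// Constructed sample credential store (hypothetical user and password).
// A real deployment would load stored hashes rather than hashing here.
$users = ['alice' => password_hash('constructed-sample-pw', PASSWORD_DEFAULT)];

// Hash verified for unknown users so both paths do comparable work.
$dummyHash = password_hash('constructed-dummy-value', PASSWORD_DEFAULT);

// Returns the authenticated user name, or null when the supplied
// credentials are missing or wrong.
function check_basic_auth(array $server, array $users, string $dummyHash): ?string
{
    if (!isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return null; // browser has not sent credentials yet
    }
    $user = (string) $server['PHP_AUTH_USER'];
    $pass = (string) $server['PHP_AUTH_PW'];

    $known = array_key_exists($user, $users);
    $hash  = $known ? $users[$user] : $dummyHash;

    // password_verify() compares in constant time.
    $ok = password_verify($pass, $hash);

    return ($known && $ok) ? $user : null;
}

$user = check_basic_auth($_SERVER, $users, $dummyHash);

if ($user === null) {
    // Missing or failed credentials: challenge again. The browser drops
    // its cached credentials for the realm and prompts the user anew.
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authentication required.';
    exit;
}

// Only reached with verified credentials; escape before echoing.
echo '<p>Hello ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '.</p>';
```
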


-- 
Edit this bug report at http://bugs.php.net/?id=24768&edit=1
