ID: 24768
User updated by: tgourrier at hotmail dot com
Reported By: tgourrier at hotmail dot com
-Status: Bogus
+Status: Open
Bug Type: HTTP related
Operating System: All
PHP Version: 4.3.1
New Comment:
I think you have run this script in a directory which is protected with
a .htaccess file. That is not the scenario I am referring to. If you
run the script you provided as an unprotected file, there is no
checking to see if the credentials provided are correct. It just takes
whatever the user enters, prints that out, and sets the PHP_AUTH_USER
and PHP_AUTH_PW fields.
This is my point. In a real script, instead of just echoing out the
userid and password in the else clause, you would validate it against
some logic. If the provided username/password do not meet the criteria
specified in your logic then at that point the authentication has
failed -- but the PHP_AUTH variables are already set and there is no
way to clear them.
Previous Comments:
------------------------------------------------------------------------
[2003-07-23 08:33:24] [EMAIL PROTECTED]
Try the script below with an .htpasswd/.htaccess protection. On my test
server unless correct credentials are specified PHP_AUTH variables are
not populated.
<?php
// Challenge the client if no credentials arrived with the request.
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    // Credentials were present: echo back what PHP extracted from the
    // Authorization header (test script only; never print passwords).
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
?>
------------------------------------------------------------------------
[2003-07-23 08:09:25] tgourrier at hotmail dot com
Description:
------------
When using the:
header('WWW-Authenticate: Basic realm="My Realm"');
mechanism, the PHP_AUTH_* variables are set and there is no way to
clear or unset these variables if the authentication fails.
This is in contrast to the way that external authentication works (with
Apache at least). If external authentication fails, the PHP_AUTH
variables are not set (or at least they are cleared).
There should be some way within PHP to clear these variables if the
authentication is not successful.
------------------------------------------------------------------------
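The pattern the reporter is asking about, as an added example that is not part of the bug report and not PHP's own code: when a script issues the WWW-Authenticate challenge itself, PHP fills PHP_AUTH_USER and PHP_AUTH_PW from whatever Authorization: Basic header the client sent, so the script has to validate those values and, on failure, send the 401 challenge again so the browser re-prompts. The user list, the realm and the helper names are constructed for this example, and it assumes a current PHP (password_hash/password_verify), not the 4.3.1 in the report.

```php
<?php
// Added example (not from the bug report): HTTP Basic auth where the script
// itself validates what PHP extracted into PHP_AUTH_USER / PHP_AUTH_PW.
// PHP sets those from any Authorization: Basic header, valid or not, so the
// script must verify them and re-issue the 401 challenge on failure.

// Constructed credential store for this example: username => password_hash().
// In a real deployment load this from a database or a file outside the web root.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Hash verified for unknown usernames so the response time does not reveal
// whether the account exists (assumption: a precomputed dummy hash is fine).
$dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);

function send_challenge(string $realm): void
{
    // Re-sending the challenge is what makes the browser discard the
    // rejected credentials and prompt the user again.
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authentication required';
    exit;
}

function credentials_valid(array $users, string $dummyHash, ?string $user, ?string $pass): bool
{
    if ($user === null || $pass === null) {
        return false;
    }
    $known = isset($users[$user]);
    $hash  = $known ? $users[$user] : $dummyHash;
    // Always run the verification so timing is similar for known and unknown users.
    $ok = password_verify($pass, $hash);
    return $known && $ok;
}

$realm = 'My Realm';
$user  = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass  = $_SERVER['PHP_AUTH_PW'] ?? null;

if (!credentials_valid($users, $dummyHash, $user, $pass)) {
    // Missing or wrong credentials: drop what PHP populated for this request
    // and challenge again instead of treating the request as authenticated.
    unset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
    send_challenge($realm);
}

// Only reached with verified credentials. The username came from a client
// header, so escape it before putting it in HTML; never echo the password.
echo '<p>Hello ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '.</p>';
```

The point of the structure is that the authentication decision lives entirely in the script: the values in $_SERVER are input to be checked, not proof that a check already happened, and the unset() only affects the current request (the browser will resend the same header until it receives a fresh 401).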