Wuhtzu, Posted March 5, 2007

Hey

I would like to be able to get the user name which the visitor uses to log in with during a normal HTTP authentication (.htaccess and .htpasswd)... this should be possible through $_SERVER['PHP_AUTH_USER'] but I can't seem to get it working.

Here is what I am currently testing with (before implementing it in the real thing):

index.php

```php
<?php
echo "DIGEST: " . $_SERVER['PHP_AUTH_DIGEST'];
echo "<br>";
echo "USERNAME: " . $_SERVER['PHP_AUTH_USER'];
echo "<br>";
echo "PASSWORD: " . $_SERVER['PHP_AUTH_PW'];
echo "<br>";
echo "TYPE : " . $_SERVER['AUTH_TYPE'];
?>
```

.htaccess

```
AuthName "Test"
AuthType Basic
AuthUserFile /some/path/authtest/.htpasswd
Require user test
```

.htpasswd

```
test:63mF8gv.4u8AI
```

All three files are placed in /authtest/ and just for the record this is only for test purposes, before someone starts talking about security.

To verify that the basic authentication works and the above code does not return any, you can try it here: http://wuhtzu.dk/random/authtest/

User: test
Pass: test

What am I doing wrong?

gargoylemusic, Posted March 6, 2007

At first glance, I don't exactly know what it is. But try this:

```php
echo '<pre>';
print_r($_SERVER);
echo '</pre>';
```

That will give you an array dump of all of the $_SERVER variables. You can see what's being passed, and if the PHP_AUTH_USER isn't... then we can explore other things.

Wuhtzu (Author), Posted March 6, 2007

Here is a print_r($_SERVER): http://wuhtzu.dk/random/authtest/print_r.php (look at the source), but the interesting variables were already echo'ed by index.php.

Wuhtzu (Author), Posted March 6, 2007

No one with an idea?

jggretton, Posted March 6, 2007

I can think of two possible problems:

1) Is PHP running as CGI? (You might need to ask your hosts about this.) If so, this type of authentication doesn't work.

2) Are you using PHP 5? There was an old bug that prevents the necessary variables showing up in $_SERVER. This was resolved a year or two ago, but your host may not have upgraded.

Hope that is helpful,

James

Wuhtzu (Author), Posted March 6, 2007

Thanks for your input jggretton...

I actually don't know if my host is running PHP as CGI or as a module under Apache (my guess would be module) - is there a way for me to check it? Maybe using phpinfo()?

I am using Apache 2.0.54 with PHP 5.1.2. This indicates that the bug was fixed in 5.04:

> Version 5.0.1
> 12-Aug-2004
> ......
> Fixed bug #29132 ($_SERVER["PHP_AUTH_USER"] isn't defined). (Stefan)
> ......

Wuhtzu (Author), Posted March 6, 2007

Any more suggestions?

gargoylemusic, Posted March 7, 2007

The manual might shed light (http://us3.php.net/features.http-auth):

> Instead of simply printing out PHP_AUTH_USER and PHP_AUTH_PW, as done in the above example, you may want to check the username and password for validity. Perhaps by sending a query to a database, or by looking up the user in a dbm file.
>
> Watch out for buggy Internet Explorer browsers out there. They seem very picky about the order of the headers. Sending the WWW-Authenticate header before the HTTP/1.0 401 header seems to do the trick for now.
>
> As of PHP 4.3.0, in order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page and safe mode is enabled. Regardless, REMOTE_USER can be used to identify the externally-authenticated user. So, you can use $_SERVER['REMOTE_USER'].
>
> Configuration Note: PHP uses the presence of an AuthType directive to determine whether external authentication is in effect.
>
> Note, however, that the above does not prevent someone who controls a non-authenticated URL from stealing passwords from authenticated URLs on the same server.

Do you have safe mode enabled? At any rate, it seems like REMOTE_USER will work regardless.

redarrow, Posted March 7, 2007

You need to use sessions, ok.

Wuhtzu (Author), Posted March 7, 2007

Hey again and thanks redarrow and gargoylemusic for your input...

First off, redarrow, I know sessions are _the_ way of handling user authentication and I use that method on a few sites I have created/helped create - but it's always fun to try new stuff out, and in this case I just want to protect a dir containing some private files, which an HTTP authentication is perfect for. Then why do I want to get the username? I just thought it was fun to keep track of the logins.

Second, gargoylemusic, I have been looking at the manual over and over again and the fact that I have safe_mode = "on" seems to seal this discussion - PHP must be keeping the variables in $_SERVER from being set because I use an external authentication :S I guess internal authentication must be if you handle the authentication with PHP and manually set the headers etc...

And $_SERVER['REMOTE_USER'] worked like a charm - so I'll just use that instead.

Thanks everyone!

Wuhtzu

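The resolution reached in this thread, written out as an added example (not code from any poster): read the user name the web server has already authenticated and build a log line for the login tracking Wuhtzu mentions. The function names, the sample values and the log path are hypothetical; checking REDIRECT_REMOTE_USER as well is an assumption that goes beyond the thread, covering Apache's REDIRECT_ prefix after an internal redirect.

```php
<?php
/**
 * Return [username, source key] for the user the web server authenticated,
 * or null when the given $_SERVER-style array carries no identity.
 */
function resolve_auth_user(array $server): ?array
{
    // REMOTE_USER is set by Apache after its own credential check, so it is
    // tried first. PHP_AUTH_USER comes last: per the manual text quoted in
    // the thread it is not set when external auth and safe mode are both on.
    foreach (['REMOTE_USER', 'REDIRECT_REMOTE_USER', 'PHP_AUTH_USER'] as $key) {
        if (isset($server[$key]) && is_string($server[$key]) && $server[$key] !== '') {
            return [$server[$key], $key];
        }
    }
    return null;
}

/**
 * Build one log line. Control characters and double quotes in the user name
 * are replaced so a crafted name cannot forge extra lines or fields.
 * The password (PHP_AUTH_PW) is deliberately never logged.
 */
function format_login_line(string $user, string $source, string $ip, int $time): string
{
    $clean = preg_replace('/[\x00-\x1F\x7F"]/', '?', $user);
    return sprintf("%s ip=%s user=\"%s\" via=%s\n", gmdate('c', $time), $ip, $clean, $source);
}

// Constructed sample input resembling the thread's setup (Basic auth via
// .htaccess, PHP_AUTH_* missing). On a live page pass $_SERVER instead.
$sample = [
    'AUTH_TYPE'   => 'Basic',
    'REMOTE_USER' => 'test',
    'REMOTE_ADDR' => '192.0.2.10',
];

$found = resolve_auth_user($sample);
if ($found === null) {
    echo "no authenticated user\n";
} else {
    [$user, $source] = $found;
    $line = format_login_line($user, $source, $sample['REMOTE_ADDR'], time());
    echo $line;
    // To keep a record, append to a file outside the web root (placeholder path):
    // file_put_contents('/path/outside/webroot/logins.log', $line, FILE_APPEND | LOCK_EX);
}
```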