Questions about HTTP headers sent with PHP in HTTP authentication

  • Reporter

    Questions about HTTP headers sent with PHP in HTTP authentication

    Here is an example from the PHP Manual

    <?php

    if ((!isset($_SERVER['PHP_AUTH_USER'])) || (1==1)) {
        header('WWW-Authenticate: Basic realm="My Realm"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Text to send if user hits Cancel button';
        exit;
    } else {
        echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
        echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
    }
    ?>

    Questions.

    1. This is a status code not a header, right? = header('HTTP/1.0 401 Unauthorized');

    2. According to the change log in the PHP manual, starting with 4.4.2
    and 5.1.2 the header function now prevents more than one header from being
    sent at once as a protection against header injection attacks. Does
    this mean if I make multiple header calls the headers will be sent in
    multiple response messages to the browser? Is this allowed? Can a
    server send multiple response messages to one request?

    3. If you hit the "cancel" button on the browser user name/password
    request dialog (as alluded to in the code snippet above), what message
    does the browser send to the server?

  • ZeldorBlat

    #2
    Re: Questions about HTTP headers sent with PHP in HTTP authentication

    On Jul 3, 8:01 pm, Reporter <TruckSaf...@gmail.com> wrote:
    > Here is an example from the PHP Manual
    >
    > <?php
    >
    > if ((!isset($_SERVER['PHP_AUTH_USER'])) || (1==1)) {
    >     header('WWW-Authenticate: Basic realm="My Realm"');
    >     header('HTTP/1.0 401 Unauthorized');
    >     echo 'Text to send if user hits Cancel button';
    >     exit;
    > } else {
    >     echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    >     echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
    > }
    > ?>
    >
    > Questions.
    >
    > 1. This is a status code not a header, right? = header('HTTP/1.0 401 Unauthorized');

    It's both. The status code (401) is sent as a special header -- which
    begins with HTTP/1.0. For instance, you would send the status code
    302 as a header with the content "HTTP/1.0 302 Moved Temporarily."

    > 2. According to the change log in the PHP manual, starting with 4.4.2
    > and 5.1.2 the header function now prevents more than one header from being
    > sent at once as a protection against header injection attacks. Does
    > this mean if I make multiple header calls the headers will be sent in
    > multiple response messages to the browser? Is this allowed? Can a
    > server send multiple response messages to one request?

    You typically only send one response to the browser. One request =
    one response. What the manual is talking about is sending multiple
    headers in a single call to the header() function. If you call the
    header() function twice, you will have sent two headers as part of the
    same response.

    > 3. If you hit the "cancel" button on the browser user name/password
    > request dialog (as alluded to in the code snippet above), what message
    > does the browser send to the server?

    I'm not entirely sure, but I know the above code works. You could try
    using a packet sniffer to see what is actually sent back to the server.


    • Iván Sánchez Ortega

      #3
      Re: Questions about HTTP headers sent with PHP in HTTP authentication

      Reporter wrote:
      > 1. This is a status code not a header, right? = header('HTTP/1.0 401 Unauthorized');

      And how are status codes sent to the browser if not?? Next question,
      please...

      > 2. According to the change log in the PHP manual, starting with 4.4.2
      > and 5.1.2 the header function now prevents more than one header from being
      > sent at once as a protection against header injection attacks. Does
      > this mean if I make multiple header calls the headers will be sent in
      > multiple response messages to the browser? Is this allowed? Can a
      > server send multiple response messages to one request?

      This means that you can send more than one response (headers+content) if you
      are a very, very bad person. HTTP request splitting, faking headers, and
      that sort of thing. PHP will prevent you from doing so, up to a certain
      extent, of course.

      > 3. If you hit the "cancel" button on the browser user name/password
      > request dialog (as alluded to in the code snippet above), what message
      > does the browser send to the server?

      None. It displays the first response (401/Unauthorized) that it *already*
      got from the webserver. Keep in mind that HTTP auth is a challenge-response
      auth method: even if you supply the username and password to the web
      browser at first, it *will* make an attempt to get the webpage without
      sending the pair.

      Things go like this:
      - Browser requests a webpage
      - Webserver replies with a 401/Unauth response, along with some HTML
      - Browser displays "enter username/passwd" dialog. Browser does NOT render
      that HTML.
      - User enters username/passwd
      - Browser requests the webpage, sending the username/passwd
      - Webserver replies with a 200/OK response
      - Browser renders webpage.

      In case the user hits the "cancel" button, that previously discarded HTML is
      shown.

      --
      ----------------------------------
      Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-

      A computer is not a television or a microwave, it is a complex tool.
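The server half of the challenge/response flow listed above, written out as an added example (it is not the PHP manual's snippet and not code from anyone in this thread). It replaces the snippet's unconditional `|| (1==1)` with a real credential check; the account, its password and the file name `auth.php` are constructed for the demo.

```php
<?php
// Added example (not from the PHP manual or from anyone in this thread): the
// server side of the challenge/response flow described above, with a real
// credential check in place of the snippet's unconditional "|| (1==1)".
// Run it under a web SAPI, e.g. `php -S 127.0.0.1:8080 auth.php`; in the
// command-line SAPI header() does nothing.

// Constructed demo account. A real application stores the password_hash()
// output (never the password itself) in its user store; it is computed here
// on every request only so that the file is self-contained.
$users = [
    'alice' => password_hash('correct-horse-battery-staple', PASSWORD_DEFAULT),
];

/**
 * Send the 401 challenge. The status line, the WWW-Authenticate header and the
 * body all travel in this one response; the body is what the browser shows
 * if the user cancels the credentials dialog.
 */
function send_challenge(string $realm, string $body): void
{
    header('HTTP/1.0 401 Unauthorized');               // status line, as in the snippet
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    header('Content-Type: text/plain; charset=utf-8');
    echo $body;
    exit;
}

/** Timing-safe password check via password_verify(); unknown user => false. */
function credentials_valid(?string $user, ?string $password, array $users): bool
{
    if ($user === null || $password === null || !isset($users[$user])) {
        return false;
    }
    return password_verify($password, $users[$user]);
}

// PHP fills these from the "Authorization: Basic ..." header on the browser's
// *second* request; on the first, credential-less request they are unset.
$user     = $_SERVER['PHP_AUTH_USER'] ?? null;
$password = $_SERVER['PHP_AUTH_PW'] ?? null;

if (!credentials_valid($user, $password, $users)) {
    // First two steps of the flow: reply 401 plus challenge, browser shows
    // its dialog (or this body, if the user cancels). A wrong password lands
    // here too, so the browser simply prompts again.
    send_challenge('My Realm', "Authentication required.\n");
}

// Last three steps: credentials accepted, send the page with 200 OK. Escape
// the user-supplied name, and never echo the password back as the snippet does.
header('Content-Type: text/html; charset=utf-8');
echo '<p>Hello ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '.</p>';
```

Two caveats a practitioner will run into: `PHP_AUTH_USER` and `PHP_AUTH_PW` are only populated by SAPIs that see the Authorization header (mod_php, the built-in server); under CGI/FastCGI the header usually has to be passed through to PHP explicitly. And on PHP 5.4 or later `http_response_code(401)` is the usual replacement for the `header('HTTP/1.0 401 Unauthorized')` status-line call kept here to match the snippet.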


      • Reporter

        #4
        Re: Questions about HTTP headers sent with PHP in HTTP authentication

        On Jul 3, 7:10 pm, Iván Sánchez Ortega <ivansanchez-...@rroba-escomposlinux.-.punto.-.org> wrote:
        > Reporter wrote:
        >> 1. This is a status code not a header, right? = header('HTTP/1.0 401 Unauthorized');
        >
        > And how are status codes sent to the browser if not?? Next question,
        > please...
        >
        >> 2. According to the change log in the PHP manual, starting with 4.4.2
        >> and 5.1.2 the header function now prevents more than one header from being
        >> sent at once as a protection against header injection attacks. Does
        >> this mean if I make multiple header calls the headers will be sent in
        >> multiple response messages to the browser? Is this allowed? Can a
        >> server send multiple response messages to one request?
        >
        > This means that you can send more than one response (headers+content) if you
        > are a very, very bad person. HTTP request splitting, faking headers, and
        > that sort of thing. PHP will prevent you from doing so, up to a certain
        > extent, of course.
        >
        >> 3. If you hit the "cancel" button on the browser user name/password
        >> request dialog (as alluded to in the code snippet above), what message
        >> does the browser send to the server?
        >
        > None. It displays the first response (401/Unauthorized) that it *already*
        > got from the webserver. Keep in mind that HTTP auth is a challenge-response
        > auth method: even if you supply the username and password to the web
        > browser at first, it *will* make an attempt to get the webpage without
        > sending the pair.
        >
        > Things go like this:
        > - Browser requests a webpage
        > - Webserver replies with a 401/Unauth response, along with some HTML
        > - Browser displays "enter username/passwd" dialog. Browser does NOT render
        > that HTML.
        > - User enters username/passwd
        > - Browser requests the webpage, sending the username/passwd
        > - Webserver replies with a 200/OK response
        > - Browser renders webpage.
        >
        > In case the user hits the "cancel" button, that previously discarded HTML is
        > shown.
        >
        > --
        > ----------------------------------
        > Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-
        >
        > A computer is not a television or a microwave, it is a complex tool.

        OK those are great answers. Thank you very much.

        Suppose I create this php file:

        <?php

        if ((!isset($_SERVER['PHP_AUTH_USER'])) || (1==1)) {
            header('WWW-Authenticate: Basic realm="My Realm"');
            header('HTTP/1.0 401 Unauthorized');
            header('WWW-Authenticate: Basic realm="My Realm1"');
            header('HTTP/1.0 401 Unauthorized');
            header('WWW-Authenticate: Basic realm="My Realm2"');
            header('HTTP/1.0 401 Unauthorized');
            echo 'Text to send if user hits Cancel button';
            exit;
        } else {
            echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
            echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
        }
        ?>


        Does that cause one or three response headers to be sent back to the
        browser?

        I tried a browser simulator at http://www.wannabrowser.com/index.php
        and it logged the following:

        ================================================================================
        HTTP/1.1 401
        Date: Wed, 04 Jul 2007 01:18:37 GMT
        Server: Apache
        WWW-Authenticate: Basic realm="My Realm2"
        Transfer-Encoding: chunked
        Content-Type: text/html

        Text to send if user hits Cancel button
        ================================================================================

        This seems to indicate PHP sent only one response message with only
        the third instance of the WWW-Authenticate header, but I am not sure
        how accurately it is listing everything.

        Where can I get a sniffer?

        Thanks.
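The log above is reporting accurately: there is one response, and it carries one WWW-Authenticate header, because `header()` replaces an earlier header of the same name unless its second argument (`$replace`) is false. The following added example (not code from the thread or the PHP manual) makes that visible from inside the script by reading `headers_list()`, and also checks the injection guard the manual's change log refers to; the file name `headers.php` and the `mode` query parameter are assumptions for the demo.

```php
<?php
// Added example (not from the thread): why the log above shows a single
// WWW-Authenticate header. Run under a web SAPI, e.g.
// `php -S 127.0.0.1:8080 headers.php`, then fetch /?mode=replace (the
// default) and /?mode=append; headers_list() reports what the one response
// to the current request will carry.

$mode    = (($_GET['mode'] ?? 'replace') === 'append') ? 'append' : 'replace';
$replace = ($mode === 'replace');

// All of these are queued for the same single response to this request.
// With $replace true (header()'s default) each WWW-Authenticate call
// overwrites the previous one, so only "My Realm2" survives, exactly as in
// the log; with $replace false all three are kept as separate header lines.
header('HTTP/1.0 401 Unauthorized');
header('WWW-Authenticate: Basic realm="My Realm"', $replace);
header('WWW-Authenticate: Basic realm="My Realm1"', $replace);
header('WWW-Authenticate: Basic realm="My Realm2"', $replace);
header('Content-Type: text/plain; charset=utf-8');

// The guard added in PHP 4.4.2 / 5.1.2: a header string containing a newline
// is refused with a warning ("Header may not contain more than a single
// header, new line detected") instead of being split into two header lines,
// so one header() call cannot start a second header, let alone a second
// response. The @ only hides that warning for the demo output.
$before = count(headers_list());
@header("X-Demo: first\r\nX-Demo-Second: second");
$newline_rejected = (count(headers_list()) === $before);

// Collect the WWW-Authenticate lines actually queued for this response.
$challenges = [];
foreach (headers_list() as $line) {
    if (stripos($line, 'WWW-Authenticate:') === 0) {
        $challenges[] = $line;
    }
}

echo "mode={$mode}: ", count($challenges), " WWW-Authenticate header line(s) in this one response\n";
echo implode("\n", $challenges), "\n";
echo 'header() call containing a newline was rejected: ', $newline_rejected ? 'yes' : 'no', "\n";
```

Fetching `/?mode=replace` with a browser or `curl -i` shows a single `WWW-Authenticate: Basic realm="My Realm2"` line, matching the wannabrowser log; `/?mode=append` shows all three. HTTP does permit several challenges in a response, but for Basic auth a single realm is what you normally want, so the default replacing behaviour is rarely a problem in practice.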

