the header 'WWW-Authenticate'

  • kurtk@pobox.com

    the header 'WWW-Authenticate'

    I had a question about the use of the HTTP header 'WWW-Authenticate'
    in PHP scripts. For example, the script below sends the header
    'WWW-Authenticate: Basic Realm="Secret Stash"', followed by the header
    'HTTP/1.0 401 unauthorized', to force the web browser to display a
    username/password dialog. The script then calls exit().

    I don't understand how the script gets re-invoked (after the username
    and password have been supplied in the dialog box and user has clicked
    OK) because the script called exit() after issuing the two header()
    calls.

    I understand that once the username and password have been supplied
    that $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] are set.
    But how does the server know to re-invoke the same script a second
    time? After all the script just did an exit() after sending the
    headers.

    <?php
    // Preset authentication status to false.
    $authorized = FALSE;

    if (isset($_SERVER['PHP_AUTH_USER']) &&
        isset($_SERVER['PHP_AUTH_PW'])) {

        // Read the authentication file into an array
        // (one "username:md5-of-password" entry per line)
        $authFile = file("./authenticationFile.txt");

        // Cycle through each line in file, searching for authentication match.
        foreach ($authFile as $login) {

            list($username, $password) = explode(":", $login);

            // Remove the newline from the password
            $password = trim($password);

            // Compare strictly: loose == can treat two different
            // "0e..." hex digests as equal numbers.
            if ($username === $_SERVER['PHP_AUTH_USER'] &&
                hash_equals($password, md5($_SERVER['PHP_AUTH_PW']))) {

                $authorized = TRUE;
                break;
            }
        }
    }

    // If not authorized, display authentication prompt or 401 error
    if (! $authorized) {

        header('WWW-Authenticate: Basic Realm="Secret Stash"');
        header('HTTP/1.0 401 Unauthorized');
        print('You must provide the proper credentials! Buster!!!');
        exit;
    }
    // restricted material goes here...
    ?>

  • Willem Bogaerts

    #2
    Re: the header 'WWW-Authenticate'

    kurtk@pobox.com wrote:
    > I had a question about the use of the HTTP header 'WWW-Authenticate'
    > in PHP scripts. For example, the script below sends the header
    > 'WWW-Authenticate: Basic Realm="Secret Stash"', followed by the header
    > 'HTTP/1.0 401 unauthorized', to force the web browser to display a
    > username/password dialog. The script then calls exit().
    >
    > I don't understand how the script gets re-invoked (after the username
    > and password have been supplied in the dialog box and user has clicked
    > OK) because the script called exit() after issuing the two header()
    > calls.
    <snipped example>

    Your script first checks if a username and a password are given and
    exits only if that is not the case, sending a request header for
    authentication.

    The client asks for the page (without the password and username being
    sent), gets the request header and then displays a login dialog.
    When the user has filled in the username and password, the page is
    requested again, but now with credentials. So the browser just requests
    the same page again with different headers.

    Best regards,
    --
    Willem Bogaerts

    Application smith
    Kratz B.V.


    • kurtk@pobox.com

      #3
      Re: the header 'WWW-Authenticate'

      > When the user has filled in the username and password, the page is
      > requested again, but now with credentials. So the browser just requests
      > the same page again with different headers.

      Thanks Willem for the reply. While I did understand the logic of the
      script, what I wasn't familiar with was the fact that the HTTP server
      remembers the script that issued the
      header('WWW-Authenticate: Basic Realm="Secret Stash"');
      header('HTTP/1.0 401 Unauthorized');
      and re-invokes. So it is the HTTP server that "remembers" and then
      re-invokes the same script that issued the 'WWW-Authenticate'.


      • Lars Eighner

        #4
        Re: the header 'WWW-Authenticate'

        In our last episode,
        <20a63c50-4744-423f-bde2-e4b422dbf880@d1g2000hsg.googlegroups.com>,
        the lovely and talented kurtk@pobox.com
        broadcast on comp.lang.php:

        >> When the user has filled in the username and password, the page is
        >> requested again, but now with credentials. So the browser just requests
        >> the same page again with different headers.
        > Thanks Willem for the reply. While I did understand the logic of the
        > script, what I wasn't familiar with was the fact that the HTTP server
        > remembers the script that issued the
        > header('WWW-Authenticate: Basic Realm="Secret Stash"');
        > header('HTTP/1.0 401 Unauthorized');
        > and re-invokes. So it is the HTTP server that "remembers" and then
        > re-invokes the same script that issued the 'WWW-Authenticate'.

        Errr...no. It's the browser. Try reading the response again.

        --
        Lars Eighner <http://larseighner.com/> usenet@larseighner.com
        I have not seen as far as others because giants were standing on my shoulders.
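
The exchange discussed in this thread, as an added example that is not part of any post: each call to handleRequest() is one independent run of the protected script, and browserFetch() plays the client, which is the side that repeats the request with an Authorization header after the 401 challenge. The function names and the sample account are hypothetical, and the example stores password_hash() output rather than the md5 file used in the original script.

```php
<?php
const REALM = 'Secret Stash';

/** One stateless run of the protected script; $headers are the request headers. */
function handleRequest(array $headers, array $users): array
{
    $auth = $headers['Authorization'] ?? '';
    if (stripos($auth, 'Basic ') === 0) {
        // PHP does this decoding itself to fill PHP_AUTH_USER / PHP_AUTH_PW.
        $decoded = base64_decode(substr($auth, 6), true);
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            [$user, $pw] = explode(':', $decoded, 2);
            if (isset($users[$user]) && password_verify($pw, $users[$user])) {
                return ['status' => 200, 'headers' => [], 'body' => 'restricted material'];
            }
        }
    }
    // No (or wrong) credentials: send the challenge and end this run, like exit().
    return [
        'status'  => 401,
        'headers' => ['WWW-Authenticate' => 'Basic realm="' . REALM . '"'],
        'body'    => 'You must provide the proper credentials!',
    ];
}

/** The browser's part: on a 401 challenge, ask the user and request the same URL again. */
function browserFetch(array $users, string $user, string $pw): array
{
    $log = [];
    $headers = [];                                 // first request carries no credentials
    for ($attempt = 1; $attempt <= 2; $attempt++) {
        $res = handleRequest($headers, $users);    // a fresh run; nothing is remembered
        $log[] = sprintf('request %d -> %d', $attempt, $res['status']);
        if ($res['status'] !== 401 || isset($headers['Authorization'])) {
            break;                                 // success, or credentials were rejected
        }
        // The "dialog box" step: the client builds the Authorization header itself.
        $headers['Authorization'] = 'Basic ' . base64_encode("$user:$pw");
    }
    return $log;
}

// Constructed sample account, not taken from the thread.
$users = ['alice' => password_hash('example-pw', PASSWORD_DEFAULT)];
print_r(browserFetch($users, 'alice', 'example-pw'));
```

The server side holds no memory between the two calls; the only thing that changes is the header set the client sends.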
