Posted by ZeldorBlat on 07/04/07 00:52
On Jul 3, 8:01 pm, Reporter <TruckSaf...@gmail.com> wrote:
> Here is an example from the PHP Manual
>
> <?php
>
> if ((!isset($_SERVER['PHP_AUTH_USER'])) || (1==1)) {
> header('WWW-Authenticate: Basic realm="My Realm"');
> header('HTTP/1.0 401 Unauthorized');
> echo 'Text to send if user hits Cancel button';
> exit;
> } else {
>
> echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
> echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
> }
>
> ?>
>
> Questions.
>
> 1. This is a status code not a header, right? => header('HTTP/1.0 401 Unauthorized');
It's both. The status code (401) is sent as a special header -- which
begins with HTTP/1.0. For instance, you would send the status code
302 as a header with the content "HTTP/1.0 302 Moved Temporarily."
>
> 2. According to the change log in the PHP manual, starting with 4.4.2
> and 5.1.2 the header function now prevents more than one header to be
> sent at once as a protection against header injection attacks. Does
> this mean if I make multiple header calls the headers will be sent in
> multiple response messages to the browser? Is this allowed? Can a
> server send multiple response messages to one request?
You typically only send one response to the browser. One request =
one response. What the manual is talking about is sending multiple
headers in a single call to the header() function. If you call the
header() function twice, you will have sent two headers as part of the
same response.
>
> 3. If you hit the "cancel" button on the browser user name/password
> request dialog (as alluded to in the code snippet above), what message
> does the browser send to the server?
I'm not entirely sure, but I know the above code works. You could try
using a packet sniffer to see what is actually sent back to the server.
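
An added example, not part of the original post or the PHP manual: a small model of the wire format discussed in questions 1 and 2, showing that the status line and every header line travel in one response, and that a line containing CR or LF is refused rather than split into extra headers. The function names `check_header_line()` and `build_response()`, the `Content-Type` header and the sample values are assumptions made for illustration; the real `header()` reports a warning instead of throwing.

```php
<?php
// Added example, not from the thread. It only models the response text;
// it does not call header() and sends nothing.

/**
 * Refuse a line containing CR or LF, the "one call, one header" rule the
 * manual's change log describes for header() since PHP 4.4.2 / 5.1.2.
 * (Assumption: this model throws; header() itself emits a warning.)
 */
function check_header_line(string $line): string
{
    if (preg_match('/[\r\n]/', $line)) {
        throw new InvalidArgumentException('line may not contain more than a single header');
    }
    return $line;
}

/** Assemble ONE HTTP response: status line, header lines, blank line, body. */
function build_response(string $statusLine, array $headers, string $body): string
{
    $lines = [check_header_line($statusLine)];
    foreach ($headers as $h) {
        $lines[] = check_header_line($h);
    }
    return implode("\r\n", $lines) . "\r\n\r\n" . $body;
}

// Several header lines still belong to a single response.
$response = build_response(
    'HTTP/1.0 401 Unauthorized',
    ['WWW-Authenticate: Basic realm="My Realm"', 'Content-Type: text/plain'],
    'Text to send if user hits Cancel button'
);
// Print with line endings made visible.
echo str_replace("\r\n", "\\r\\n\n", $response), "\n\n";

// Constructed untrusted value carrying a line break: rejected, not split.
$untrusted = "My Realm\"\r\nX-Extra: 1";
try {
    build_response(
        'HTTP/1.0 401 Unauthorized',
        ['WWW-Authenticate: Basic realm="' . $untrusted . '"'],
        ''
    );
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```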