Posted by Iván Sánchez Ortega on 07/04/07 01:10
Reporter wrote:
 > 1.  This is a status code not a header, right?  =>
 > header('HTTP/1.0 401 Unauthorized');
 
 And how are status codes sent to the browser if not?? Next question,
 please...
 
 > 2.  According to the change log in the PHP manual, starting with 4.4.2
 > and 5.1.2 the header function now prevents more than one header to be
 > sent at once as a protection against header injection attacks.  Does
 > this mean if I make multiple header calls the headers will be sent in
 > multiple response messages to the browser?  Is this allowed?  Can a
 > server send multiple response messages to one request?
 
 This means that you can send more than one response (headers+content) if you
 are a very, very bad person. HTTP request splitting, faking headers, and
 that sort of thing. PHP will prevent you from doing so, up to a certain
 extent, of course.
 
 > 3.  If you hit the "cancel" button on the browser user name/password
 > request dialog (as alluded to in the code snippet above), what message
 > does the browser send to the server?
 
 None. It displays the first response (401/Unauthorized) that it *already*
 got from the webserver. Keep in mind that HTTP auth is a challenge-response
 auth method: even if you supply the username and password to the web
 browser at first, it *will* make an attempt to get the webpage without
 sending the pair.
 
 Things go like this:
 - Browser requests a webpage
 - Webserver replies with a 401/Unauth response, along with some HTML
 - Browser displays "enter username/passwd" dialog. Browser does NOT render
 that HTML.
 - User enters username/passwd
 - Browser requests the webpage, sending the username/passwd
 - Webserver replies with a 200/OK response
 - Browser renders webpage.
 
 In case the user hits the "cancel" button, that previously discarded HTML is
 shown.
 
 --
 ----------------------------------
 Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-
 
 A computer is not a television or a microwave; it is a complex
 tool.
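The challenge-response exchange described in the post above, modelled as an added example that is not part of the original post. It runs from the PHP command line without a web server; the realm, user name, password and the `respond()`/`browse()` helpers are constructed for illustration.

```php
<?php
// Added example. REALM, USERS and both function names are hypothetical.
const REALM = 'Example area';
const USERS = ['alice' => 's3cret-constructed'];

// Server side: build (status, headers, body) from the Authorization header (null if absent).
function respond(?string $authorization): array
{
    $denied = [
        401,
        ['WWW-Authenticate' => 'Basic realm="' . REALM . '"'],
        '<p>Shown only if the user cancels the dialog.</p>',
    ];
    if ($authorization === null || stripos($authorization, 'Basic ') !== 0) {
        return $denied;                          // first request carries no credentials
    }
    $decoded = base64_decode(substr($authorization, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return $denied;                          // malformed credentials
    }
    [$user, $pass] = explode(':', $decoded, 2);  // a password may itself contain ':'
    $users = USERS;
    // hash_equals() avoids an early-exit string comparison of the password.
    $ok = hash_equals($users[$user] ?? '', $pass) && array_key_exists($user, $users);
    return $ok ? [200, [], '<p>Protected page.</p>'] : $denied;
}

// Browser side: request without credentials first, then act on the dialog outcome.
// $user === null models the "cancel" button.
function browse(?string $user, ?string $pass): array
{
    [$status, $headers, $body] = respond(null);  // 1. plain request, answered with 401
    if ($status !== 401 || $user === null) {
        return [$status, $body];                 // cancel: render the 401 body already received
    }
    // 2. same request again, now with the username/password pair
    [$status, , $body] = respond('Basic ' . base64_encode("$user:$pass"));
    return [$status, $body];                     // a real browser would re-prompt on another 401
}

foreach ([[null, null], ['alice', 's3cret-constructed'], ['alice', 'wrong']] as [$u, $p]) {
    [$status, $body] = browse($u, $p);
    printf("%-6s -> %d %s\n", $u ?? 'cancel', $status, $body);
}
```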