Reply to Re: PHP_AUTH_* and HTTP_AUTHORIZATION?

Posted by C. (http://symcbean.blogspot.com/) on 12/24/07 11:04

On 21 Dec, 19:58, yawnmoth <terra1...@yahoo.com> wrote:
> When the server sends out a WWW-Authenticate header combined with a
> 401 response code, you get prompted for a username / password.
>
> On some servers, this username and password are then saved in
> $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']. On others,
> however, they aren't. So why, on these servers, isn't the value saved
> in $_SERVER['HTTP_AUTHORIZE']? The authorize header in the HTTP
> response is the header that contains that info, anyway.
>
> eg. Authorization: Basic YXNkZjphc2Rm
>
> ...which base64_decode()'s to 'asdf:asdf'.
>
> It seems that most any header in the HTTP request is added to $_SERVER
> via HTTP_* (even made up ones), so why is Authorize different?

Because HTTP only defines how the webserver and browser negotiate
authentication - not what gets passed via CGI/other API.

(BTW you should never use BASIC authentication over a non-SSL
connection - use digest instead - but this still won't protect against
MITM attacks)

C.
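
As an added example that is not part of the original thread: a PHP sketch that reads Basic credentials the same way whether the server API filled in PHP_AUTH_USER / PHP_AUTH_PW or only passed the raw header through. The helper name basic_credentials() is hypothetical, and the HTTP_AUTHORIZATION / REDIRECT_HTTP_AUTHORIZATION keys are an assumption about how the web server has been configured to forward the header; the sample inputs are constructed.

```php
<?php
// Added example, not code from the thread. basic_credentials() is a hypothetical helper.
// Returns [user, password], or null when no usable Basic credentials were passed on.
function basic_credentials(array $server): ?array
{
    // Case 1: the server API already decoded the header for PHP.
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }

    // Case 2: only the raw header reached the script.
    // Assumption: the web server forwards it under one of these two keys.
    $raw = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? null;
    if ($raw === null
        || !preg_match('/^Basic\s+([A-Za-z0-9+\/]+={0,2})$/i', trim($raw), $m)) {
        return null; // header absent, or not the Basic scheme
    }

    // Strict mode makes base64_decode() return false on invalid input.
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null; // undecodable, or no user:password separator
    }

    // Split on the first colon only: the password may itself contain colons.
    return explode(':', $decoded, 2);
}

// Constructed sample inputs, shaped like $_SERVER under different server setups.
$samples = [
    'decoded by PHP'  => ['PHP_AUTH_USER' => 'asdf', 'PHP_AUTH_PW' => 'asdf'],
    'raw header'      => ['HTTP_AUTHORIZATION' => 'Basic YXNkZjphc2Rm'],
    'colon in passwd' => ['REDIRECT_HTTP_AUTHORIZATION' => 'Basic YXNkZjphOmI='],
    'malformed'       => ['HTTP_AUTHORIZATION' => 'Basic !!!'],
    'nothing passed'  => [],
];

foreach ($samples as $label => $server) {
    $cred = basic_credentials($server);
    echo str_pad($label, 18), $cred === null ? 'no credentials' : json_encode($cred), "\n";
}
```

A null result means the script cannot tell "no credentials sent" from "server did not pass them on", so it should answer with the 401 challenge rather than treat the request as anonymous.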
