 ID:               24768
 Updated by:       [EMAIL PROTECTED]
 Reported By:      tgourrier at hotmail dot com
-Status:           Open
+Status:           Bogus
 Bug Type:         HTTP related
 Operating System: All
 PHP Version:      4.3.1
 New Comment:

Thank you for taking the time to write to us, but this is not a bug.
Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report a bug
at http://bugs.php.net/how-to-report.php

If that is your intent you should keep .htpasswd in some inaccessible, non-web directory, then the AUTH variable will not be populated. Usage of .htpasswd without an appropriate .htaccess is wrong.

Previous Comments:
------------------------------------------------------------------------

[2003-07-23 09:04:06] tgourrier at hotmail dot com

I think you have run this script in a directory which is protected with a .htaccess file. That is not the scenario I am referring to.

If you run the script you provided as an unprotected file, there is no checking to see if the credentials provided are correct. It just takes whatever the user enters, prints that out, and sets the PHP_AUTH_USER and PHP_AUTH_PW fields.

This is my point. In a real script, instead of just echoing out the userid and password in the else clause, you would validate it against some logic. If the provided username/password do not meet the criteria specified in your logic then at that point the authentication has failed -- but the PHP_AUTH variables are already set and there is no way to clear them.

------------------------------------------------------------------------

[2003-07-23 08:33:24] [EMAIL PROTECTED]

Try the script below with an .htpasswd/.htaccess protection. On my test server unless correct credentials are specified PHP_AUTH variables are not populated.

<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
?>

------------------------------------------------------------------------

[2003-07-23 08:09:25] tgourrier at hotmail dot com

Description:
------------
When using the:

header('WWW-Authenticate: Basic realm="My Realm"');

mechanism, the PHP_AUTH_* variables are set and there is no way to clear or unset these variables if the authentication fails.

This is in contrast to the way that external authentication works (with Apache at least). If external authentication fails, the PHP_AUTH variables are not set (or at least they are cleared).

There should be some way within PHP to clear these variables if the authentication is not successful.

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=24768&edit=1
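
The validation step the reporter describes, as an added example that is not part of the original thread or of PHP's own code: the script treats PHP_AUTH_USER and PHP_AUTH_PW as unverified input and re-issues the 401 challenge when they fail its own check. It assumes a current PHP release; the user name, password, helper names and in-memory store are constructed for illustration.

```php
<?php
// Constructed credential store (hypothetical user and password). In practice
// the hashes are created once and kept outside the web root, not per request.
$users = [
    'alice' => password_hash('correct horse', PASSWORD_DEFAULT),
];
// Hash checked for unknown users so both paths perform a password_verify().
$dummyHash = password_hash('unused placeholder', PASSWORD_DEFAULT);

// Hypothetical helper: send the Basic challenge and stop the request.
function send_challenge(string $realm): void
{
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authentication required.';
    exit;
}

// Hypothetical helper: true only when the supplied pair matches the store.
function credentials_valid(array $users, string $dummyHash, ?string $user, ?string $pw): bool
{
    if ($user === null || $pw === null) {
        return false; // no Authorization header was sent
    }
    $known = isset($users[$user]);
    $hash  = $known ? $users[$user] : $dummyHash;
    // Verify first, then require that the user exists.
    return password_verify($pw, $hash) && $known;
}

$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pw   = $_SERVER['PHP_AUTH_PW'] ?? null;

if (!credentials_valid($users, $dummyHash, $user, $pw)) {
    // The PHP_AUTH_* entries remain in $_SERVER for this request; nothing
    // past this point runs, so they are never treated as an identity.
    send_challenge('My Realm');
}

// Only a verified name reaches this variable; protected code reads it
// instead of $_SERVER['PHP_AUTH_USER'].
$authUser = $user;
echo '<p>Hello ' . htmlspecialchars($authUser, ENT_QUOTES, 'UTF-8') . '.</p>';
```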
