Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
When the server sends out a WWW-Authenticate header combined with a
401 response code, you get prompted for a username / password.

On some servers, this username and password are then saved in
$_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'].  On others,
however, they aren't.  So why, on these servers, isn't the value saved
in $_SERVER['HTTP_AUTHORIZE']?  The authorize header in the HTTP
response is the header that contains the info that, anyway.

eg. Authorization: Basic YXNkZjphc2Rm

...which base64_decode()'s to 'asdf:asdf'.

It seems that most any header in the HTTP request is added to $_SERVER
via HTTP_* (even made up ones), so why is Authorize different?


Quoted text here. Click to load it

Because HTTP only defines how the webserver and browser negotiate
authentication - not what gets passed via CGI/other API.

(BTW you should never use BASIC authentication over a non-SSL
connection - use digest instead - but this still won't protect against
MITM attacks)


Site Timeline