Now I put this page on the real web server, and I get the same authentication dialog box. I enter the correct login name and password, but after clicking OK in the dialog box, the same dialog box with the same realm appears again. I'm not able to see that page.
What is the difference between the local Apache server on my computer and the real Apache server? Is the Apache server causing the problem?
If you want to help, please realize that this is the first time that I am putting a page with HTTP Authentication on the net. So it might be that I overlook something very simple.
The code in my web page is:
<?php
// Define a function to insert an entry into the database
function insert_db($day, $month, $year, $description)
{
Etc.
}
// Define a function to delete an entry from the database
function delete_db($act_key)
{
Etc.
}
require_once('db_login.php');
if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW'])) {
header('WWW-Authenticate: Basic realm="Admin Area"');
header('HTTP/1.0 401 Unauthorized');
echo 'Without username and password you do not have access to this page!';
exit;
}
$web_username = htmlentities($_SERVER['PHP_AUTH_USER']);
$web_password = htmlentities($_SERVER['PHP_AUTH_PW']);
Etc.
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head>
Etc.
Any hint how to look for the problem is welcome.
Greetings,
SummerRain
Thank you for your help.
First of all, I've reproduced my problem with a very simple PHP script, as presented as Example #1 on:
[php.net...]
The page is currently online and can be viewed here:
[cendep.org...]
I understand that things should work as follows:
1. I request the page through my browser
2. The server sees that $_SERVER['PHP_AUTH_USER'] is not set, the if-statement is true, and the "header" statements are being executed, which gives me the dialog box in which I can fill in the Username and the Password.
3. I fill in the Username and the Password and I press OK
4. The browser requests the same page again, but adds extra authentication information, being the Username and the Password that I provided.
5. Now $_SERVER['PHP_AUTH_USER'] is set, and the code will execute through the else clause.
This does not happen. The if-statement is always evaluated as TRUE.
The help that you proposed:
A. Set errors to visible:
=========================
I do not know exactly where to put this code. I read that I'm not allowed to do any output before the "header" statements, otherwise they won't work any more. I have tried the following, but it did not yield any different behaviour or output:
<?php
ini_set('display_errors','on');
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'Text to send if user hits Cancel button';
exit;
} else {
echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
?>
B. Check the database:
======================
On my real page I can see that the database that I'm using is indeed working, but as far as I understand this problem, HTTP authentication has nothing to do with any database. At least not the authentication on the level of the above example. This example should work as soon as the Username is filled in. Or am I missing some knowledge?
C. Print out the actual values:
===============================
The example prints out the values, when it recognises that values are provided. Unfortunately it does not get to that point.
Is there any tool with which I can monitor the HTTP traffic, so that I can check whether the authorisation information from step (4.) is indeed present?
Thanks in advance,
SummerRain
Connect to 66.96.145.*** on port 80 ... ok
GET /test.php HTTP/1.1[CRLF]
Host: www.cendep.org[CRLF]
Connection: close[CRLF]
User-Agent: Web-sniffer/1.0.29 (+http://web-sniffer.net/)[CRLF]
Accept-Encoding: gzip[CRLF]
Accept-Charset: ISO-8859-1,UTF-8;q=0.7,*;q=0.7[CRLF]
Cache-Control: no[CRLF]
Accept-Language: de,en;q=0.7,en-us;q=0.3[CRLF]
Referer: http://web-sniffer.net/[CRLF]
[CRLF]
The server answers with the following:
HTTP Status Code: HTTP/1.1 401 Unauthorized
The dialog asking for username and password is shown. Then I fill in the username George and the password Egroeg and resend the page request. Indeed I can see that some authentication information is being sent:
Connect to 66.96.145.*** on port 80 ... ok
GET /test.php HTTP/1.1[CRLF]
Host: www.cendep.org[CRLF]
Connection: close[CRLF]
Accept-Charset: ISO-8859-1,UTF-8;q=0.7,*;q=0.7[CRLF]
Cache-Control: no[CRLF]
Authorization: Basic R2VvcmdlOkVncm9lZw==[CRLF]
Accept-Language: de,en;q=0.7,en-us;q=0.3[CRLF]
Referer: http://web-sniffer.net/[CRLF]
[CRLF]
If I decode the authorization string, using:
echo 'Decoding gives: '.base64_decode('R2VvcmdlOkVncm9lZw==');
I indeed get back the colon-separated username and password:
Decoding gives: George:Egroeg
This is the way it should be. Only the response from the server (another HTTP Status Code: HTTP/1.1 401 Unauthorized) is not what I expect. I expect the regular page contents (the else clause in the PHP script).
I contacted the help desk of the company where I host the website, but they said that they don't give programming support.
Does anybody have an idea how to proceed?
[edited by: jdMorgan at 1:34 pm (utc) on July 24, 2009]
[edit reason] De-linked URLs, obscured IP address. [/edit]
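A diagnostic for the situation in the posts above, where the trace shows an Authorization header being sent but the script never sees PHP_AUTH_USER. This is an added example, not code from the thread; it assumes PHP 7.1 or later and that, where PHP does not populate PHP_AUTH_*, the raw header may still be exposed as HTTP_AUTHORIZATION or REDIRECT_HTTP_AUTHORIZATION (this depends on server configuration). The function names are hypothetical.

```php
<?php
// Added diagnostic example, not code from the thread.
// Returns [user, password] from a Basic Authorization header, or null if malformed.
function parse_basic_credentials(string $header): ?array
{
    // The scheme name is case-insensitive; the token is base64("user:password").
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/]+={0,2})\s*$/i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);   // strict mode rejects invalid input
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the FIRST colon only: a password may itself contain colons.
    return explode(':', $decoded, 2);
}

// Reports which server variable (if any) carries the credentials.
function find_basic_credentials(array $server): array
{
    if (isset($server['PHP_AUTH_USER'])) {
        return ['source'   => 'PHP_AUTH_USER',
                'user'     => $server['PHP_AUTH_USER'],
                'password' => $server['PHP_AUTH_PW'] ?? ''];
    }
    // Assumption: when PHP_AUTH_* are not filled in, the raw header may still
    // be visible under one of these names, depending on server configuration.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (!empty($server[$key]) && ($c = parse_basic_credentials($server[$key]))) {
            return ['source' => $key, 'user' => $c[0], 'password' => $c[1]];
        }
    }
    return ['source' => null, 'user' => null, 'password' => null];
}

$found = find_basic_credentials($_SERVER);
if ($found['source'] === null) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'No credentials reached PHP in any of the checked variables.';
    exit;
}
// Escape before echoing: the user name is client-supplied input.
// The password is deliberately not printed.
echo '<p>Credentials arrived via ' . $found['source'] . '.</p>';
echo '<p>Hello ' . htmlspecialchars($found['user'], ENT_QUOTES, 'UTF-8') . '.</p>';
```

As the decoded trace above shows, Basic credentials are only base64-encoded on the wire, so a page protected this way should be served over HTTPS.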