http authentication with safe mode enabled?!

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi to you all.

I've been pulling my hair out over this issue and I really hope YOU can
help me. A part of the website that I'm having the problems with should
be password protected (nothing much, just to have a slight notion of it
not being publicly available, so no SSL or other Stuff) so I wrote this
function based on an example from the php manual which does just that.

Problem is that on my ISPs server safe_mode is enabled and so as it says
in the manual:

| As of PHP 4.3.0, in order to prevent someone from writing a script
| which reveals the password for a page that was authenticated through
| a traditional external mechanism, the PHP_AUTH variables will not be
| set if external authentication is enabled for that particular page
| and safe mode is enabled. Regardless, REMOTE_USER can be used to
| identify the externally-authenticated user. So, you can use
| $_SERVER['REMOTE_USER'].

My code looks like this:

function auth($file) {
	$username = $_SERVER['PHP_AUTH_USER'];
	$password = $_SERVER['PHP_AUTH_PW'];
	$http_401 = './auth/unauthorized.html';
	$realm = 'Intern';
	if (!isset($username) || !isset($password)) {
		header("WWW-Authenticate: Basic realm=\"$realm\"");
		header('HTTP/1.0 401 Unauthorized');
		include $http_401;
	} else {
			if (($username != 'XXXXXXX') && (crypt($password, 'XX') !=
'XXXXXXXXXXXXX')) {
				include $http_401;
			} else {
				include $file;
		}
~  }
}

Now as you can see I'm also checking wether there was no password
entered in contrast to the example from the manual. Of course I could
leave that part out and set

$username = $_SERVER['REMOTE_USER'];

But how the hell am I supposed to check for a correct password if
$_SERVER['PHP_AUTH_PW'] is not set? If safe mode is disabled everything
works just fine (checked on my on box with apache 1.3), so in theory
it's working.

Please help me guys I'd be grateful for any help provided.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCPXCen0kyIx7rF68RAmq5AJsHC5HIm4lvnHp3gbOVVR0NcArTkwCgj7y5
8cU2qnxDeeWaDDIeFElroQk=
=F0Wq
-----END PGP SIGNATURE-----

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux