如何在 PHP 中使用基本 HTTP 身份验证?

发布于 2024-10-02 07:55:11 字数 703 浏览 13 评论 0原文

我正在尝试使用 基本 HTTP 身份验证 并按照 PHP 手册页上的示例进行操作。但这对我不起作用。变量 $_SERVER['PHP_AUTH_USER'] 似乎未设置。当用户尝试登录时,系统会提示用户使用新的登录对话框。服务器正在运行 PHP 5.3.3,我已尝试使用 Google Chrome 和 Internet Explorer。

这是我使用的简单示例:

<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="Jonas Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'User pressed Cancel';
    exit;
} else {
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as you password.</p>";
}
?>

出了什么问题?如何在 PHP 中使用基本 HTTP 身份验证?

I'm trying to use Basic HTTP Authentication and followed the example on the PHP manual page. But it doesn't work for me. The variable $_SERVER['PHP_AUTH_USER'] doesn't seem to be set. When a user try to log in, the user is prompted whith a new login-dialog. The server is running PHP 5.3.3 and I have tried with Google Chrome and Internet Explorer.

Here is the simple example that I used:

<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="Jonas Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'User pressed Cancel';
    exit;
} else {
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as you password.</p>";
}
?>

What is wrong? How can I use Basic HTTP Authentication in PHP?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(6

风蛊 2024-10-09 07:55:11

试试这个::

<?php
    /*
    ** Define a couple of functions for
    ** starting and ending an HTML document
    */
    function startPage()
    {
        print("<html>\n");
        print("<head>\n");
        print("<title>Listing 24-1</title>\n");
        print("</head>\n");
        print("<body>\n");
    }

    function endPage()
    {
        print("</body>\n");
        print("</html>\n");
    }
    /*
    ** test for username/password
    */
    if( ( isset($_SERVER['PHP_AUTH_USER'] ) && ( $_SERVER['PHP_AUTH_USER'] == "leon" ) ) AND
      ( isset($_SERVER['PHP_AUTH_PW'] ) && ( $_SERVER['PHP_AUTH_PW'] == "secret" )) )
    {
        startPage();

        print("You have logged in successfully!<br>\n");

        endPage();
    }
    else
    {
        //Send headers to cause a browser to request
        //username and password from user
        header("WWW-Authenticate: " .
            "Basic realm=\"Leon's Protected Area\"");
        header("HTTP/1.0 401 Unauthorized");

        //Show failure text, which browsers usually
        //show only after several failed attempts
        print("This page is protected by HTTP " .
            "Authentication.<br>\nUse <b>leon</b> " .
            "for the username, and <b>secret</b> " .
            "for the password.<br>\n");
    }
?>

Try this::

<?php
    /*
    ** Define a couple of functions for
    ** starting and ending an HTML document
    */
    function startPage()
    {
        print("<html>\n");
        print("<head>\n");
        print("<title>Listing 24-1</title>\n");
        print("</head>\n");
        print("<body>\n");
    }

    function endPage()
    {
        print("</body>\n");
        print("</html>\n");
    }
    /*
    ** test for username/password
    */
    if( ( isset($_SERVER['PHP_AUTH_USER'] ) && ( $_SERVER['PHP_AUTH_USER'] == "leon" ) ) AND
      ( isset($_SERVER['PHP_AUTH_PW'] ) && ( $_SERVER['PHP_AUTH_PW'] == "secret" )) )
    {
        startPage();

        print("You have logged in successfully!<br>\n");

        endPage();
    }
    else
    {
        //Send headers to cause a browser to request
        //username and password from user
        header("WWW-Authenticate: " .
            "Basic realm=\"Leon's Protected Area\"");
        header("HTTP/1.0 401 Unauthorized");

        //Show failure text, which browsers usually
        //show only after several failed attempts
        print("This page is protected by HTTP " .
            "Authentication.<br>\nUse <b>leon</b> " .
            "for the username, and <b>secret</b> " .
            "for the password.<br>\n");
    }
?>
微暖i 2024-10-09 07:55:11

对于 PHP-CGI:

在 .htaccess 中添加以下内容:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
</IfModule>

并在脚本的开头添加以下内容:

list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':' , base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));

For PHP-CGI:

in .htaccess add this:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
</IfModule>

and at the beginning of your script add this:

list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':' , base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
以往的大感动 2024-10-09 07:55:11

PHP 是如何运行的?如果是通过Apache mod_cgi,恐怕你根本无法掌握认证信息。 Apache 不会将其传递给 CGI 应用程序,除非您使用 SECURITY_HOLE_PASS_AUTHORIZATION 标志进行编译。 (是否确实存在安全漏洞取决于您服务器上的其他用户是否比您的网站用户具有更低或更高的权限。)

如果是 IIS CGI,则必须确保仅配置“匿名”目录访问,或者 IIS将尝试介入并自行验证凭据。

echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";

HTML 注入安全漏洞(好吧,如果它有效的话)。使用htmlspecialchars()。伙计,那个 PHP 文档页面充满了高度可疑的建议和代码。

您也可以尝试查看 $_SERVER['HTTP_AUTHORIZATION'] ,尽管我怀疑这是 mod_cgi 问题,在这种情况下,这两个变量都不会出现,您将不得不诉诸基于 cookie 的登录。或者更改为采用更现代的 PHP 托管方法的主机,例如 FastCGI 或 mod_php。

How is PHP being run? If it's through Apache mod_cgi, I'm afraid you cannot get hold of the authentication information at all. Apache won't pass it to CGI apps unless you compile it with the SECURITY_HOLE_PASS_AUTHORIZATION flag. (Whether it's actually a security hole or not depends on whether other users on your server have a lower or greater privilege than your website users.)

If it's IIS CGI, you have to ensure that only ‘Anonymous’ directory access is configured, or IIS will try to step in and authenticate credentials itself.

echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";

HTML-injection security hole (well, if it worked). Use htmlspecialchars(). Man, is that PHP doc page full of highly questionable advice and code.

You can try to look at $_SERVER['HTTP_AUTHORIZATION'] as well, though I suspect it's the mod_cgi issue in which case neither variable will be present and you will have to resort to cookie-based login instead. Or change to a host with a more modern approach to PHP hosting, such as FastCGI or mod_php.

想念有你 2024-10-09 07:55:11

我认为 PHP 方法依赖于 Web 服务器上配置的基本身份验证。执行此操作的一个简单方法是将 .htaccess 文件包含在要为其启用基本身份验证的目录中。

大多数基于 UNIX 的 Web 主机允许您通过上传此文件来完成此操作。一个单独的文件(称为 .htauth)将保存允许访问站点或目录的用户登录名。

I think the PHP methods rely on Basic Authentication being configured on the Web Server. An easy way to do this is to include a .htaccess file in the directory you want to enable basic authentication for.

Most unix-based web hosts allow you to do this by just uploading this file. A separate file (call this .htauth) will hold the user logins that are allowed to access the site or directory.

悍妇囚夫 2024-10-09 07:55:11

检查您在尝试访问两个变量之前是否覆盖了变量 $_SERVER['PHP_AUTH_USER']$_SERVER['PHP_AUTH_PW']

如果上述情况并非如此,请检查您是否使用 php 作为 cgi mod。如果您使用 php 作为 cgi mod,那么在大多数情况下您将不会得到 $_SERVER['PHP_AUTH_USER']$_SERVER['PHP_AUTH_PW'] 因为通常我们不要使用选项 SECURITY_HOLE_PASS_AUTHORIZATION 编译 apache
因此,如果您想获取这两个变量,请使用选项 SECURITY_HOLE_PASS_AUTHORIZATION 重新编译 apache,或者您可以使用 .htaccess 方法。

Check if you have overrided your variable $_SERVER[‘PHP_AUTH_USER’] and$_SERVER[‘PHP_AUTH_PW’] before the place where you are trying to access the both variables.

If above is not the case then chek if you are using php as cgi mod or not. IF you are using php as cgi mod then in the most of case you will not get $_SERVER[‘PHP_AUTH_USER’] and$_SERVER[‘PHP_AUTH_PW’] because generraly we do not compile the apache with option SECURITY_HOLE_PASS_AUTHORIZATION
So if you want to get both variable then re-compile apache with option SECURITY_HOLE_PASS_AUTHORIZATION or you can use .htaccess approach.

浮生面具三千个 2024-10-09 07:55:11

如果您的 $_SERVER 变量中没有 PHP_AUTH_USERPHP_AUTH_PW
您需要按照此处所述检查PHP_AUTH_DIGEST https://www.php.net/manual/en/features.http-auth.php

检查示例#2。

If you don't have PHP_AUTH_USER and PHP_AUTH_PW in your $_SERVER variables
you need to check PHP_AUTH_DIGEST as described here: https://www.php.net/manual/en/features.http-auth.php

Check example #2.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文