Basic Authentication with PHP produces an endless loop
For some reason I can't get Basic Authentication to work using PHP on my server. I am using the exact code from the manual page:
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
?>
However, when I run it, I can never get beyond the prompt.
If I put this same code on my other server, it works fine.
Does anyone know what could be causing this? Both servers are WAMP stacks and Apache has the auth_basic_module enabled. The PHP.ini files are practically identical as well.
I glanced at the headers and after I enter my username/password, there is the "Authorization: Basic XXXXXX" header being sent.
Comments (1)
This depends on the used PHP interface. The environment variable PHP_AUTH_USER is only used for mod_php and if Apache helped.
If you initialize the authorization from the script, then you have to look for the HTTP_AUTHORIZATION header, and decode and split it up yourself. Look at this comment: http://www.php.net/manual/en/features.http-auth.php#94349
For FastCGI setups or suexec invocations you might not even have that header present in the environment variables. It's filtered out as a security precaution. The common workaround is to rewrite the header using a .htaccess rule:
Thus it becomes available with mixed-case as $_SERVER["HTTP_Authorization"].
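The "decode and split it up yourself" step from the answer above, as an added example that is not part of the original answer or the PHP manual. The function name basic_credentials is hypothetical, and the REDIRECT_HTTP_AUTHORIZATION key is an assumption about setups where Apache prefixes rewritten environment variables after an internal redirect.

```php
<?php
declare(strict_types=1);

/**
 * Return [user, password] taken from the request environment,
 * or null when no usable Basic credentials are present.
 * (Hypothetical helper, added for illustration.)
 */
function basic_credentials(array $server): ?array
{
    // mod_php: the header has already been decoded.
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }

    // CGI/FastCGI: look for the raw header under the names it can arrive as.
    // The REDIRECT_ variant is an assumption, not mentioned in the answer.
    $keys = ['HTTP_AUTHORIZATION', 'HTTP_Authorization', 'REDIRECT_HTTP_AUTHORIZATION'];
    $header = null;
    foreach ($keys as $key) {
        if (!empty($server[$key])) {
            $header = $server[$key];
            break;
        }
    }
    if ($header === null) {
        return null;
    }

    // Only accept the Basic scheme (scheme name is case-insensitive).
    if (!preg_match('#^Basic\s+([A-Za-z0-9+/=]+)\s*$#i', $header, $m)) {
        return null;
    }

    // Strict decoding rejects malformed base64 instead of guessing.
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }

    // Split on the first colon only: passwords may contain ':'.
    return explode(':', $decoded, 2);
}

$creds = basic_credentials($_SERVER);
if ($creds === null) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
}
// Escape before output; the user name is attacker-controlled input.
echo '<p>Hello ' . htmlspecialchars($creds[0], ENT_QUOTES, 'UTF-8') . '.</p>';
```

If none of the keys is set even though the browser sends the header, the server is stripping it before PHP runs, which is the case the answer's .htaccess workaround addresses.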