What is the HTTP_AUTHORIZATION environment variable?
HTTP_AUTHORIZATION seems to be a server side environment variable, but what values can it be? Are there examples? Is it set by some HTTP headers?
Also, what does it look like on the browser side when it asks for username and password (is it an HTML form or is it a popup box that asks for username and password (which is modal and so if not clicking OK or Cancel, then the browser cannot be clicked on))?
Usually, a user login form will POST to the server with POST variables such as username=peter&password=123 so what is this HTTP_AUTHORIZATION about?
Just so we're on the same page, a typical POST request looks something like this:
The environment variables beginning HTTP_ are a hangover from the days when CGI scripts were the main way to serve dynamic content, and they indicate to your server-side code that the client supplied a particular header as part of the request. From the CGI spec:
The Authorization: header used in a number of HTTP authentication mechanisms; the usual flow is:
WWW-Authenticate: header containing a scheme and (sometimes) a challenge
Authorization: header containing a response to the challenge
The exact format of the challenge and response differs depending on which authentication scheme is in use; RFC2617 (which gpcz linked to) covers "basic" (most common, sends base64-encoded "username:password") and "digest" (contains a cryptographic hash), and NTLM is another that's seen in some Windows environments.
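Added example, not part of the answer above: a Python sketch of how server-side code can read HTTP_AUTHORIZATION for the "basic" scheme and send the WWW-Authenticate challenge when the value is missing or invalid. The names parse_basic, handle and REALM are assumptions made for this example, and the credentials are the sample values from the question.

```python
import base64
import binascii
import hmac

REALM = "example"  # constructed realm name, shown in the browser's login popup


def parse_basic(header_value):
    """Return (username, password) from a Basic Authorization value, or None."""
    if not header_value:
        return None
    # The value has the form "<scheme> <credentials>", e.g. "Basic cGV0ZXI6MTIz".
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None  # Digest, NTLM and other schemes are not handled here
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not valid base64 / not valid text
    # Split on the first colon only: the password itself may contain colons.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def handle(environ, users):
    """Return (status, headers) for a request described by a CGI-style environ.

    `users` maps username -> password (plain text only to keep the example short).
    """
    creds = parse_basic(environ.get("HTTP_AUTHORIZATION"))
    if creds is not None:
        expected = users.get(creds[0])
        # Constant-time comparison avoids leaking how many characters matched.
        if expected is not None and hmac.compare_digest(
            creds[1].encode(), expected.encode()
        ):
            return "200 OK", [("Content-Type", "text/plain")]
    # Missing, malformed or wrong credentials: challenge the client again.
    challenge = 'Basic realm="%s"' % REALM
    return "401 Unauthorized", [("WWW-Authenticate", challenge)]


if __name__ == "__main__":
    # Constructed request: base64("peter:123") == "cGV0ZXI6MTIz"
    print(handle({"HTTP_AUTHORIZATION": "Basic cGV0ZXI6MTIz"}, {"peter": "123"}))
    print(handle({}, {"peter": "123"}))
```

Base64 is an encoding, not encryption, so a Basic value like the one above is readable by anyone who can see the request unless the connection uses TLS.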
A detailed description of the HTTP Authorization header can be found in RFC2617, located at http://www.ietf.org/rfc/rfc2617.txt, section 3.2.2.
It might also be worth noting that the standard Joomla! .htaccess file has the following rule in it to set the HTTP_AUTHORIZATION environment variable based on the Authorization header in the request: