What is the HTTP_AUTHORIZATION environment variable?

Posted 2024-10-19 00:43:38 · 344 words · 9 views · 0 comments

HTTP_AUTHORIZATION seems to be a server side environment variable, but what values can it be? Are there examples? Is it set by some HTTP headers?

Also, what does it look like on the browser side when it asks for username and password (is it an HTML form or is it a popup box that asks for username and password (which is modal and so if not clicking OK or Cancel, then the browser cannot be clicked on)).

Usually, a user login form will POST to the server with POST variables such as

username=peter&password=123

so what is this HTTP_AUTHORIZATION about?

Comments (3)

七颜 2024-10-26 00:43:38

Just so we're on the same page, a typical POST request looks something like this:

POST /some/page HTTP/1.1                            <-- request line
Host: www.example.com                               <-------------------\
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-US) <--| headers
Content-Length: 27                                  <-------------------/
... some other headers ...
                                                    <-- blank line
username=peter&password=123                         <-- POST data, if any

The environment variables beginning HTTP_ are a hangover from the days when CGI scripts were the main way to serve dynamic content, and they indicate to your server-side code that the client supplied a particular header as part of the request. From the CGI spec:

Meta-variables with names beginning with "HTTP_" contain values read from the client request header fields, if the protocol used is HTTP. The HTTP header field name is converted to upper case, has all occurrences of "-" replaced with "_" and has "HTTP_" prepended to give the meta-variable name.

The Authorization: header is used in a number of HTTP authentication mechanisms; the usual flow is:

  1. browser attempts to request a page
  2. server responds with "401 Unauthorized" and a WWW-Authenticate: header containing a scheme and (sometimes) a challenge
  3. browser prompts user for credentials, then re-sends the request with an Authorization: header containing a response to the challenge

The exact format of the challenge and response differs depending on which authentication scheme is in use; RFC2617 (which gpcz linked to) covers "basic" (most common, sends base64-encoded "username:password") and "digest" (contains a cryptographic hash), and NTLM is another that's seen in some Windows environments.
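
The flow in the answer above, as an added example that is not part of the original answer: a CGI-style handler that derives the meta-variable name from the header name, issues the 401 challenge, and decodes a Basic Authorization value. The function names, the realm "demo" and the sample credentials are constructed for illustration.

```python
import base64
import binascii
import hmac

# Constructed sample credentials for the demo only (assumption, not from the page).
DEMO_USER, DEMO_PASSWORD = "peter", "123"


def cgi_meta_name(header_name):
    """Map a request header name to its CGI meta-variable name (rule quoted from the CGI spec)."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def parse_basic(value):
    """Return (username, password) from a Basic Authorization value, or None if malformed."""
    scheme, _, token = (value or "").partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # the password may itself contain ":"
    return (user, password) if sep else None


def handle(environ):
    """Steps 2 and 3 of the flow: challenge with 401, or accept valid credentials."""
    creds = parse_basic(environ.get(cgi_meta_name("Authorization")))
    ok = creds is not None and all([  # compare both fields in constant time
        hmac.compare_digest(creds[0].encode(), DEMO_USER.encode()),
        hmac.compare_digest(creds[1].encode(), DEMO_PASSWORD.encode()),
    ])
    if not ok:
        return 401, {"WWW-Authenticate": 'Basic realm="demo"'}
    return 200, {}


if __name__ == "__main__":
    token = base64.b64encode(b"peter:123").decode()  # what the browser sends after the prompt
    print(handle({}))                                        # first request: no header yet
    print(handle({"HTTP_AUTHORIZATION": "Basic " + token}))  # re-sent request
```

Base64 is an encoding, not encryption, so anyone who can read the request can recover Basic credentials; such endpoints should only be served over TLS.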

魂牵梦绕锁你心扉 2024-10-26 00:43:38

A detailed description of the HTTP Authorization header can be found in RFC2617, located at http://www.ietf.org/rfc/rfc2617.txt, section 3.2.2.

灯角 2024-10-26 00:43:38

It might also be worth noting that the standard Joomla! .htaccess file has the following rule in it to set the HTTP_AUTHORIZATION environment variable based on the Authorization header in the request:

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]