I was always using an authentication in PHP that worked perfectly. It looks like this:

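```php
<?php
// Send the Basic-auth challenge and stop the request.
function login()
{
    header('WWW-Authenticate: Basic realm="Acceso restringido."');
    header('HTTP/1.0 401 Unauthorized');
    echo "Acceso restringido.\n";
    exit;
}

if (!isset($_SERVER['PHP_AUTH_USER'])) {
    // No credentials sent yet: ask the browser to prompt for them.
    login();
} else {
    if ($_SERVER['PHP_AUTH_USER'] == 'test' && $_SERVER['PHP_AUTH_PW'] == 'test1') {
        // Credentials accepted: fall through to the protected page.
    } else {
        login();
    }
}
```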

However, I changed hosts to ipage.com and now I get the user/pass prompt window but it never takes the user/pass assigned. It keeps on prompting for user/pass.

I read something about CGI but did not get whether this method is not usable in PHP configured as CGI. Is there any alternative?

samyb8
  • 1
    I think it is a serious security issue that you have the credentials right in the php-code! You should either use [bcrypt](http://en.wikipedia.org/wiki/Bcrypt) or use authentication through .htaccess. – Lars Ebert Jul 17 '13 at 15:08
  • 3
    do a `var_dump($_SERVER)` to see what you're getting in those two server vars. PHP in cgi mode only has trouble with this stuff if you're running under the IIS web server. – Marc B Jul 17 '13 at 15:13
  • @MarcB - I var dumped and the PHP_AUTH_USER and PHP_AUTH_PW don't even show as variables... – samyb8 Jul 17 '13 at 15:19
  • What's your PHP version? – RandomSeed Jul 17 '13 at 15:24
  • 1
    PHP Version 5.2.17 | and API is CGI | and http://stackoverflow.com/questions/7053306/http-auth-via-php-php-auth-user-not-set – samyb8 Jul 17 '13 at 15:26
  • Looks like these environment variables are not always available. See [this question](http://stackoverflow.com/a/12558389/1446005) and [this other one](http://stackoverflow.com/a/3570461/1446005) for some possibly relevant information. – RandomSeed Jul 17 '13 at 15:29
  • I have marked your question as duplicate, but I vote it up nonetheless because you have searched and found the answer. – RandomSeed Jul 17 '13 at 15:31
  • 1
    If you are lucky, your host allows custom `.htaccess` (assuming an Apache server). You can use it to implement your HTTP authentication. [Here is a good starting point](http://stackoverflow.com/a/4103724/1446005). – RandomSeed Jul 17 '13 at 15:35
  • Why not just run these vars as $_SESSION variables? – hendr1x Jul 17 '13 at 15:37
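
An added example, not code from the question or from any commenter: under CGI, Apache does not hand the `Authorization` header to PHP, so `PHP_AUTH_USER` and `PHP_AUTH_PW` are never set and the prompt repeats. The sketch below assumes the host allows `.htaccess` with mod_rewrite and a PHP version that has `password_verify` (5.5 or later); `AUTH_BCRYPT_HASH` is a hypothetical environment variable holding `password_hash()` output, so no plaintext password sits in the source.

```php
<?php
// Added example, not the asker's code. Assumes .htaccess contains, with
// mod_rewrite enabled:
//   RewriteEngine On
//   RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

// Return array(user, pass) from whichever variable carries the credentials, or null.
function basic_credentials(array $server)
{
    // mod_php path: PHP has already parsed the header.
    if (isset($server['PHP_AUTH_USER'])) {
        $pw = isset($server['PHP_AUTH_PW']) ? $server['PHP_AUTH_PW'] : '';
        return array($server['PHP_AUTH_USER'], $pw);
    }
    // CGI path: raw header copied into the environment by the rewrite rule.
    // Apache prefixes the name with REDIRECT_ after an internal redirect.
    foreach (array('HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION') as $key) {
        if (empty($server[$key]) || !preg_match('/^Basic\s+(\S+)$/i', $server[$key], $m)) {
            continue;
        }
        $decoded = base64_decode($m[1], true);   // strict: reject invalid base64
        if ($decoded === false || strpos($decoded, ':') === false) {
            return null;
        }
        return explode(':', $decoded, 2);        // the password may itself contain ':'
    }
    return null;
}

function is_authorized(array $server, $expectedUser, $bcryptHash)
{
    $creds = basic_credentials($server);
    if ($creds === null || !is_string($bcryptHash) || $bcryptHash === '') {
        return false;                            // fail closed when nothing is configured
    }
    // Run password_verify even when the user name is wrong.
    $passOk = password_verify($creds[1], $bcryptHash);
    $userOk = ($creds[0] === $expectedUser);
    return $userOk && $passOk;
}

// AUTH_BCRYPT_HASH is a hypothetical variable name; getenv() returns false if unset.
if (!is_authorized($_SERVER, 'test', getenv('AUTH_BCRYPT_HASH'))) {
    header('WWW-Authenticate: Basic realm="Acceso restringido."');
    header('HTTP/1.0 401 Unauthorized');
    echo "Acceso restringido.\n";
    exit;
}
```

Basic authentication sends the password base64-encoded, not encrypted, on every request, so the page should only be served over HTTPS.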
