
I have the following code in PHP,

<?php
ob_start();
// NOTE: inside double quotes PHP interpolates "$ecurEh1FIVE" as the (undefined)
// variable $ecurEh1FIVE, so the stored password is actually an empty string.
$valid_passwords = array ("matrixUlt" => "$ecurEh1FIVE");
$valid_users = array_keys($valid_passwords);
$user = $pass = null;
// Under mod_php Apache fills these from the Authorization header;
// under CGI/FastCGI they are normally not set at all.
if(isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']))
{
    $user = $_SERVER['PHP_AUTH_USER'];
    $pass = $_SERVER['PHP_AUTH_PW'];
}
// Loose (==) comparison of the supplied password against the stored one.
$validated = (in_array($user, $valid_users)) && ($pass == $valid_passwords[$user]);
if(!$validated)
{
    header('WWW-Authenticate: Basic realm="You need to be authenticated to access the resource!"');
    header('HTTP/1.0 401 Unauthorized');
    exit("Not authorized");
    // Unreachable: exit() above has already terminated the script.
    echo ob_get_clean();
}

This works correctly on localhost when this ("matrixUlt" => "$ecurEh1FIVE") username:password is given, but it keeps showing the auth dialog on the LIVE server / production environment. Any ideas why this is not working?

webblover
  • What do you think happens when you put a `$` inside of double-quotes for variables? Try `('matrixUlt' => '$ecurEh1FIVE')` instead. – sjagr Feb 06 '15 at 15:51
  • what is the difference between single and double quotes here in PHP array? It works in local and so should it work in live! I think the problem is something else. – webblover Feb 06 '15 at 15:53
  • If you put a variable (so something that starts with $ for PHP) inside of double-quotes, PHP will try to put the content of the variable in there. Use single quotes if `$ecurEh1FIVE` is text and not a variable. – Drown Feb 06 '15 at 16:05
  • @Drown - Or better yet, *don't store the plaintext password*. Consider using [`password_hash()`](http://php.net/manual/en/function.password-hash.php) instead. – Mr. Llama Feb 06 '15 at 16:07
  • I have updated username:password as => ('matrixult' => 'securehifive'). It does not work either way. One more question here: If I am going to use **$_SERVER['REMOTE_USER']** instead of **$_SERVER['PHP_AUTH_USER']**, what will be the server variable for password? – webblover Feb 06 '15 at 16:08
  • @Mr.Llama , thanks very much. I will hash the password. Good tips. – webblover Feb 06 '15 at 16:09
  • @webblover - Two things: consider doing a `print_r($_SERVER)` for debugging purposes to see what PHP is seeing. Secondly, check the individual values of `in_array($user, $valid_users)` and `$pass == $valid_passwords[$user]` to see why `$validated` is false. – Mr. Llama Feb 06 '15 at 16:16
  • @Mr.Llama I have already tried var_dump and echo. Nothing works here as it's just showing authentication dialog box. I even used **exit** & die functions; nothing helped me to debug it in production server. – webblover Feb 06 '15 at 16:20
  • Are you sure that in production, the user/pwd has been set up as valid with the web server for basic auth? It sounds like in DEV you have defined the 'matrixult' user/password, but in production you have not. That would cause the re-prompt to happen continuously. (If this is Apache, for example, you'd need to use htpasswd to set up the 'matrixult' user on the PROD server password file.) – Matt Runion Feb 06 '15 at 16:28
  • @mrunion Yes, I am using Apache web server but this **does not require htpasswd file** since we store the username:password data in the PHP file itself. Please see this example taken from **php.net** [**Http Authentication**](http://php.net/manual/en/features.http-auth.php#73386) – webblover Feb 06 '15 at 16:32
  • @webblover - You did put the `print_r` *before* the `ob_start`, right? – Mr. Llama Feb 06 '15 at 16:37
  • @webblover. Are you sure that PROD is set up the same as DEV? There are some settings that can cause the PHP_AUTH variables not to be set (from: http://php.net/manual/en/features.http-auth.php): "In order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page and safe mode is enabled. Regardless, REMOTE_USER can be used to identify the externally-authenticated user." So, you can use $_SERVER['REMOTE_USER']. – Matt Runion Feb 06 '15 at 16:41

2 Answers


Sorry for the whole mess and confusion: I am running CGI/FastCGI in production, so it's not possible to use HTTP authentication in PHP running under this FastCGI.

This StackOverflow answer gave me the hint: https://stackoverflow.com/a/7053320/1786360. I didn't notice this in the PHP manual because it is missing there.

webblover
  • So, what is the solution for users running the **script in CGI/FastCGI** server API like me? I want Http Authentication here. Anybody have any suggestions or ideas to help me out? – webblover Feb 06 '15 at 16:42

Check whether your server sets PHP_AUTH_USER and PHP_AUTH_PW or not; if not, the dialog will keep asking for them. To solve this you need to add the line below to your .htaccess:

SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

Hope it will solve your issue.
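Added example, not code from the question or from either answer: a PHP Basic-auth check that works both under mod_php (where Apache sets PHP_AUTH_USER/PHP_AUTH_PW) and under CGI/FastCGI with the SetEnvIf line above in place (where the script has to decode the forwarded Authorization header itself), and that stores a password_hash() value instead of the plaintext, as suggested in the comments on the question. The function names, the realm text, the dummy hash and the constructed $_SERVER arrays are my own assumptions, not anything from the page.

```php
<?php
declare(strict_types=1);

// Added example (not from the question or the answers).
// Basic auth that works under mod_php (PHP_AUTH_USER/PHP_AUTH_PW set by Apache)
// and under CGI/FastCGI, where those variables are absent and the raw header
// must be forwarded by the .htaccess line
//     SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
// After a mod_rewrite redirect Apache renames the variable
// REDIRECT_HTTP_AUTHORIZATION, so both names are checked below.

/**
 * Extract [user, password] from the request environment, or null when no
 * usable Basic credentials were sent.
 */
function basic_auth_credentials(array $server): ?array
{
    // mod_php path: Apache already decoded the header for us.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }

    // CGI/FastCGI path: parse "Authorization: Basic <base64>" ourselves.
    $header = $server['HTTP_AUTHORIZATION']
        ?? $server['REDIRECT_HTTP_AUTHORIZATION']
        ?? '';
    if (!preg_match('~^Basic\s+([A-Za-z0-9+/=]+)$~i', trim($header), $m)) {
        return null;
    }

    $decoded = base64_decode($m[1], true);   // strict mode rejects malformed base64
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }

    // RFC 7617: the user-id cannot contain ':', the password can,
    // so split on the first colon only.
    return explode(':', $decoded, 2);
}

/**
 * Check credentials against a user => password_hash() table.
 * An unknown user is still verified against $dummyHash so that a missing
 * account costs the same time as a wrong password (no username enumeration
 * through response timing).
 */
function basic_auth_validate(?array $creds, array $users, string $dummyHash): bool
{
    if ($creds === null) {
        return false;
    }
    [$user, $pass] = $creds;
    $known = array_key_exists($user, $users);
    $ok = password_verify($pass, $known ? $users[$user] : $dummyHash);
    return $known && $ok;
}

/**
 * Send the 401 challenge and stop unless the request is authenticated.
 * http_response_code() sets the status correctly under both mod_php and CGI.
 */
function basic_auth_require(array $users, string $dummyHash, string $realm): void
{
    if (basic_auth_validate(basic_auth_credentials($_SERVER), $users, $dummyHash)) {
        return;
    }
    // The realm is a quoted-string; drop characters that would break the quoting.
    $realm = str_replace(['"', "\r", "\n"], '', $realm);
    header('WWW-Authenticate: Basic realm="' . $realm . '", charset="UTF-8"');
    http_response_code(401);
    exit('Not authorized');
}

// ---- usage ----
// Demo only: hashing the plaintext at startup still keeps the secret in the file.
// In production run password_hash() once, paste the resulting string here and
// never keep the plaintext. Single quotes, so '$ecurEh1FIVE' is literal text.
$users = ['matrixUlt' => password_hash('$ecurEh1FIVE', PASSWORD_DEFAULT)];
$dummy = password_hash('not-a-real-password', PASSWORD_DEFAULT);

// Offline self-check on a constructed FastCGI-style environment (no real request).
$cgiEnv = ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('matrixUlt:$ecurEh1FIVE')];
assert(basic_auth_validate(basic_auth_credentials($cgiEnv), $users, $dummy) === true);
$badEnv = ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('matrixUlt:wrong')];
assert(basic_auth_validate(basic_auth_credentials($badEnv), $users, $dummy) === false);
assert(basic_auth_credentials(['HTTP_AUTHORIZATION' => 'Bearer abc']) === null);

basic_auth_require($users, $dummy, 'You need to be authenticated to access the resource!');
echo 'Authenticated as ', htmlspecialchars(basic_auth_credentials($_SERVER)[0], ENT_QUOTES, 'UTF-8');
```

The self-check assertions only run when zend.assertions is enabled (the default in development builds). If the SetEnvIf line has no effect in your setup (for example when PHP runs behind mod_proxy_fcgi), Apache 2.4.13 and later can forward the header directly with the CGIPassAuth On directive instead; the parsing in basic_auth_credentials() is the same either way.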