18

HTTP_AUTHORIZATION seems to be a server side environment variable, but what values can it be? Are there examples? Is it set by some HTTP headers?

Also, what does it look like on the browser side when it asks for a username and password (is it an HTML form, or is it a popup box that asks for the username and password (which is modal, so that if the user does not click OK or Cancel, the browser cannot be clicked on))?

Usually, a user login form will POST to the server with POST variables such as

username=peter&password=123

so what is this HTTP_AUTHORIZATION about?

nonopolarity

3 Answers

33

Just so we're on the same page, a typical POST request looks something like this:

POST /some/page HTTP/1.1                            <-- request line
Host: www.example.com                               <-------------------\
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-US) <--| headers
Content-Length: 27                                  <-------------------/
... some other headers ...
                                                    <-- blank line
username=peter&password=123                         <-- POST data, if any

The environment variables beginning HTTP_ are a hangover from the days when CGI scripts were the main way to serve dynamic content, and they indicate to your server-side code that the client supplied a particular header as part of the request. From the CGI spec:

Meta-variables with names beginning with "HTTP_" contain values read from the client request header fields, if the protocol used is HTTP. The HTTP header field name is converted to upper case, has all occurrences of "-" replaced with "_" and has "HTTP_" prepended to give the meta-variable name.

The Authorization: header is used in a number of HTTP authentication mechanisms; the usual flow is:

  1. browser attempts to request a page
  2. server responds with "401 Unauthorized" and a WWW-Authenticate: header containing a scheme and (sometimes) a challenge
  3. browser prompts user for credentials, then re-sends the request with an Authorization: header containing a response to the challenge

The exact format of the challenge and response differs depending on which authentication scheme is in use; RFC2617 (which gpcz linked to) covers "basic" (most common, sends base64-encoded "username:password") and "digest" (contains a cryptographic hash), and NTLM is another that's seen in some Windows environments.

SimonJ
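As an added illustration of the answer above (example code, not from the original post or any project): the CGI naming rule that turns a request header into an HTTP_ meta-variable, a parser for the "basic" scheme's base64-encoded "username:password", and the 401 + WWW-Authenticate challenge that makes the browser show its native credential dialog. The header values, realm name and credentials are constructed sample data.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample request headers, as a CGI host would see them.
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "Content-Length": "27",
    "Authorization": "Basic " + base64.b64encode(b"peter:123").decode(),
}

def cgi_meta_variables(headers: Dict[str, str]) -> Dict[str, str]:
    """Apply the CGI rule: upper-case the name, '-' -> '_', prefix HTTP_.
    (Real servers special-case a few headers, e.g. Content-Length becomes
    CONTENT_LENGTH, and Apache drops Authorization for CGI scripts unless
    told otherwise, which is why the Joomla rewrite rule below exists.)"""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}

def parse_basic_credentials(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from a 'Basic' Authorization value, else None.
    Base64 is encoding, not encryption: anyone who sees the header recovers
    the password, so Basic is only acceptable over TLS."""
    if not authorization:
        return None
    scheme, _, payload = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None  # digest, NTLM, bearer, ... need their own parsers
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed base64 or non-UTF-8 bytes: treat as absent
    user, sep, password = decoded.partition(":")
    if not sep:
        return None  # the colon separator is mandatory
    return user, password

def handle_request(meta: Dict[str, str], expected_user: str, expected_pw: str):
    """Steps 2 and 3 of the flow: challenge when credentials are absent or wrong."""
    creds = parse_basic_credentials(meta.get("HTTP_AUTHORIZATION"))
    ok = (creds is not None
          and hmac.compare_digest(creds[0].encode(), expected_user.encode())
          and hmac.compare_digest(creds[1].encode(), expected_pw.encode()))
    if not ok:
        # WWW-Authenticate is what triggers the browser's modal login dialog
        # (not an HTML form); the realm is a constructed placeholder.
        return 401, {"WWW-Authenticate": 'Basic realm="example"'}
    return 200, {}
```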
3

A detailed description of the HTTP Authorization header can be found in RFC2617, located at http://www.ietf.org/rfc/rfc2617.txt , section 3.2.2.

gpcz
    thanks... fortunately, it is not a 200 page document... in what way is this username and password request presented to a user (on a browser)? – nonopolarity Feb 24 '11 at 21:21
  • I'm not 100% sure, but my guess is this is the way that the old-school .htaccess-style authentication is done, where a dialog box pops up with a username/password prompt. – gpcz Feb 24 '11 at 21:25
1

It might also be worth noting that the standard Joomla! .htaccess file has the following rule in it to set the HTTP_AUTHORIZATION environment variable based on the Authorization header in the request:

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]