
I have the need for a simple user/pass prompt on a page in an internal network, to pass those credentials along to an api call. I spent hours yesterday troubleshooting why this simple example:

    <?php
    // No credentials yet: send a Basic challenge so the browser shows its login prompt.
    if (!isset($_SERVER['PHP_AUTH_USER'])) {
        header('WWW-Authenticate: Basic realm="My Realm"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Text to send if user hits Cancel button';
        exit;
    } else {
        // Credentials arrived: PHP parsed them out of the Authorization request header.
        echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
        echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
    }
    ?>

When saved as "pw.php" on the root of my html/ dir, shows "Text to send if user hits Cancel button" with no sign of a prompt asking for username/passwd. I tested in Chrome/IE/Edge. I tested in multiple different (linux) VMs running apache 2.4; php 7.3.

I recreated, as closely as I could, this same setup at home. Same flavor of linux, same versions of apache and php. I created pw.php with the same code and immediately got a popup asking for user & password.

I verified both sides had $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] not defined before going to pw.php, at which point the home network shows both variables with the values I entered in the popup. The work network never shows "$_SERVER['PHP_AUTH_USER']" or "$_SERVER['PHP_AUTH_PW']".

Can anyone give me any ideas on what might be causing my work environment to act differently and never prompt for a password?

Both environments have a fairly new/fresh install of apache & php. All other functionality seems to be working, with complex websites loading and running identically. I can't figure out what is preventing this simple authentication POC from working. Thanks

Edit to add:

Using Chrome's network dev tool, I see a difference in:

Home: Status Code (200 OK)
Work: Status Code (401 Unauthorized)

**Home Response Headers**

    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    (no authenticate attribute)

**Work Response Headers**

    Connection: close
    (no Keep-Alive attribute)
    WWW-Authenticate: Basic realm="My Realm"

There's a firewall on the work side but I have a similar "other work" network with similar firewall/F5/etc and there's no issues there.

When I clear cookies/cache and reload the home network while watching the network monitor in Chrome, I see the same "401 Unauthorized" and other headers until a user/pw is entered, then it goes to "200 OK". On the work side, I never get the prompt; so with the same request headers what else could I look for?

  • When you're testing the work server, are there any nodes in between your browser and that server? e.g. firewalls, proxies, reverse proxies, gateways, routers, VPNs, anything like that which might strip information out of the HTTP request (or response)? – ADyson Apr 21 '22 at 15:34
  • Also have you done any debugging using your browser's network tools to verify what's being sent from the browser's point of view, and what's being received back? – ADyson Apr 21 '22 at 15:36
  • If you have useful info for us you need to [edit] your question to include it, not hide it in the comments :-) – ADyson Apr 21 '22 at 17:11
  • Silly question, but on the work one have you enabled [mod_auth_basic](https://httpd.apache.org/docs/2.4/mod/mod_auth_basic.html) (and any associated modules) in Apache? – ADyson Apr 21 '22 at 17:12
  • Can you tell I'm a relative stackoverflow noob? Yes, mod_auth_basic is present under "Loaded Modules" in both environments. I updated the original question with the other few question responses and deleted the respective comments. – user162124 Apr 21 '22 at 17:27
  • _"The work network never shows $_SERVER['PHP_AUTH_USER'] or $_SERVER['PHP_AUTH_PW']."_ - check if any of the reasons mentioned in [Why are $_SERVER["PHP_AUTH_USER"\] and $_SERVER["PHP_AUTH_PW"\] not set?](https://stackoverflow.com/q/14724127/1427878) might apply here. – CBroe Apr 22 '22 at 07:50
  • `header('HTTP/1.0 401 Unauthorized');` - might be counterproductive to respond with that, without checking whether the request was made using HTTP/1.0 to begin with. Try to get the protocol + version from `$_SERVER['SERVER_PROTOCOL']` here, or use `http_response_code()` instead. – CBroe Apr 22 '22 at 07:56
  • Nothing relevant in the linked stackoverflow question above. I don't use PHP-CGI, my environment looks to be the same. $_SERVER['SERVER_PROTOCOL'] is HTTP/1.1 in both. Any other way to troubleshoot this difference in behavior? – user162124 Apr 25 '22 at 17:36
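A diagnostic variant of pw.php, added here as an example rather than the asker's or any commenter's code: it logs which auth-related server variables actually reached PHP (so a stripped or mangled Authorization header shows up in the Apache error log), falls back to the raw `HTTP_AUTHORIZATION` / `REDIRECT_HTTP_AUTHORIZATION` variables that CGI/FastCGI setups or rewrite rules can leave you with, and uses `http_response_code()` instead of a hard-coded `HTTP/1.0` status line as CBroe suggests. The fallback variable names, the `CGIPassAuth`/`SetEnvIf` remark and the log format are assumptions of this example, not something the question confirms.

```php
<?php
// Example diagnostic variant of the question's pw.php (not the asker's code).
// Assumes Apache 2.4 + PHP 7.3 as in the question.

function basic_credentials(): ?array
{
    // 1. mod_php fills these in when the Authorization header reaches PHP intact.
    if (isset($_SERVER['PHP_AUTH_USER'])) {
        return [$_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ?? ''];
    }
    // 2. Under CGI/FastCGI or after a rewrite the raw header may only be here
    //    (Apache passes it through with "CGIPassAuth On" or a SetEnvIf rule).
    $raw = $_SERVER['HTTP_AUTHORIZATION'] ?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    if (stripos($raw, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($raw, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2);
}

function challenge(): void
{
    // Let PHP emit the status line for the negotiated protocol instead of HTTP/1.0.
    http_response_code(401);
    header('WWW-Authenticate: Basic realm="My Realm", charset="UTF-8"');
    header('Cache-Control: no-store');
    echo 'Text to send if user hits Cancel button';
}

// One line per request in the Apache error log: did the browser's Authorization
// header survive whatever sits between browser and Apache (proxy, F5, WAF)?
error_log(sprintf(
    'pw.php: proto=%s php_auth_user=%s http_authorization=%s',
    $_SERVER['SERVER_PROTOCOL'] ?? '?',
    isset($_SERVER['PHP_AUTH_USER']) ? 'set' : 'unset',
    isset($_SERVER['HTTP_AUTHORIZATION']) ? 'present' : 'absent'
));

$creds = basic_credentials();
if ($creds === null) {
    challenge();
    exit;
}
[$user, $pass] = $creds;
// Hand $pass to the API call; do not echo it back into the page.
echo '<p>Hello ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '.</p>';
```

Compare the logged line on the two networks after entering credentials: `php_auth_user=unset` together with `http_authorization=absent` means the Authorization header never reached Apache, which points at an intermediary rather than at PHP or the browser.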
