
In PHP, for the URL `http://usx:psx@fw.eg-03.local/pax-neo-sandbox/v1/e`, where do I get the username usx and password psx parts?

Based on the URL: "Username and password in https url", I couldn't find it in the headers. My .htaccess also has the lines:

```apache
RewriteCond %{HTTP:Authorization} ^(.+)$
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
```

If this is a duplicate, could you please point me in the right direction? I was unable to find it on Stack Overflow.

Also, I don't need a username and password solution. I just need to get all the url parts or a reason for why PHP (or server) drops this.

Thanks in advance!

Brian Pinto
  • Why would you need to get these details in a PHP script? Basic Auth is handled directly by the webserver anyway. – ADyson Apr 11 '23 at 22:20
  • [Look here](https://www.php.net/manual/en/features.http-auth.php#70864) – Pippo Apr 11 '23 at 22:27
  • @ADyson - analyze the full information of the request received and log it. – Brian Pinto Apr 11 '23 at 22:30
  • But why would that involve logging the user's credentials? In fact logging that ought to be considered a security risk. I guess maybe knowing the username could be useful, but not the password. – ADyson Apr 11 '23 at 22:31
  • Ultimately though, you might be better with a PHP based login system. Basic auth is just that...for basic cases. – ADyson Apr 11 '23 at 22:32
  • @ADyson - This is not for an engineered solution. It is an os cli + web + api based interface developed using php and c#. I only need to know if what the user sent as a request (typed in the browser bar) is received within php. We know '# part' doesn't need to come. – Brian Pinto Apr 11 '23 at 22:48
  • @Pippo Looks like HTTP_AUTHORIZATION doesn't get set from the URL parts - it only gets set when credentials are typed in from Basic Auth – Brian Pinto Apr 11 '23 at 23:01
  • @BrianPinto you are right, I did some tests and it seems that the Authorization header is 'ignored', perhaps for security reasons. Anyway, take a look at my answer – Pippo Apr 12 '23 at 01:13

1 Answer

After some tests I realized that `%{HTTP:Authorization}` seems to be ignored by Apache, even when sending it from another application using cURL with explicit headers. Perhaps for security reasons.

BUT in my php $_SERVER variable I can find user and password under 'PHP_AUTH_USER' and 'PHP_AUTH_PW' keys.

Moreover, for basic auth, I was able to extract the user and password from headers using this instruction:

```php
// Split on the first ':' only, since the password itself may contain ':'
[$user, $password] = explode(':', base64_decode(str_replace('Basic ', '', getallheaders()['Authorization'])), 2);
```

(in the real world a bit of error management is needed)

Pippo
  • Thanks for this answer - took me a while though. You must be able to see this in your server because it may be run as an 'Apache Module', but these server variables disappear when run as a CGI module (but it comes from the header and not the URL parts). Ultimately it seems that the standard of [URL parts](https://url.spec.whatwg.org/) is not followed. Even the URL spec doesn't have a TLDR and nothing definitive. Looks like this needs a wait for web standards to evolve :(. I've ignored it in the design. I have upvoted your answer though – Brian Pinto Apr 30 '23 at 02:32
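
An added example, not part of the original question or answer: one way to read Basic credentials in PHP across the cases discussed in this thread (Apache module, and CGI with the rewrite rule from the question), with the error handling the answer mentions, producing a log record that keeps the username and leaves the password out. The function names are hypothetical, the sample arrays are constructed, and the `REDIRECT_HTTP_AUTHORIZATION` key is the name Apache gives the variable after an internal redirect.

```php
<?php
// Added example: recover HTTP Basic credentials from a $_SERVER-style array
// and build a log-safe record. Function names are hypothetical.

function basicCredentials(array $server): ?array
{
    // mod_php decodes the header itself and exposes these two keys.
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    // CGI/FastCGI: the header only arrives if the server forwards it, e.g. via
    // the RewriteRule [E=HTTP_AUTHORIZATION:...] from the question. Apache
    // prefixes the variable with REDIRECT_ after an internal redirect.
    $header = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? null;
    if ($header === null || !preg_match('/^Basic\s+(\S+)$/i', trim($header), $m)) {
        return null;                       // absent, or not the Basic scheme
    }
    $decoded = base64_decode($m[1], true); // strict: reject non-base64 input
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the first ':' only; the password may contain ':'.
    return explode(':', $decoded, 2);
}

function loggableAuth(array $server): array
{
    $creds = basicCredentials($server);
    if ($creds === null) {
        return ['auth' => 'none'];
    }
    // Record the username only; never write the password to a log.
    return ['auth' => 'basic', 'user' => $creds[0], 'password' => '[redacted]'];
}

// Constructed sample inputs (not captured from a real server).
$cgi    = ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('usx:ps:x')];
$modPhp = ['PHP_AUTH_USER' => 'usx', 'PHP_AUTH_PW' => 'psx'];
$noAuth = ['REQUEST_URI' => '/pax-neo-sandbox/v1/e'];

foreach ([$cgi, $modPhp, $noAuth] as $sample) {
    echo json_encode(loggableAuth($sample)), PHP_EOL;
}
```

In a real request handler, pass `$_SERVER` to `loggableAuth()`; the third sample shows that a request carrying only a path yields no credentials, because the userinfo is not part of what the server receives as the request URI.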