features.http-auth.html

   seem very picky about the order of the headers.  Sending the   <em class="emphasis">WWW-Authenticate</em> header before the   <i>HTTP/1.0 401</i> header seems to do the trick   for now.  </p>  <p class="simpara">   As of PHP 4.3.0, in order to prevent someone from writing a script which   reveals the password for a page that was authenticated through a   traditional external mechanism, the PHP_AUTH variables will not be    set if external authentication is enabled for that particular   page and <a href="features.safe-mode.html#ini.safe-mode" class="link">safe mode</a> is enabled.  Regardless,    <var class="varname">REMOTE_USER</var> can be used    to identify the externally-authenticated user.  So, you can use     <var class="varname"><a href="reserved.variables.server.html" class="classname">$_SERVER['REMOTE_USER']</a></var>.  </p>  <blockquote><p><b class="note">Note</b>:    <b>Configuration Note</b><br />       PHP uses the presence of an <i>AuthType</i> directive    to determine whether external authentication is in effect.   <br />  </p></blockquote>  <p class="simpara">   Note, however, that the above does not prevent someone who   controls a non-authenticated URL from stealing passwords from   authenticated URLs on the same server.  </p>  <p class="simpara">   Both Netscape Navigator and Internet Explorer will clear the local browser   window&#039;s authentication cache for the realm upon receiving a   server response of 401. This can effectively &quot;log out&quot; a user,   forcing them to re-enter their username and password. Some people   use this to &quot;time out&quot; logins, or provide a &quot;log-out&quot; button.  
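</p>
<p class="para">
<div class="example">
<p><b>Example #3 HTTP Authentication example forcing a new name/password</b></p>
<div class="example-contents"><div class="phpcode"><code><span style="color: #000000"><span style="color: #0000BB">&lt;?php<br /></span><span style="color: #007700">function&nbsp;</span><span style="color: #0000BB">authenticate</span><span style="color: #007700">()&nbsp;{<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">header</span><span style="color: #007700">(</span><span style="color: #DD0000">'WWW-Authenticate:&nbsp;Basic&nbsp;realm="Test&nbsp;Authentication&nbsp;System"'</span><span style="color: #007700">);<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">header</span><span style="color: #007700">(</span><span style="color: #DD0000">'HTTP/1.0&nbsp;401&nbsp;Unauthorized'</span><span style="color: #007700">);<br />&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;</span><span style="color: #DD0000">"You&nbsp;must&nbsp;enter&nbsp;a&nbsp;valid&nbsp;login&nbsp;ID&nbsp;and&nbsp;password&nbsp;to&nbsp;access&nbsp;this&nbsp;resource\n"</span><span style="color: #007700">;<br />&nbsp;&nbsp;&nbsp;&nbsp;exit;<br />}<br />&nbsp;<br />if&nbsp;(!isset(</span><span style="color: #0000BB">$_SERVER</span><span style="color: #007700">[</span><span style="color: #DD0000">'PHP_AUTH_USER'</span><span style="color: #007700">])&nbsp;||<br />&nbsp;&nbsp;&nbsp;&nbsp;(isset(</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'SeenBefore'</span><span style="color: #007700">],&nbsp;</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'OldAuth'</span><span style="color: #007700">])&nbsp;&amp;&amp;<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'SeenBefore'</span><span style="color: #007700">]&nbsp;==&nbsp;</span><span style="color: #0000BB">1&nbsp;</span><span style="color: #007700">&amp;&amp;&nbsp;</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'OldAuth'</span><span style="color: #007700">]&nbsp;==&nbsp;</span><span style="color: #0000BB">$_SERVER</span><span style="color: #007700">[</span><span style="color: #DD0000">'PHP_AUTH_USER'</span><span style="color: #007700">]))&nbsp;{<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">authenticate</span><span style="color: #007700">();<br />}&nbsp;else&nbsp;{<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #FF8000">//&nbsp;Escape&nbsp;every&nbsp;value&nbsp;that&nbsp;is&nbsp;reflected&nbsp;into&nbsp;the&nbsp;page<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$user&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">htmlspecialchars</span><span style="color: #007700">(</span><span style="color: #0000BB">$_SERVER</span><span style="color: #007700">[</span><span style="color: #DD0000">'PHP_AUTH_USER'</span><span style="color: #007700">],&nbsp;</span><span style="color: #0000BB">ENT_QUOTES</span><span style="color: #007700">);<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$old&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">htmlspecialchars</span><span style="color: #007700">(isset(</span><span style="color: #0000BB">$_REQUEST</span><span style="color: #007700">[</span><span style="color: #DD0000">'OldAuth'</span><span style="color: #007700">])&nbsp;?&nbsp;</span><span style="color: #0000BB">$_REQUEST</span><span style="color: #007700">[</span><span style="color: #DD0000">'OldAuth'</span><span style="color: #007700">]&nbsp;:&nbsp;</span><span style="color: #DD0000">''</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">ENT_QUOTES</span><span style="color: #007700">);<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$self&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">htmlspecialchars</span><span style="color: #007700">(</span><span style="color: #0000BB">$_SERVER</span><span style="color: #007700">[</span><span style="color: #DD0000">'PHP_SELF'</span><span style="color: #007700">],&nbsp;</span><span style="color: #0000BB">ENT_QUOTES</span><span style="color: #007700">);<br />&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;</span><span style="color: #DD0000">"&lt;p&gt;Welcome:&nbsp;{$user}&lt;br&nbsp;/&gt;"</span><span style="color: #007700">;<br />&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;</span><span style="color: #DD0000">"Old:&nbsp;{$old}"</span><span style="color: #007700">;<br />&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;</span><span style="color: #DD0000">"&lt;form&nbsp;action='{$self}'&nbsp;METHOD='post'&gt;\n"</span><span style="color: #007700">;<br />&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;</span><span style="color: #DD0000">"&lt;input&nbsp;type='hidden'&nbsp;name='SeenBefore'&nbsp;value='1'&nbsp;/&gt;\n"</span><span style="color: #007700">;<br />&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;</span><span style="color: #DD0000">"&lt;input&nbsp;type='hidden'&nbsp;name='OldAuth'&nbsp;value='{$user}'&nbsp;/&gt;\n"</span><span style="color: #007700">;<br />&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;</span><span style="color: #DD0000">"&lt;input&nbsp;type='submit'&nbsp;value='Re&nbsp;Authenticate'&nbsp;/&gt;\n"</span><span style="color: #007700">;<br />&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;</span><span style="color: #DD0000">"&lt;/form&gt;&lt;/p&gt;\n"</span><span style="color: #007700">;<br />}<br /></span><span style="color: #0000BB">?&gt;</span></span></code></div>
</div>
</div>
</p>
<p class="simpara">
This behavior is not required by the HTTP Basic authentication standard, so you should never depend on this. Testing with Lynx has shown that Lynx does not clear the authentication credentials with a 401 server response, so pressing back and then forward again will open the resource as long as the credential requirements haven&#039;t changed.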
The user can press the &#039;_&#039; key to clear their authentication information, however.
</p>
<p class="simpara">
Also note that until PHP 4.3.3, HTTP Authentication did not work using Microsoft&#039;s IIS server with the CGI version of PHP due to a limitation of IIS. In order to get it to work in PHP 4.3.3+, you must edit your IIS configuration &quot;Directory Security&quot;. Click on &quot;Edit&quot; and only check &quot;Anonymous Access&quot;; all other fields should be left unchecked.
</p>
<p class="simpara">
Another limitation is that if you&#039;re using the IIS module (ISAPI) and PHP 4, you may not use the <i>PHP_AUTH_*</i> variables; instead, the variable <i>HTTP_AUTHORIZATION</i> is available. For example, consider the following code: <i>list($user, $pw) = explode(&#039;:&#039;, base64_decode(substr($_SERVER[&#039;HTTP_AUTHORIZATION&#039;], 6)), 2);</i> The limit of <i>2</i> splits on the first colon only, so a password that itself contains a colon is kept whole.
</p>
<blockquote><p><b class="note">Note</b>:
<b>IIS Note:</b><br />
<span class="simpara">
For HTTP Authentication to work with IIS, the PHP directive <a href="ini.core.html#ini.cgi.rfc2616-headers" class="link">cgi.rfc2616_headers</a> must be set to <i>0</i> (the default value).
</span>
</p></blockquote>
<blockquote><p><b class="note">Note</b>:
If <a href="features.safe-mode.html#ini.safe-mode" class="link">safe mode</a> is enabled, the uid of the script is added to the <i>realm</i> part of the <i>WWW-Authenticate</i> header.
<br />
</p></blockquote>
</div><hr /><div style="text-align: center;">
<div class="prev" style="text-align: left; float: left;"><a href="features.html">Features</a></div>
<div class="next" style="text-align: right; float: right;"><a href="features.cookies.html">Cookies</a></div>
<div class="up"><a href="features.html">Features</a></div>
<div class="home"><a href="index.html">PHP Manual</a></div></div></body></html>
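Added example (not part of the PHP manual): a stricter way to read the HTTP_AUTHORIZATION value mentioned in the ISAPI paragraph, rejecting non-Basic schemes, invalid base64 and missing separators instead of assuming the header is well formed. The function name parse_basic_authorization and the sample headers are constructed for illustration, and the code assumes a PHP version that provides json_encode.

```php
<?php
/**
 * Parse a Basic "Authorization" header value into array(user, password).
 * Returns null for anything that is not well-formed Basic credentials.
 * (Hypothetical helper, not a PHP built-in.)
 */
function parse_basic_authorization($header)
{
    // Scheme name is case-insensitive; the token must use only base64 characters
    if (!is_string($header) ||
        !preg_match('/^Basic +([A-Za-z0-9+\/]+={0,2})$/i', trim($header), $m)) {
        return null;
    }
    // Strict mode returns false instead of silently skipping invalid input
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the first colon only: the password may itself contain ':'
    list($user, $pw) = explode(':', $decoded, 2);
    // Reject control characters so the values cannot smuggle newlines into logs or headers
    if (preg_match('/[\x00-\x1F\x7F]/', $user . $pw)) {
        return null;
    }
    return array($user, $pw);
}

// Constructed sample headers (not from the original page)
$samples = array(
    'Basic ' . base64_encode('alice:s3cret'),
    'basic ' . base64_encode('bob:pa:ss:word'),   // password containing colons
    'Basic !!!not-base64!!!',                      // invalid token
    'Bearer abc.def.ghi',                          // different scheme
    'Basic ' . base64_encode('no-colon-here'),     // no user/password separator
);
foreach ($samples as $h) {
    $creds = parse_basic_authorization($h);
    echo $h, ' => ', $creds === null ? 'rejected' : json_encode($creds), "\n";
}

// In a request handler the input would be:
//   isset($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] : null
```

A null result should be answered with the same 401 and WWW-Authenticate headers as a missing header, so malformed input is handled exactly like absent credentials.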
