ID: 20441 Comment by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] Status: Closed Bug Type: Apache related Operating System: all PHP Version: 4.3.0 New Comment:
The suggestion that $REMOTE_USER still works and can be used in Safe mode is only party true. I noticed that this variable is filled with the username supplied by the external basic auth mechanism (.htaccess) unless you are in a script which has been called by a <form action=XXX method="post">. With method="get" it works OK. I need the $REMOTE_USER to lookup users from the database and find their ID in the DB. The method="get" option is a workaround, but this does not work in upload scripts, which has to use "post". Is this a new bug? Previous Comments: ------------------------------------------------------------------------ [2002-12-21 15:16:22] [EMAIL PROTECTED] It has been agreed in php-dev to keep the PHP_AUTH_* variables but to disable them when in safe mode. This change was made after 4.3.0-RC4 but will exist in PHP 4.3.0. This is from the PHP 4.3.0 NEWS: Make PHP_AUTH_* variables not available in safe mode under Apache when an external basic auth mechanism is used. (Philip) REMOTE_USER will exist regardless. In the future, a new ini directive such as expose_php_auth_vars may be available. The docs will be updated. ------------------------------------------------------------------------ [2002-12-18 15:21:10] [EMAIL PROTECTED] This needs to be fixed before 4.3 goes out. While it is of course important to improve the code and iron out long standing errors, we must not forget that our users rely on the old behaviour. The default behaviour of 4.3 should be the same as in old versions. ------------------------------------------------------------------------ [2002-12-18 13:29:19] [EMAIL PROTECTED] This problem has just caused me a big headache - a customer has been relying on the fact that both .htaccess and PHP_AUTH_USER have been available in parallel since at least PHP 4. They've asked me to fix their scripts, but it would be a massive rewrite to sort out. I only have two customers who do their own scripting, and 50% of them are bitten by this. I think that 4.3.0 may well annoy lots of people with this. I can see from the documentation of bug #19251 why the change has been made, and I understand that that the manual documents the new behaviour, but I suspect this misbehaviour is widely relied upon, and perhaps we should consider an php.ini switch. The only economic solution I can suggest for my customer in the meanwhile is for me to patch php back to its old behaviour. ------------------------------------------------------------------------ [2002-12-11 10:58:19] [EMAIL PROTECTED] We fixed a bug, period. Derick ------------------------------------------------------------------------ [2002-12-11 10:53:53] [EMAIL PROTECTED] Can someone explain this? Apparently some external auth systems did not populate PHP_AUTH_USER while others did... Was this BC break discussed? It has been documented forever but this behavior changed so please explain it. ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/20441 -- Edit this bug report at http://bugs.php.net/?id=20441&edit=1