From:             lutz dot schwarz at cgs dot de
Operating system: Win NT
PHP version:      4.3.2
PHP Bug Type:     Variables related
Bug description:  WWW-Authenticate always fails if register_globals=off

Description:
------------
If registering global variables is enabled (php.ini: register_globals =
on), the variables $PHP_AUTH_USER and $GLOBALS['PHP_AUTH_USER'] are
implicitly set to the values the browser sent. That works fine.

In case registering global variables is disabled (php.ini:
register_globals = off), neither $PHP_AUTH_USER nor
$GLOBALS['PHP_AUTH_USER'] is set. This IS desired for $PHP_AUTH_USER but
it seems to be wrong for $GLOBALS['PHP_AUTH_USER'].

Since I found no other way to get the username and password entered by
the user, a site cannot use "WWW-Authenticate" if register_globals is
off.

I use PHP compiled as Apache module on a Windows-NT4.

PHP Version:
PHP 4.3.2 (cgi-fcgi), Copyright (c) 1997-2003 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2003 Zend Technologies
    with DBG v2.11.23, (C) 2000,2001,2002,2003, by Dmitri Dmitrienko

Apache version:
Server version: Apache/2.0.46
Server built:   Jun  2 2003 20:35:59


Reproduce code:
---------------
<?php
    if (!isset($GLOBALS['PHP_AUTH_USER']))
    {
        Header( "WWW-Authenticate: Basic realm=\"Test Authentication System\"");
        Header( "HTTP/1.0 401 Unauthorized");
        echo "You must enter a valid login ID and password to access this resource.\n";
        exit;
    }
    // never reached if "register_globals = Off" in php.ini
    echo "Hello {$GLOBALS['PHP_AUTH_USER']} !!<br>";
?>


Expected result:
----------------
Hello what_ever_i_entered_as_username !!


Actual result:
--------------
The browser repeats showing the authentication dialog until pressing
cancel. Then the browser shows:
You must enter a valid login ID and password to access this resource.

-- 
Edit bug report at http://bugs.php.net/?id=26606&edit=1
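
Added example, not part of the original report and not PHP project code: with register_globals off, PHP exposes HTTP Basic credentials through the $_SERVER superglobal as PHP_AUTH_USER and PHP_AUTH_PW. The sketch below reads them from there and falls back to decoding a raw Authorization header; it assumes PHP 5.5 or later, a web server that forwards the header as HTTP_AUTHORIZATION, and a constructed demo account. The helper names basic_credentials and is_valid_login are hypothetical.

```php
<?php
// Added example. The account and password below are constructed for illustration.
// Assumes PHP 5.5+ (password_hash / password_verify).

/**
 * Return array(user, password) from a $_SERVER-style array, or null when no
 * Basic credentials were sent. Does not depend on register_globals.
 */
function basic_credentials(array $server)
{
    // Populated by PHP itself when it handles HTTP authentication.
    if (isset($server['PHP_AUTH_USER'])) {
        $pw = isset($server['PHP_AUTH_PW']) ? $server['PHP_AUTH_PW'] : '';
        return array($server['PHP_AUTH_USER'], $pw);
    }
    // Fallback (assumption: the server passes the header as HTTP_AUTHORIZATION).
    $header = isset($server['HTTP_AUTHORIZATION']) ? $server['HTTP_AUTHORIZATION'] : '';
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/]+=*)$/i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // A password may contain ':', so split on the first colon only.
    return explode(':', $decoded, 2);
}

function is_valid_login($creds, array $users)
{
    if ($creds === null || !isset($users[$creds[0]])) {
        return false;
    }
    return password_verify($creds[1], $users[$creds[0]]);
}

// Constructed sample account; a real site would load stored hashes instead.
$users = array('demo' => password_hash('constructed-password', PASSWORD_DEFAULT));
$creds = basic_credentials($_SERVER);

if (!is_valid_login($creds, $users)) {
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="Test Authentication System"');
    echo "You must enter a valid login ID and password to access this resource.\n";
    exit;
}
// Escape the browser-supplied name before echoing it into HTML.
echo 'Hello ' . htmlspecialchars($creds[0], ENT_QUOTES, 'UTF-8') . ' !!<br>';
```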