Guide: how to set php_auth_user

PHP_AUTH_USER is empty, and the system is using the Windows login credentials.

How can I change it?

I want to use the username and password entered by the user.

Jonas


asked Aug 25, 2010 at 12:45


See HTTP Authentication with PHP

jason

18 years ago

on the php+mysql auth code by tigran at freenet dot am

There are some security weaknesses.

First, $user and $pass are both insecure; they could leave this code open to SQL injection. You should always remove invalid characters in both, or at least encode them.

Actually storing passwords as MD5 hashes leaves you less work to secure.

Second security risk:
The same mysql user has rights to both update and select, and possibly even insert, and on your auth database no less.
Again, the SQL injection attack may occur with this, and the end user could then change the user's username, password, or anything else in relation to this.

The third item is more of a performance issue:

Do you really need to update the database? Updates are slower than selects, and if you do them every time they access the page, you are paying some speed penalty.

One option, if you want to use sql [I think mysql has it], is memory-only databases: create a table within memory that stores a unique session identifier for each user that is logged in, or alternatively, if it's a single front end system, you could use db files.

kembl at example dot com

16 years ago

# PHP [CGI mode] HTTP Authorization with ModRewrite:
# most correct example, with a check that the header is non-empty:
# (request headers are read as %{HTTP:name}; the flag list must not contain spaces)
RewriteEngine on
RewriteCond %{HTTP:Authorization} !^$
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},E=PHP_AUTH_USER:%{HTTP:Authorization},L]
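
The rule in the note above copies the raw Authorization header value (the scheme name followed by base64 text) into the environment rather than a username, so the PHP script still has to decode it. The following is an added example, not part of the original notes; the function names, the REDIRECT_ fallbacks and the realm string are assumptions.

```php
<?php
// Added example, not code from the original notes.

/** Decode a raw "Basic <base64>" value into [user, password], or null. */
function parse_basic_auth(?string $raw): ?array
{
    if ($raw === null || !preg_match('~^Basic\s+([A-Za-z0-9+/]+={0,2})$~i', trim($raw), $m)) {
        return null;                        // absent, or not the Basic scheme
    }
    $decoded = base64_decode($m[1], true);  // strict mode rejects malformed base64
    if ($decoded === false || strpos($decoded, ':') === false
        || preg_match('/[\x00-\x1F\x7F]/', $decoded)) {
        return null;                        // no separator, or control characters
    }
    return explode(':', $decoded, 2);       // split once: passwords may contain ':'
}

/** Credentials from $_SERVER under either SAPI, or null if none were sent. */
function basic_credentials(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];  // PHP parsed it
    }
    // Assumption: the rewrite rule's variables may carry a REDIRECT_ prefix
    // after an internal redirect, so both spellings are checked.
    $keys = ['PHP_AUTH_USER', 'REMOTE_USER', 'REDIRECT_PHP_AUTH_USER', 'REDIRECT_REMOTE_USER'];
    foreach ($keys as $key) {
        if (($creds = parse_basic_auth($server[$key] ?? null)) !== null) {
            return $creds;
        }
    }
    return null;
}

if (PHP_SAPI === 'cli') {
    // Constructed samples of the CGI environment with the rule applied.
    $sample = ['REMOTE_USER' => 'Basic ' . base64_encode('alice:pa:ss')];
    var_dump(basic_credentials($sample));                       // password contains ':'
    var_dump(basic_credentials(['REMOTE_USER' => 'Basic !!'])); // malformed base64
} elseif (basic_credentials($_SERVER) === null) {
    header('WWW-Authenticate: Basic realm="Restricted"');       // hypothetical realm name
    header('HTTP/1.0 401 Unauthorized');
    exit('Authentication required');
}
```

The decoded pair is only what the client claimed; it still has to be checked against the stored credentials before access is granted.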

nuno at mail dot ideianet dot pt

18 years ago

In Windows 2003 Server/IIS6 with the php4+ cgi I only get HTTP authentication working with:

with

doesn't work!
I also need in "Custom Errors" to select the range of "401;1" through "401;5" and click the "Set to Default" button.
Thanks rob at theblip dot com

rob at theblip dot com

18 years ago

Regarding HTTP authentication in IIS with the php cgi 4.3.4, there's one more step. I searched mightily and didn't find this information anywhere else, so here goes. When using HTTP auth with the php CGI, you need to do the following things:

1. In your php.ini file, set "cgi.rfc2616_headers = 0"

2. In Web Site Properties -> File/Directory Security -> Anonymous Access dialog box, check the "Anonymous access" checkbox and uncheck any other checkboxes [i.e. uncheck "Basic authentication," "Integrated Windows authentication," and "Digest" if it's enabled.] Click OK.

3. In "Custom Errors", select the range of "401;1" through "401;5" and click the "Set to Default" button.

It's this last step that is crucial, yet not documented anywhere. If you don't, instead of the headers asking for credentials, IIS will return its own fancy but useless 'you are not authenticated' page. But if you do, then the browser will properly ask for credentials, and supply them in the $_SERVER['PHP_AUTH_*'] elements.

s dot i dot g at gmx dot com

13 years ago
