I am currently working on a project that I've decided to go with basic HTTP authorization at the admin area for simplicity, however the company I'm working for already has HTTP authorization on their staging server and I was wondering if it is possible to have double HTTP authorization? Looking at the headers I thought that the realm part is what defines where the user is authorized but if I implement it like that currently, after I enter my credentials for the staging server and then on my inner authorization something that looks like an infinite loop starts, the page never loads.
Is this possible at all or is there some kind of error in my code?
The code is pretty basic stuff:
function require_auth() {
if (!isset($_SESSION['auth'])) {
if ($_SERVER['PHP_AUTH_USER'] === '...' && $_SERVER['PHP_AUTH_PW'] === '...') {
return $_SESSION['auth'] = true;
} else {
header('WWW-Authenticate: Basic realm="uniquerealm"');
header('HTTP/1.0 401 Unauthorized');
}
exit('403 access denied');
}
}
If the HTTP request passes through multiple servers, such as a reverse proxy then an app server, you can use HTTP Basic Auth on each server provided that you accept the same username and password and report the same realm on each server that checks the auth. The realm partitions the URL space that the user sees into different areas, rather than identifying a particular server as I think your question is implying. I've successfully implemented Basic Auth in multiple layers in the past when all 3 pieces matched between servers.
Using python httpx_auth, I successfully passed through two Basic HTTP Authentication with different credentials:
import httpx
from httpx_auth import Basic
with httpx.Client() as client:
a= client.get('https://example.com', auth=Basic('user1', 'password1') + Basic('user2','password2'))
Related
If HTTP authentification exists, like this:
if ($_SERVER['PHP_AUTH_USER'] === '...' &&
$_SERVER['PHP_AUTH_PW'] === '...') {
// Process user login.
} else {
header('WWW-Authenticate: Basic realm="Zone");
header('HTTP/1.0 401 Unauthorized');
die("Please enter username and password.");
}
Why google, facebook, everyone is using custom forms to perform authentifications? Am I missing something here?
The PHP_AUTH_USER and PHP_AUTH_PW server variables are by default set when the server is configured with basic authentication and if the client provides credentials through an authentication header.
Sites generally don't use basic authentication because its user experience in browsers is ... horrific.
Using a login form and a POST handler that processes the form, sites can provide a user-friendly, customized login experience.
I am new to CakePHP and am using version 2.7.5.
I followed the tutorial to create a basic REST service.
I now secured them using the basic auth tutorial.
Now, I have an AngularJS app over this REST service but need a way to prompt users to login or say their account does not have access to that resource.
Right now, when the REST call is made, and they do not have access, the response is a redirect HTML page to "/" or to logon. But I want the response in JSON with a message that says "access denied" or "session is up please logon.." etc.
I know it's the flash variable in cakephp but i am using AngularJS.
So my question is, where do I code in cakephp to send json response instead of HTML page redirect if a user does not have access to a certain rest url after logging in?
You can just return a response header back to the request with the correct status code(401).
if(!$authorized){
return header('HTTP/1.0 401 Unauthorized');
}
You can catch the error code in your request method, for example an ajax request
.error(status){
switch(status.code)
{
case 401:
//Unauthorized
break;
}
}
I am trying to authenticate with a family history web service that authenticates using OAuth2. The basic workflow of the authentication is that I submit a get request against the web service requesting an authentication session. It returns in the body of the response HTML Code with some login components for user name and password. My PHP application then echoes the html code to the browser. The end user can then enter his or her user name and password, then submit to the web service. This is where the behavior becomes unclear. In theory, The web service should redirect to a predefined redirect URI with some parameters included in the URL. In practice, however, submitting the password redirects to the pre registered redirect URI, but there are no parameters included in the URL. My Project is written primarily in PHP. This is a snippit of the code that makes the inital request for an authentication session.
function logOn($mainURL, $credentials)
{
// create a new HTTP_Request object to be used in the login process
$request = new HTTP_Request();
// set the URL of the HTTP_Request object to the family search identity/login endpoint
$request->setUrl("https://web-service/authentication/path?response_type=code&client_id=".$credentials['key']."&redirect_uri=https://www.myredirectPage.edu/");
$request->_useBrackets = false;
$request->addHeader("User-Agent", $credentials['agent']);
$request->addHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
$request->sendRequest();
//HTML_HEADER;
//the response will come in the form of an html file
$responseHtml = $request->getResponseBody();
//Dynamically load html from request body onto the browser to allow for authentication
echo $responseHtml;
return $credentials;
}
The end user will enter their login credentials using the loaded html components and hit submit. The web service then redirects to my redirect authentication page. The code there is provided below.
<?php
// process client request (Via url)
//gather code parameters from the redirect url.
if (isset($_GET['code']))
{
echo $_GET['code'];
}
else
{
echo "code not returned";
}
if (isset($_GET['error']))
{
echo $_GET['error'];
}
else
{
echo "error not returned";
}
?>
Thanks in advance to any help with this.
When I use Google Chrome's Network debugger tool, I saw that my project was making unexpected searches for Javascript and Css resources, all resulting in 404 (not found) errors. Upon closer inspection, I could see that the resources were relative paths to resources that are on the web service server. Rather than looking for 'https://webService.net/js/importantJavascript.js' (an existing file located on the service's web server), it was trying to find 'https://mywebpage.edu/js/importantJavascript.js'(a path to a file that doesn't exist).
how to create user authentication in php just the same way when we try to login to a router.
when i enter the url for example www.example.com/portal there should be a prompt like the above image asking username and password.
what type of authentication is this. how to code that in php.
NOTE: i have to full control of the server that i run. so is there any special module that needs to be installed i can do that.
This is called Basic Auth. See this example from the documentation:
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'Text to send if user hits Cancel button';
exit;
} else {
echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
?>
http://php.net/manual/en/features.http-auth.php
Essentially, you send the right headers with the status code of 401 Unauthorized. the browser sees this along with your WWW-Authenticate header and prompts the user for you. Once this is done, you are able to see the username and password in $_SERVER['PHP_AUTH_USER'] as well as $_SERVER['PHP_AUTH_PW'].
You should know though that if you are using basic auth, the username/password are sent plaint-text. You must use HTTPS if you want any sort of security. Also, depending on your application, you will see that there is no way to effectively "log out". Most browsers remember the username/password for the entire session, and send it with every subsequent request.
This is basic http authentification. You could find a tutorial on the php.net page: http://www.php.net/manual/en/features.http-auth.php
It is basically a http header, that you have to send to the browser. The http server (apache/nginx) will forward the userdata afterwards to php like any other $_SERVER parameter.
Currently, for authentication for my Facebook App, I'm doing the following in PHP:
if($_GET["code"] == null)
{
Header("Location: https://graph.facebook.com/oauth/authorize?
client_id=[MY_APP_ID]&
redirect_uri=[THIS_CURRENT_URL]&
scope=publish_stream");
exit();
}
else if($_GET["access_token"] == null)
{
$code = $_GET["code"];
Header("Location: https://graph.facebook.com/oauth/access_token?
client_id=[MY_APP_ID]&
redirect_uri=[THIS_CURRENT_URL]&
client_secret=[MY_APP_SECRET]&
code=$code");
exit();
}
else
{
echo($_GET["access_token"]);
}
Is this safe/proper? Couldn't a malicious user just "intercept" the redirects and see my App ID and App Secret?
This is the textbook definition of unsafe. The Location: header, like all headers, is sent to the user's browser, with the explicit purpose of making that data known to the user's browser. The content of the header will be available to any user running a debugging proxy (like Charles or FireBug) and, I strongly suspect, in the browser's address bar as well.
It's perfectly acceptable to send data this way if the user is allowed to see that data (this is often the case for single sign on applications), but the application secret is almost certainly not acceptable.
Consider using curl for connecting directly to the Facebook server instead.