We Keep Coding

Kanboard and reverse-proxy authentication

According the documentation (https://docs.kanboard.org/en/latest/admin_guide/reverse_proxy_authentication.html), i try to configure a simple authentication using the REVERSE_PROXY_USER_HEADER parameter.
For that, i set the parameters (data/config.php) like that !
define('REVERSE_PROXY_AUTH', true);
define('REVERSE_PROXY_USER_HEADER', 'REMOTE_USER');
define('REVERSE_PROXY_DEFAULT_ADMIN', 'admin');
define('REVERSE_PROXY_DEFAULT_DOMAIN', 'my-domain.fr');
I also change the apache2 log format for display my HTTP headers and i can see my 'user-name' in the corresponding log.
My HTTP request is this one :
Host: kbsso.my-domain.fr
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Cookie: KB_SID=g6re22ivihojnle991idmo4vhh; KB_RM=4c14de632e17976bc894b9dd0f273c0415d0fef620b62b00bc8e782084775a97%7Cf47e8c6b8ab3721c60dd32fbc4ed129fedbeafc388ff66b3c9933e28c08d
Upgrade-Insecure-Requests: 1
REMOTE_USER: ex.valere.viandier
Pragma: no-cache
Cache-Control: no-cache
So, my problem is...
When REVERSE_PROXY_AUTH is set to true, the controller show me the login screen but if i try to loggin, i receive an "Access denied" HTML page.
When REVERSE_PROXY_AUTH is set to false, the controller show me the login screen and, using the same user account, i can access to kanboard.
The documentation say :
Your reverse proxy authenticates the user and send the username through a HTTP header.
Kanboard retrieve the username from the request
The user is created automatically if necessary
Open a new Kanboard session without any prompt assuming it’s valid
I try with existing and non-existing user but i have the same problem.
I try with v1.2.5, v1.2.8 but no way...
Do you know an issue ?
Thx a lot
Valère

PHP SAML Post Variable Not Showing After Redirect

I'm working with a SSO Saml authentication flow which looks as follows:
User sends SAMLRequest
User is redirected to IdP login page
User submits login details
IdP authenticates and redirects to my consumer assertion processing page
Access token extracted and submitted for a token to interact with API
I'm stuck on step 5. In fiddler, I can see the request header being sent with the required SAMLResponse posted, but it does not show in $_POST, $_GET and I've tried file_get_contents('php://input'). The response is the result of a 301 redirect.
The incoming header request with the required SAMLResponse redirected (301) to my assertion consumer page looks as follows. I can't figure out how to extract the posted parameter SAMLResponse?
POST http://localhost/xxxxxxxxxxx
Host: localhost
Connection: keep-alive
Content-Length: 7710
Cache-Control: max-age=0
Origin: null
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: optimizelyEndUserId=oeu1463724346007r0.9674156716176872; ajs_anonymous_id=%22c336991a-286a-4278-8cb2-3d00d784f376%22; optimizelySegments=%7B%225943211328%22%3A%22direct%22%2C%225934960299%22%3A%22false%22%2C%225952160221%22%3A%22gc%22%7D; optimizelyBuckets=%7B%7D; ajs_user_id=null; ajs_group_id=null; _ga=GA1.1.1336717339.1458634274; PHPSESSID=imtffdda2a6g576rtd0vpb8ro2
SAMLResponse=xxxxxxxxxxxxxxxx
I've been scanning the web for a week but have not found a solution. Thanks in advance for any help.

It turns out I was missing a trailing / on my consumer assertion url which of course meant the server was redirecting to index.php resulting in the loss of post vabriables.

Understanding how XMLHttpRequest sends data to a server

I haven't understand data transfer to the server completely. Which ways do I have? When I started learning PHP, I thought there are two ways called GET which encrypts data in the URL and POST which sends data in another way to the server. I didn't know where exactly, though.
Now I want to learn about RESTful server backends, and I learned that GET and POST are just request methods, among others like PUT and DELETE, which doesn't seem to have anything to do with how data is transferred to the server.
Moreover, I read that additional data can be sent in the HTTP header. Is this how POST actually sends its data or is there even a difference?
I would like to either read POST data regardless of the request method using PHP's $_POST array, but this doesn't work. On the other hand, when I try to manually parse the header information from php://input, I cannot see POST data. Could someone please explain to me where data is transferred in the different cases?
My goal is to get parameters from the client regardless of content type, which may be form-data, json or something other, and request method. How can I do this in PHP? Requests will be sent using JQuery's AJAX functionality.

To explain how does http work using nc
http://linux.die.net/man/1/nc
GET
$ nc -l 8888 to start a dummy server listen at 8888
send a GET request using jQuery (impl via XHR)
$.get("http://localhost:8888", { a :1 ,b: 2})
nc would print what XHR sent to server to stdout
$nc -l 8888
GET /?a=1&b=2&_=1383234919249 HTTP/1.1
Host: localhost:8888
Connection: keep-alive
Accept: */*
Origin: http://stackoverflow.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
DNT: 1
Referer: http://stackoverflow.com/questions/19710815/understanding-how-xmlhttprequest-sends-data-to-a-server
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4
thus, PHP parse GET /?a=1&b=2&_=1383234919249 into $_GET
POST
using nc to recording POST
POST / HTTP/1.1
Host: localhost:8888
Connection: keep-alive
Content-Length: 7
Accept: */*
Origin: http://stackoverflow.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://stackoverflow.com/questions/19710815/understanding-how-xmlhttprequest-sends-data-to-a-server
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4
a=1&b=2
here you can see Content-Type: application/x-www-form-urlencoded
,which tell the http body sent by browser is form encoded
as a result, PHP parse a=1&b=2 in to array $_POST
WHY php://input can't see POST BODY
according to http://php.net/manual/en/wrappers.php.php
php://input is a stream and can be read only once
below is from php doc
Note: A stream opened with php://input can only be read once; the
stream does not support seek operations. However, depending on the
SAPI implementation, it may be possible to open another php://input
stream and restart reading. This is only possible if the request body
data has been saved. Typically, this is the case for POST requests,
but not other request methods, such as PUT or PROPFIND.

Display HTTP Response on Webpage using PHP

I am looking to put together a website that displays the full HTTP Request Headers and HTTP Response Headers for the loading of the page itself. For instance. If someone browses to http://example.com/index.php , I want the following to display:
HTTP Request
GET /index.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
HTTP Response
HTTP/1.1 200 OK
Date: Mon, 21 Dec 2011 10:20:46 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 1169
Connection: close
Content-Type: text/html; charset=UTF-8
We were able to get the Request header to display fairly simply using the following PHP code:
print $_SERVER['REQUEST_METHOD']." ".$_SERVER['REQUEST_URI']." ".$_SERVER['SERVER_PROTOCOL']."<br>";
foreach (apache_request_headers() as $name => $value)
echo "$name: $value<br>";
But are having some difficulties with the HTTP Response header. Anyone have any ideas of how we can do this? It does not have to be PHP if you have a method that works in Perle or CGI or whatever.
To be clear, I don't mean to set the HTTP Response to anything specific, only display the response served by the web server to load the page.

You want to use headers_list()
http://www.php.net/manual/en/function.headers-list.php
headers_list() will return a list of headers to be sent to the browser / client. To determine whether or not these headers have been sent yet, use headers_sent().

Well here is the issue, the response header is generated after the PHP (or any server-side language for that matter) has already completed its job.
To put it in english its like the post man handing you a letter and you asking him to explain how the process of handing you the letter went. He will probably just look at you dumb.
You will need a client-side language (ie. JavaScript) to perform this task.

Use PHP to get the headers sent to the web Server.
http://www.php.net/manual/en/function.apache-request-headers.php
Use JavaScript to get headers sent by the web server. I would suggest using jQuery for that.
http://api.jquery.com/jQuery.ajax/#jqXHR
This way you are sure that you get all the headers which are either received by the web server or the browser.

Check out get_headers in PHP Manual

How does PHP access information about the client's browser?

How is it possible for client browser data to be saved in an array in PHP?
PHP runs on the server side, so I don't understand how it has access to information about the client's browser.

User agent data is usually sent with every HTTP requests, in the User-Agent HTTP header field. You might want to read up on HTTP message formats in general. For example, this is part of the HTTP request that my browser sent to load jQuery on this very page:
GET http://ajax.googleapis.com/ajax/libs/jquery/1.5.2/jquery.min.js HTTP/1.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Connection: keep-alive
If-Modified-Since: Fri, 01 Apr 2011 21:23:55 GMT
Accept-Charset: UTF-8,*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
PHP reads the client browser data that you're asking about from the User-Agent header field.

The client sends data to the server which the server uses to build the array (I'm assuming you're talking about $_GET, $_POST, $_SERVER, etc.)

You will find it here
$_SERVER['HTTP_USER_AGENT']
You may need to parse this by regex to get the browser name and version separately.

$_REQUEST
An associative array that by default contains the contents of $_GET, $_POST and $_COOKIE.

The data is submited by the browser when a new page is requested, PHP just puts it into an array for your convenience.
You should start by reading a bit about HTTP (GET and POST to begin with), and HTTP headers.