Test For Password Protected Folder - php

How do I use PHP to check whether a folder is password protected or not? I am using a PHP script that checks for return codes 401 and 403, but when it runs into a folder that is password protected it recognizes that it's a 403 but does not allow the popup box for username and password to display. How do I detect that the folder is password protected so I can tell my script to ignore it?

Actually 403 means forbidden. A password-protected resource would normally return 401 Unauthorized.
You already have the information you need: The HTTP response code (403 or whatever) is how you know that the resource (folder, file) is inaccessible.

You say you already have a script to check if the header code is 401 and 403 and yet you want to know how you can check if a page sends a 403 header?
Perhaps you are talking about the Authentication header.

Assuming the server uses standard HTTP Authentication, the page is password protected if the following conditions are met:
- The response status code is 401.
- The WWW-Authenticate header is present in the response.
Zhihong
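
The two conditions above, as an added example that is not part of the original answer: it classifies the raw header lines of a response, in the format PHP's get_headers() returns, and runs on constructed sample responses. The helper name classifyProtection() and the sample headers are assumptions.

```php
<?php
// Added example: classify a response from its raw header lines
// (the format returned by get_headers() or $http_response_header).
// classifyProtection() is a hypothetical helper name.

function classifyProtection(array $headerLines): array
{
    $status = null;
    $challenges = [];
    foreach ($headerLines as $line) {
        // When redirects are followed there are several status lines;
        // each one starts a new response, so reset what was collected.
        if (preg_match('#^HTTP/\d(?:\.\d)?\s+(\d{3})#', $line, $m)) {
            $status = (int) $m[1];
            $challenges = [];
        } elseif (stripos($line, 'WWW-Authenticate:') === 0) {
            $challenges[] = trim(substr($line, strlen('WWW-Authenticate:')));
        }
    }
    if ($status === 401 && $challenges !== []) {
        // The scheme is the first token, e.g. "Basic" or "Digest".
        $scheme = strtok($challenges[0], ' ');
        $realm = preg_match('/realm="([^"]*)"/i', $challenges[0], $m) ? $m[1] : null;
        return ['state' => 'password-protected', 'scheme' => $scheme, 'realm' => $realm];
    }
    if ($status === 403) {
        return ['state' => 'forbidden', 'scheme' => null, 'realm' => null];
    }
    return ['state' => $status === null ? 'unknown' : 'other', 'scheme' => null, 'realm' => null];
}

// Constructed sample responses (not captured from a real server).
$samples = [
    'basic auth folder' => ['HTTP/1.1 401 Unauthorized', 'WWW-Authenticate: Basic realm="Members"'],
    'denied folder'     => ['HTTP/1.1 403 Forbidden', 'Content-Type: text/html'],
    'redirect then 401' => ['HTTP/1.1 301 Moved Permanently', 'Location: /private/',
                            'HTTP/1.1 401 Unauthorized', 'WWW-Authenticate: Digest realm="Private", nonce="abc"'],
    'public folder'     => ['HTTP/1.1 200 OK'],
];
foreach ($samples as $name => $lines) {
    $r = classifyProtection($lines);
    printf("%-18s %s %s\n", $name, $r['state'], $r['scheme'] ?? '');
}
```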

Related

Redirect with HTTP 403

I'm using Slim PHP and want to redirect the user to /login if they are not logged in but try to access a page that requires a user to be logged in. When searching for how to build my middleware, I find variations of this code all over the place
    class Auth{
        public function requireLogin(Request $request, Response $response, $next){
            if( !isLoggedIn() ) return $response->withRedirect('/login', 403);
            return $next($request, $response);
        }
    }
for example in this SO answer and this Slim discourse answer.
The problem is that I can't get the combination of redirecting and HTTP 403 to work. From what I can tell, normal HTTP redirects are restricted to the HTTP codes 3xx. Indeed, the above code works fine when used with for example 302.
Am I missing something, or are all the answers that combine withRedirect and 403 "incorrect" (as in not causing an actual redirect of the users browser)?
If your application is an HTML website that's accessed using a web browser, then the browser will only redirect if the status code is a 3xx one.
If your application is an API that's accessed using an HTTP client then you have more leeway. For an API, you'd use a 403 or 401 status code to indicate that the request cannot be fulfilled without authorisation. You may also include a Location header to tell the client where to go to get authorisation, but of course it's up to the client if they follow up on that link.

Change HTTP request authorisation header with PHP or HTML

The quick question is: is there any way to change the HTTP authorisation header with HTML / PHP / JavaScript?
The goal
I'd like to make an auth service used for user login as well as providing whole-site protection. I want the user to be restricted from viewing any file except the login page unless authorised. For PHP I can of course check at the beginning for, for example, session token availability, and redirect if missing, but I can't do it directly for, for example, jpg images. I thought of creating an htaccess file that will verify if the user is logged in.
The solution
1. Using Apache I've created .htaccess file, that verifies, if HTTP authorisation is set. If not it redirects any request to login page. With that solution one can not open any file (no matter if it is php script or for example jpg image) except of the login page:
    RewriteCond %{HTTP:Authorization} ^$
    RewriteCond %{REQUEST_URI} !^/login.php
    RewriteRule .* /login.php [L,R]
2. The login page should display form and when login and password are correct set the http request auth header with proper token.
Unfortunately I can't find a way to create manually http request auth header. The only way I found was to use basic auth:
    $auth = new Auth();
    if (!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SESSION)) {
        $auth->logout();
    }
    if (!empty($_SERVER['PHP_AUTH_USER']) && empty($_SESSION)) {
        $login = $_SERVER['PHP_AUTH_USER'];
        $haslo = (!empty($_SERVER['PHP_AUTH_PW']) ? Auth::hashPassword($_SERVER['PHP_AUTH_PW']) : null);
        $auth->login($login, $haslo);
    }
    $auth->getLoginForm();
Where getLoginForm() displays Basic Auth standard form
    public function getLoginForm()
    {
        header(self::HEADER_ERROR_ASK_CLIENT_DATA);
        header(self::HEADER_RESPONSE_401);
        exit;
    }
This solution works, but http request auth header holds the original login data all the time, which is what I want to avoid. I want to inject there "Bearer + token" string, which will help in securing whole system.
What I've tried
I can easily do that with external frontend. For example with windows desktop app I can send one request with basic auth header and the next with bearer header.
The same I can do with JQuery and AJAX - I can retrieve token using url with basic auth, and then use token with custom header for next requests.
I can also make different requests with PHP CURL.
But I can't find a way to force regular browser to login with Basic auth header and after success keep new, custom bearer header for next requests.
There is no standard mechanism to get a User Agent (browser) to provide an Authorization: Bearer header by itself.
What you can do:
- make sure all your requests are done via XHR (Ajax), and send the header there. But this will not allow "regular" file loads (new pages, images, scripts, CSS...).
- what most people do: send a cookie with your authentication token, and check for that cookie. The browser will automatically send the cookie.
As an aside, note that your .htaccess only checks that there is an Authorization header present, not its value, so it's quite useless. You want to channel all reads via a script that will actually verify the header or cookie before delivering the file.
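
The answer's advice to verify a cookie in a script before delivering the file, as an added example that is not code from the original answer. The HMAC-signed token format, the SECRET constant, the auth_token cookie name and all function names are assumptions chosen for illustration; the demo uses a constructed temporary directory.

```php
<?php
// Added example: verify a signed token cookie before delivering a file.
// SECRET, the cookie name and all function names are hypothetical.
const SECRET = 'replace-with-a-long-random-server-side-key';

// Token = "user|expiry|HMAC(user|expiry)"; it never contains the password.
function issueToken(string $user, int $ttl, int $now): string {
    $payload = $user . '|' . ($now + $ttl);
    return $payload . '|' . hash_hmac('sha256', $payload, SECRET);
}

// Returns the user name for a valid, unexpired token, otherwise null.
function verifyToken(string $token, int $now): ?string {
    $parts = explode('|', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[1])) { return null; }
    [$user, $expiry, $mac] = $parts;
    $expected = hash_hmac('sha256', $user . '|' . $expiry, SECRET);
    // hash_equals() compares in constant time.
    return (hash_equals($expected, $mac) && (int) $expiry >= $now) ? $user : null;
}

// Resolve a requested name inside $baseDir; null if missing or outside it.
function resolveProtectedPath(string $baseDir, string $requested): ?string {
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested);
    if ($base === false || $path === false || !is_file($path)) { return null; }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Status the gatekeeper would send; on 200 it would readfile() the path.
function gatekeeperStatus(array $cookies, string $file, string $baseDir, int $now): int {
    $token = $cookies['auth_token'] ?? null;
    if (!is_string($token) || verifyToken($token, $now) === null) { return 401; }
    return resolveProtectedPath($baseDir, $file) === null ? 404 : 200;
}

// Constructed demo: a temporary directory stands in for the protected folder.
$dir = sys_get_temp_dir() . '/protected_demo';
is_dir($dir) || mkdir($dir);
file_put_contents($dir . '/photo.jpg', 'constructed bytes');
file_put_contents(dirname($dir) . '/outside.txt', 'constructed bytes');
$now = time();
$ok = ['auth_token' => issueToken('alice', 3600, $now)];
$forged = ['auth_token' => 'alice|' . ($now + 3600) . '|' . str_repeat('0', 64)];
foreach ([[$ok, 'photo.jpg'], [$forged, 'photo.jpg'], [$ok, '../outside.txt'], [[], 'photo.jpg']] as [$c, $f]) {
    echo $f, ' => ', gatekeeperStatus($c, $f, $dir, $now), "\n";
}
```

In a deployment, a rewrite rule would route every request for a protected file to a script built on gatekeeperStatus(), and the cookie would be set with the Secure and HttpOnly flags.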

Request Response with PHP front-end and back-end

Currently, I have a client application sending requests (POST) to my local server. Basically a login form.
Now I would like for my local server, implemented in PHP, to send a response back to the client telling the client what errors were found...
Here is what I do to generate a response:
    HttpResponse::setData('Incorrect Length for Password');
    HttpResponse::send();
But nothing is in the response table in Chrome's debugger tools (Response) column.
I am able to successfully manipulate the header to redirect the user back to the login if there was no match within the database for said username and password combination:
    header( 'Location: http://localhost:8080/iSchedj/index.php');
But this is all I can do... Just redirect... And I think this is not the way I am supposed to be redirecting. I feel that the client should be redirecting with respect to the response sent from the server to the client and have the client handle redirecting the user. I am quite new to web development.
HttpResponse is only available when using pecl_http. The default way to output content with PHP is to simply echo it. On rare occasions you might want to exit processing after some content; you could use die for that.
either:
    echo 'Incorrect Length for Password';
or:
    die('Incorrect Length for Password');
You also might want to add error reporting into your PHP file, preferably at the beginning:
    ini_set('display_startup_errors',1);
    ini_set('display_errors',1);
    error_reporting(-1);
This should only be considered for developing though.

sending a response from a php script to iOS

I am creating an iPhone app which sends a username and password to a PHP script. The PHP script then looks in a MySQL database for the values and sets a boolean to either 0 or 1, depending on whether or not the user should be authenticated. I really have no idea where to start or even what I should Google to look into how to do this.
Is this feasible?
Is this the proper way to authenticate a user in an iOS app?
Thanks!
There are various types to achieve this.
a) Generate an XML or JSON file in PHP, and read the content back in iOS. (this method gives you the benefit of fetching any extra data if you want).
b) Send back HTTP header() from PHP, and read the HTTP response code. You can do something like this:
    function checkLogin(bool $login)
    {
        // $login is the result of your login check
        if ($login) {
            header('HTTP/1.1 200 OK');
        } else {
            header('HTTP/1.1 401 Unauthorized');
        }
    }
c) You can output anything in PHP(plain text, JSON, HTML etc.), as the output generated by PHP will be received as HTTP response.
Anything the PHP script outputs will be returned as the HTTP response. Simply output something meaningful, and read it in the client.
The simplest solution would be to use HTTP status codes. Then you don't even have to care about the response body.
If authenticated: "HTTP 200 OK"
If unauthorized: "HTTP 401 Unauthorized"
Resource: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
You can write a php script like this:
    <?php
    // The authentication procedure stores the result of the authentication
    // process in $authentication; it is supposed to be 1 if successful.
    echo $authentication;
    ?>
Call this script from your iOS by using an NSURLRequest object for example.
P.S.: However, for data exchange between the client and the server you should use the JSON format.

Getting empty result within PHP when in browser I get the JSON exception

I have this code:
    $url="https://graph.facebook.com/me/friends?access_token=".$access_token."&fields=id,first_name,last_name&limit=10";
    $content=file_get_contents($url);
Whenever I use this on a non-authenticated user I should get feedback of OAuthException, which doesn't show up in PHP: $content is empty. While if I copy the URL to the browser I get the result and I see the exception.
I want to detect if the user is logged in and the session data is valid.
What might be wrong?
Maybe Facebook decides whether to respond with exception feedback or with just no response depending on the contents of Accept HTTP header(s) you are sending (file_get_contents sends different HTTP headers than your browser).
