views:

34

answers:

4

The variables $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] are returned as empty because of the setup my hosting has (running on a CGI interface). Is there any workaround to get them to work, as I need to use them for auth? I can't move hosting or change the interface.

I am sending auth requests via curl to a URL /api/projects/... which is interpreted by mod_rewrite and then processed according to the rules.

When I try this on my localhost running MAMP, or on my other hosting (not using the CGI interface), it works ok, but on the server I need it to run on, the variables are dropped!

Can someone help me please?

+2  A: 

As per the manual, those variables are only available when PHP runs as an Apache module. http://php.net/manual/en/features.http-auth.php

You can try talking to your hosting provider and see if they can make them available to you when CGI dispatches the request.

Andrei Serdeliuc
I should have checked that. Unfortunately they can't make them available to me. Do you know if it is possible to use a workaround similar to here: http://planetozh.com/blog/2009/04/http-authentication-on-php-as-cgi-like-dreamhost/
Designer023
It really depends which environment variables are made available to you. A starting point might be `print_r($_SERVER)` and check what CGI is making available to you.
Andrei Serdeliuc
Internal requests could be handled using REMOTE_ADDR? If REMOTE_ADDR is the ip address of the server you are running on, then you can assume it's an internal request. This does pose a security issue, as someone on the same server as you could make requests that look internal.
Andrei Serdeliuc
Ah ok I will have a look into this. Does that mean I can use curl in a script in one dir to use the API in another dir? Where would the REMOTE_ADDR be used? Sending or receiving? Sorry I ask so many q's, I am in over my head!
Designer023
It's not necessarily a "directory" issue as much as it is handling the requests properly, you could have a script call itself using curl if you wanted based on conditions, same rules would apply. You need to check originating ip of the request. Something like this: `if($_SERVER['SERVER_ADDR'] == $_SERVER['REMOTE_ADDR'])`
Andrei Serdeliuc
Must be some kind of internal blocking going on, not sure what, because if I change the API link to point to the identical API I have on another server, it works ok. Maybe it's not handling my requests quite right!
Designer023
+1  A: 

According to the docs, those two variables are not available in CGI mode.

The HTTP Authentication hooks in PHP are only available when it is running as an Apache module and is hence not available in the CGI version.

However, take a delve into the User Contributed Notes. There are a number of workarounds people claim to have had success with, e.g. this one. Maybe worth checking out.

Pekka
That one has half fixed the problem, thank you. For some reason now it works accessing it from an external location, i.e. from my localhost I can call the API and get a response, but from the server to the API in another dir it fails! Strange! I will keep looking!
Designer023
A: 

If it's for automated usage, there is no need to use HTTP auth at all. Just send a secret token as the credentials:

http://example.com/service.php?auth=A235BDA74456CC3
Col. Shrapnel
A: 

The Apache web server blocks the HTTP_AUTHORIZATION environment variable for CGI apps by default, which is what PHP uses to populate PHP_AUTH_USER/PASS. This behaviour can be turned off by recompiling Apache with the SECURITY_HOLE_PASS_AUTHORIZATION flag set.

The “security hole” is that any other users on a shared server will be able to see the passwords of users authenticating with your site. Whether that's actually a security hole for you depends; often not.

If you are on a cheapo shared server chances are you are not going to get the chance to recompile Apache.

Do you know if it is possible to use a work around similar to here

Yes, it should do, if you have mod_rewrite available. (The caveats about it being potentially a “security hole” still apply.)

It is, however, ugly, and complicates deployment. Also there are a few problems with the example script given (the use of explode discards any : characters in the password, and the echos without proper use of htmlspecialchars() introduce an XSS vulnerability.)

This kind of nonsense is one of the reasons HTTP Authentication is increasingly unpopular. Most sites deploy form/cookie-based auth instead. For an API you would typically have your own token-based auth instead of relying on Basic Authentication.

bobince
I can't recompile but I do have mod_rewrite available. I have used this so far which seems to work: `RewriteCond %{HTTP:Authorization} ^(.*)` followed by `RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]`. If I can somehow get it to send requests to its own API in a different dir I will be made up! :D Thanks for the detail of your answer. Makes a lot of sense now.
Designer023
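Putting the mod_rewrite workaround from the comment above together with bobince's two caveats, as an added example that is not code from any of the posts: the rewrite rule copies the Authorization header into an environment variable, and the PHP side decodes it, splits on the first colon only (so passwords containing ':' survive), verifies against a hashed user table with a constant-cost fallback, and escapes anything echoed back. The `REDIRECT_HTTP_AUTHORIZATION` fallback covers Apache's habit of prefixing environment variables after an internal redirect; the user table and its password are constructed for the example.

```php
<?php
// .htaccess (Apache + mod_rewrite): copy the Authorization header into an
// environment variable, since Apache withholds HTTP_AUTHORIZATION from CGI.
//   RewriteEngine On
//   RewriteCond %{HTTP:Authorization} ^(.*)
//   RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]

// Constructed user table: username => password_hash(). Not real credentials.
$users = ['api-client' => password_hash('s3cret:with:colons', PASSWORD_DEFAULT)];
// Dummy hash verified for unknown users so timing does not reveal valid names.
$dummyHash = password_hash('dummy', PASSWORD_DEFAULT);

// Recover Basic credentials under CGI. Returns [user, pass] or null.
function cgi_basic_credentials(array $server): ?array
{
    // After an internal redirect Apache prefixes env vars with REDIRECT_.
    $header = $server['HTTP_AUTHORIZATION']
        ?? $server['REDIRECT_HTTP_AUTHORIZATION']
        ?? '';
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Limit 2: only the first ':' splits user from password, so ':' in it survives.
    return explode(':', $decoded, 2);
}
// Returns the authenticated username, or null on failure.
function authenticate(array $server, array $users, string $dummyHash): ?string
{
    $creds = cgi_basic_credentials($server);
    if ($creds === null) {
        return null;
    }
    [$user, $pass] = $creds;
    $known = isset($users[$user]);
    $ok = password_verify($pass, $known ? $users[$user] : $dummyHash);
    return ($ok && $known) ? $user : null;
}

$who = authenticate($_SERVER, $users, $dummyHash);
if ($who === null) {
    header('WWW-Authenticate: Basic realm="api"');
    header('HTTP/1.0 401 Unauthorized');
    exit('Authentication required');
}
// Escape before echoing: the username is client-supplied input.
echo 'Hello, ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8');
```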