PHP_AUTH_* and HTTP_AUTHORIZATION?

When the server sends out a WWW-Authenticate header combined with a
401 response code, you get prompted for a username / password.

On some servers, this username and password are then saved in
$_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']. On others,
however, they aren't. So why, on these servers, isn't the value saved
in $_SERVER['HTTP_AUTHORIZE']? The authorize header in the HTTP
response is the header that contains the info that, anyway.

eg. Authorization: Basic YXNkZjphc2Rm

....which base64_decode()'s to 'asdf:asdf'.

It seems that most any header in the HTTP request is added to $_SERVER
via HTTP_* (even made up ones), so why is Authorize different?

Re: PHP_AUTH_* and HTTP_AUTHORIZATION?

On 21 Dec, 19:58, yawnmoth wrote:
> When the server sends out a WWW-Authenticate header combined with a
> 401 response code, you get prompted for a username / password.
>
> On some servers, this username and password are then saved in
> $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']. On others,
> however, they aren't. So why, on these servers, isn't the value saved
> in $_SERVER['HTTP_AUTHORIZE']? The authorize header in the HTTP
> response is the header that contains the info that, anyway.
>
> eg. Authorization: Basic YXNkZjphc2Rm
>
> ...which base64_decode()'s to 'asdf:asdf'.
>
> It seems that most any header in the HTTP request is added to $_SERVER
> via HTTP_* (even made up ones), so why is Authorize different?

Because HTTP only defines how the webserver and browser negotiate
authentication - not what gets passed via CGI/other API.

(BTW you should never use BASIC authentication over a non-SSL
connection - use digest instead - but this still won't protect against
MITM attacks)

C.