{"id":32,"date":"2005-07-30T12:48:13","date_gmt":"2005-07-30T17:48:13","guid":{"rendered":"http:\/\/pessoal.org\/blog\/?p=32"},"modified":"2005-07-30T12:52:33","modified_gmt":"2005-07-30T17:52:33","slug":"http-authentication-and-microsoft-iis-php-isapi-module","status":"publish","type":"post","link":"https:\/\/pessoal.org\/blog\/2005\/07\/30\/http-authentication-and-microsoft-iis-php-isapi-module\/","title":{"rendered":"HTTP Authentication and Microsoft IIS \/ PHP ISAPI module"},"content":{"rendered":"<p>Eventum has a feature to provide RSS feeds of custom filters, which is basically a way to save advanced search parameters into a special URL that you can call out to check on results. Pretty useful feature, and a lot of people use that. However, we can&#8217;t simply have an open window into a potentially confidential database of issues\/bugs\/tickets, so the RSS feed script authenticates the user with HTTP Auth, with the <a href=\"http:\/\/www.php.net\/manual\/en\/features.http-auth.php\">usual PHP way<\/a> of doing things:<\/p>\n<p><code>&lt;?php<br \/>\nif (!isset($_SERVER['PHP_AUTH_USER'])) {<br \/>\n    header('WWW-Authenticate: Basic realm=\"My Realm\"');<br \/>\n    header('HTTP\/1.0 401 Unauthorized');<br \/>\n    echo 'Text to send if user hits Cancel button';<br \/>\n    exit;<br \/>\n} else {<br \/>\n    echo \"Hello {$_SERVER['PHP_AUTH_USER']}.\";<br \/>\n    echo \"You entered {$_SERVER['PHP_AUTH_PW']} as your password.\";<br \/>\n}<br \/>\n?&gt;<\/code><\/p>\n<p>Everything works fine most of the time, but we started getting reports of problems from Microsoft IIS users. It turns out that PHP doesn&#8217;t automagically set up the PHP_AUTH_* variables for you in some cases, and there&#8217;s even a quick mention of that in the documentation:<\/p>\n<blockquote><p>\nAnother limitation is if you&#8217;re using the IIS module (ISAPI) and PHP 4, you may not use the PHP_AUTH_* variables but instead, the variable HTTP_AUTHORIZATION is available. 
For example, consider the following code: list($user, $pw) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));\n<\/p><\/blockquote>\n<p>However, that wasn&#8217;t true for a Microsoft IIS 6.0 server that had PHP configured as an ISAPI module. Instead of getting a $_SERVER['HTTP_AUTHORIZATION'] variable like that, the user would get this when doing var_dump($_SERVER):<\/p>\n<p><code>array(30) {<br \/>\n[\"ALL_HTTP\"]=>  string(985) \"HTTP_CONNECTION:keep-alive<br \/>\nHTTP_KEEP_ALIVE:300<br \/>\nHTTP_ACCEPT_CHARSET:ISO-8859-1,utf-8;q=0.7,*;q=0.7<br \/>\nHTTP_ACCEPT_ENCODING:gzip,deflate HTTP_ACCEPT_LANGUAGE:en-us,en;q=0.5<br \/>\nHTTP_AUTHORIZATION:Basic ********************************************\"<br \/>\n}<br \/>\n<\/code><\/p>\n<p>So instead of simply using the $_SERVER variables, I had to manually handle the HTTP environment variables and get the proper value:<\/p>\n<p><code>if ((!empty($_SERVER['ALL_HTTP'])) && (strstr($_SERVER['ALL_HTTP'], 'HTTP_AUTHORIZATION'))) {<br \/>\n    \/\/ IIS ISAPI: pull the Basic credentials out of the raw ALL_HTTP header block<br \/>\n    preg_match('\/HTTP_AUTHORIZATION:Basic (.*)\/', $_SERVER['ALL_HTTP'], $matches);<br \/>\n    if (count($matches) > 0) {<br \/>\n        \/\/ limit of 2: split on the first ':' only, since the password may contain ':'<br \/>\n        $pieces = explode(':', base64_decode($matches[1]), 2);<br \/>\n        if (count($pieces) == 2) {<br \/>\n            $_SERVER['PHP_AUTH_USER'] = $pieces[0];<br \/>\n            $_SERVER['PHP_AUTH_PW'] = $pieces[1];<br \/>\n        }<br \/>\n    }<br \/>\n}<br \/>\n<\/code><\/p>\n<p>That will do the trick.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Eventum has a feature to provide RSS feeds of custom filters, which is basically a way to save advanced search parameters into a special URL that you can call out to check on results. Pretty useful feature, and a lot of people use that. 
However, we can&#8217;t simply have an open window into a potential [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,9],"tags":[],"_links":{"self":[{"href":"https:\/\/pessoal.org\/blog\/wp-json\/wp\/v2\/posts\/32"}],"collection":[{"href":"https:\/\/pessoal.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pessoal.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pessoal.org\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pessoal.org\/blog\/wp-json\/wp\/v2\/comments?post=32"}],"version-history":[{"count":0,"href":"https:\/\/pessoal.org\/blog\/wp-json\/wp\/v2\/posts\/32\/revisions"}],"wp:attachment":[{"href":"https:\/\/pessoal.org\/blog\/wp-json\/wp\/v2\/media?parent=32"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pessoal.org\/blog\/wp-json\/wp\/v2\/categories?post=32"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pessoal.org\/blog\/wp-json\/wp\/v2\/tags?post=32"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}