{"id":423,"date":"2008-03-18T00:24:06","date_gmt":"2008-03-17T23:24:06","guid":{"rendered":"http:\/\/wp.devco.net\/?p=423"},"modified":"2009-10-09T14:01:48","modified_gmt":"2009-10-09T13:01:48","slug":"nasty_php_authentication_handling","status":"publish","type":"post","link":"https:\/\/www.devco.net\/archives\/2008\/03\/18\/nasty_php_authentication_handling.php","title":{"rendered":"Nasty PHP Authentication Handling"},"content":{"rendered":"
Sometimes you come across things that just make you wonder what is going on in people's minds.
For years, everyone who wrote applications compatible with the standard HTTP Authentication method has used the REMOTE_USER server variable, as set by Apache, to check the username that was logged in by the webserver. This has worked well for everyone: CGIs and all would just grab it there and everyone would be happy.
Along comes PHP and they make a great big mess of it. PHP suggests that we use $_SERVER['PHP_AUTH_USER'] instead, and they give some good reasons for this too, except they have severely crippled this for all but Basic and Digest authentication. See the following code from main/main.c:

    char *pass;
    char *user;

    if (auth && auth[0] != '\0' && strncmp(auth, "Basic ", 6) == 0) {
        user = php_base64_decode(auth + 6, strlen(auth) - 6, NULL);
        if (user) {
            pass = strchr(user, ':');
            if (pass) {
                *pass++ = '\0';
                SG(request_info).auth_user = user;
                SG(request_info).auth_password = estrdup(pass);
                ret = 0;
            } else {
                efree(user);
            }
        }
    }

As you can see above, they only import the user and pass from Apache if the AuthType is Basic, which makes no sense at all. Why not just check with Apache: if it set the username, then import it? Surely Apache knows whether a user has authenticated? Ditto for the password. It is so broken, in fact, that PHP in CGI mode also doesn't work, since those headers don't get set in that case either. Countless comments and nasty hacks can be found in the PHP user contributed notes about this, but it is all just silliness.

The reason this is annoying me is that I have written a Single Sign-On system in PHP: you can host an identity server on any domain and hook any site in any other domain into the SSO system. It's a bit like TypeKey.