I ran into a problem with my PHP code and after extensive discussions on the PHP forum we decided that this must be an Apache issue. I have a directory configured with MySQL authentication, I have a link on an unprotected page that goes to a frameset in the protected directory. Clicking on that link brings up the authentication prompt as expected and either clicking cancel or entering too many incorrect passwords brings up the 401 error. Clearly the authentication itself is working properly. When the correct credentials are entered, the frameset is displayed but incorrectly. The top frame is a PHP page that uses '$_SERVER["PHP_AUTH_USER"]' and the value is not set. Doing a 'print_r' of '$_SERVER' shows that none of the 'PHP_AUTH_*' variables are set nor is 'REMOTE_USER'. In fact there are no variables set that identify the authenticated user and that is my problem. There are no errors in the PHP logs nor in the Apache logs. With no errors anywhere, I don't know how to debug this problem. Can someone tell me how I can get Apache to give me more information about setting the '$_SERVER' array or suggest a way to debug this? TIA.
I have made a discovery while trying some desperation things. I have determined what the problem is but not how to fix it. This directory also forces SSL, so I have a .htaccess in the protected directory with the following rewrite rules:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

This is apparently the crux of the problem. If I disable these rules the values get filled in correctly. So the question now becomes: how do I fix these rules so they do not prevent the needed variables from being set?
Further investigation indicates it is not the rewrite rule per se that is causing the problem but rather SSL in general. When I remove the rewrite rule and use an https URL directly, not only are the variables not set but the login prompt doesn't come up and the user is allowed in without authenticating. This looks like a serious security problem now.
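As an added configuration example, not the poster's own setup: the first layout below reproduces the behaviour described in this post (challenge over http, nothing enforced over https), and the second is the corrected layout, assuming Apache httpd with mod_authn_dbd doing the MySQL lookup. The hostname, paths, certificate files and database settings are placeholders.

```apache
# Added example, not the poster's configuration; hostname, paths, cert files
# and DBD settings are assumptions. Shared by both layouts below:
DBDriver mysql
DBDParams "host=localhost,dbname=site,user=httpd,pass=PLACEHOLDER"
# --- Layout that reproduces the symptom ------------------------------------
# Auth exists only in the :80 vhost. A .htaccess RewriteRule runs in the
# fixup phase, AFTER authentication: the browser is challenged over plain
# http (password in clear), then redirected to :443, where /protected has
# no auth block, so REMOTE_USER and PHP_AUTH_USER are never populated.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html
    <Directory /var/www/html/protected>
        AuthType Basic
        AuthName "Members"
        AuthBasicProvider dbd
        AuthDBDUserPWQuery "SELECT password FROM users WHERE username = %s"
        Require valid-user
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    # no <Directory /var/www/html/protected> here: served unauthenticated
</VirtualHost>
# --- Corrected layout ------------------------------------------------------
# The :80 vhost only redirects (mod_alias Redirect runs at URI translation,
# before any auth phase); the auth block lives in the vhost serving the files.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent /protected https://www.example.com/protected
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    <Directory /var/www/html/protected>
        AuthType Basic
        AuthName "Members"
        AuthBasicProvider dbd
        AuthDBDUserPWQuery "SELECT password FROM users WHERE username = %s"
        Require valid-user
    </Directory>
</VirtualHost>
```

A quick check after reloading is to request the protected URL over https without credentials and confirm a 401 comes back before the frameset is ever served.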
One thing that I would look into is if cookies are being set. If the cookies do not have the https flag set, they will not carry over to the https and you will not get proper auth.
I don't understand. Cookies are on the client side. There should be nothing on the client side that can circumvent the server-side security. Why would the fact that SSL is being used somehow bypass authentication, and what would that have to do with client-side activity?