HTTP Authentication with PHP causes error 500

Raga · 22nd July 2003, 10:36 PM

Straight from PHP.Net:

Code:

<?php
  if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
  } else {
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
  }
?>

Here's the outcome: http://www.ragadesign.com/authenticate.php .

The "header('HTTP/1.0 401 Unauthorized');" bit causes error 500. Any clues to what's the issue? It works fine in my Apache / Windows text box, and it works fine in one Apache / Linux box I tried it with.

Are you using a CGI version of PHP, or what's the issue?

Oh yes, on error 500, a peculiar issue I noticed:

http://www.ragadesign.com/whatever.php

This non-existing page gives me error 500, though one'd expect error 404.

http://www.ragadesign.com/whatever.html

This non-existing page gives me 404 as always.

Am I missing something here? Is something messed up with my configuration (I haven't done any) or is it a server config issue?

Raga · 23rd July 2003, 10:28 PM

I am seriously thinking this is a server configuration issue. Should I open a ticket for it, or can someone resolve it here?

UH-Simon · 23rd July 2003, 11:02 PM

Your sites have been added as High Security. Having them set like this causes alot of server systems (such as PHP) not to work. I have changed your main site ragadesign.com to a Normal (3.1 compat) security site and the problem seems to be resolved.

Raga · 24th July 2003, 02:40 AM

Interesting. So 3.1 is the recommended setting for people who want to keep everything functional? What's the difference between 3.1 compatibility and Low Security?

Quote:

High Security:
High security allows safe remote access ( Telnet,SSH ) and CGI scripting environment. This setting secures the site's data from other users on this server and is recommended for shared hosting environments or sites that allow CGI and/or remote access.
Low Security:
Low security allows remote services (Telnet,SSH ) and CGI scripts access to the whole server, including other user's data on the server. This level is recommended only for trusted users, and should not be used in shared hosting environments.
3.1 Compatibility:
3.1 Compatibility should be used only if you are upgrading from WEBppliance 3.1. This allows a site to retain its settings to allow CGI scripts to run without modification.
For further details, refer to the topic 'Overview of Site Security Levels' in the Help Section

All in all I don't quite follow the legend here. How exactly does Low Security allow for example SSH access to the whole server? At any rate the user won't be getting out of his chrooted environment, right?

UH-Simon · 24th July 2003, 09:41 AM

Yes, the low security information is inaccurate. SSH would still be held within the users chroot. We would recommend adding your sites as Normal (3.1 compat).

Raga · 24th July 2003, 12:38 PM

You might want to tweak that popup text to reflect the situation. The 3.1 compatible choice is the last one'd chooce, since it "should be used only if you are upgrading from WEBppliance 3.1", and I think most of us are not doing that.