repos
/
httpauth
/ annotate_shade
summary
|
shortlog
|
log
|
tree
|
commit
|
commitdiff
|
headdiff
|
annotate
|
headblob
|
headfilediff
|
filehistory
normal
|
plain
|
shade
|
zebra
*ahem* Use the correct input type for the username text box.
Annotate for file /login.php
2010-10-27 pix
1
<?php
04:18:01 '
2
'
3
if ('GET' === $_SERVER['REQUEST_METHOD']) {
'
4
header('HTTP/1.1 200 Log In Optional');
'
5
header('WWW-Authenticate: Basic Realm="Form-Based HTTP Auth Test"', false, 200);
'
6
} else {
'
7
/* When authenticating, always check the POSTed credentials, and only if no
'
8
credentials were posted check the HTTP Auth credentials. There are several
'
9
edge cases which will result in there being both a set of POST credentials
'
10
and a set of HTTP credentials, and the two may not necessarily be the same.
'
11
Any time you get both, the POST credentials are the ones you can expect to
'
12
be the ones most recently supplied by the user.
'
13
'
14
You should also keep this in mind when dealing with actual sessions: just
'
15
because you're getting HTTP Auth credentials from the browser doesn't mean
'
16
you /should/ be. Not being able to tell the browser to forget credentials
'
17
is a real drag--if you're getting both HTTP Auth and a session cookie,
'
18
you've got to trust the cookie over the HA. */
'
19
$username = array_key_exists('username', $_POST) ? $_POST['username'] : $_SERVER['PHP_AUTH_USER'];
'
20
$password = array_key_exists('password', $_POST) ? $_POST['password'] : $_SERVER['PHP_AUTH_PW'];
'
21
}
'
22
'
23
?><!doctype html>
'
24
<html>
'
25
<head><title>Form-based HTTP Auth Login Test</title></head>
'
26
<body>
'
27
<h1><?php
'
28
if ('authenticate' === $username && 'successfully' == $password) {
'
29
echo "Auth Success!";
'
30
} elseif ($username || $password) {
'
31
echo "Auth Failure!";
'
32
} else {
'
33
echo "Form-based HTTP Auth Login Test";
'
34
}
'
35
?></h1>
'
36
'
37
<?php if ('POST' === $_SERVER['REQUEST_METHOD']) { ?>
'
38
<p>Have your credentials and some XSS.</p>
'
39
<p>Attempted to auth with <q><?php echo $username; ?></q> and <q><?php echo $password; ?></q>.</p>
'
40
<pre>HTTP Username: <?php echo $_SERVER['PHP_AUTH_USER'] . "\n"; ?>
'
41
HTTP Password: <?php echo $_SERVER['PHP_AUTH_PW'] . "\n"; ?>
'
42
POSTED: <?php print_r($_POST); ?></pre>
'
43
<?php } else { ?>
'
44
<p>For a successful authentication, try username "authenticate" with password "successfully". For a failing authentication, try username "fail" with password "whale".</p>
'
45
<?php } ?>
'
46
'
47
<form action='/login.php' method='post' class='http-authentication'>
2010-10-28 pix
48
<label for='theusername'>Username: <input type='text' name='username' id='theusername'></label>
2010-10-27 pix
49
<label for='thepassword'>Password: <input type='password' name='password' id='thepassword'></label>
04:18:01 '
50
<button type='submit' name='authme' value='yea'>Authenticate Me!</button>
'
51
</form>
'
52
'
53
<script src='/jquery.js'></script>
'
54
<script src='/form-to-http-auth.js'></script>
'
55
</body>
'
56
</html>