 1 <?php
 2 
 3 if ('GET' === $_SERVER['REQUEST_METHOD']) {
 4   header('HTTP/1.1 200 Log In Optional');
 5   header('WWW-Authenticate: Basic Realm="Form-Based HTTP Auth Test"', false, 200);
 6 } else {
 7   /* When authenticating, always check the POSTed credentials, and only if no
 8      credentials were posted check the HTTP Auth credentials.  There are several
 9      edge cases which will result in there being both a set of POST credentials
10      and a set of HTTP credentials, and the two may not necessarily be the same.
11      Any time you get both, the POST credentials are the ones you can expect to
12      be the ones most recently supplied by the user.
13 
14      You should also keep this in mind when dealing with actual sessions: just
15      because you're getting HTTP Auth credentials from the browser doesn't mean
16      you /should/ be.  Not being able to tell the browser to forget credentials
17      is a real drag--if you're getting both HTTP Auth and a session cookie,
18      you've got to trust the cookie over the HA. */
19   $username = array_key_exists('username', $_POST) ? $_POST['username'] : $_SERVER['PHP_AUTH_USER'];
20   $password = array_key_exists('password', $_POST) ? $_POST['password'] : $_SERVER['PHP_AUTH_PW'];
21 }
22 
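?><!doctype html>
<html>
<head><title>Form-based HTTP Auth Login Test</title></head>
<body>
<?php
// Every user-controlled value is escaped before it is written into the HTML body.
// Only strings are rendered: a field submitted as an array (username[]=x) comes out
// empty instead of the literal "Array" plus a warning.
$h = static function ($v): string {
  return is_string($v) ? htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') : '';
};
// $username/$password are only assigned on the POST path above; read them defensively
// so a GET request does not trip an undefined-variable warning here.
$username = $username ?? null;
$password = $password ?? null;
?>
<h1><?php
// Strict comparison on both halves; the loose `==` the password check used before is
// replaced so no string-juggling rule can ever apply to the comparison.
if ('authenticate' === $username && 'successfully' === $password) {
  echo "Auth Success!";
} elseif ($username || $password) {
  // Truthiness test as before: a lone "0" counts as "nothing supplied".
  echo "Auth Failure!";
} else {
  echo "Form-based HTTP Auth Login Test";
}
?></h1>

<?php if ('POST' === ($_SERVER['REQUEST_METHOD'] ?? '')) { ?>
<p>Have your credentials and some XSS.</p>
<?php // Test fixture: the submitted credentials are reflected back (escaped) so the
      // form-to-HTTP-auth handoff can be inspected from the page itself. ?>
<p>Attempted to auth with <q><?php echo $h($username); ?></q> and <q><?php echo $h($password); ?></q>.</p>
<pre>HTTP Username: <?php echo $h($_SERVER['PHP_AUTH_USER'] ?? '') . "\n"; ?>
HTTP Password: <?php echo $h($_SERVER['PHP_AUTH_PW'] ?? '') . "\n"; ?>
POSTED: <?php echo $h(print_r($_POST, true)); ?></pre>
<?php } else { ?>
<p>For a successful authentication, try username "authenticate" with password "successfully".  For a failing authentication, try username "fail" with password "whale".</p>
<?php } ?>

<form action='/login.php' method='post' class='http-authentication'>
<label for='theusername'>Username: <input type='text' name='username' id='theusername'></label>
<label for='thepassword'>Password: <input type='password' name='password' id='thepassword'></label>
<button type='submit' name='authme' value='yea'>Authenticate Me!</button>
</form>

<script src='/jquery.js'></script>
<script src='/form-to-http-auth.js'></script>
</body>
</html>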