Initial version
login.php
Wed Oct 27 04:18:01 UTC 2010 pix@kepibu.org
* Initial version
--- old-httpauth/login.php 1970-01-01 00:00:00.000000000 +0000
+++ new-httpauth/login.php 2015-04-15 14:59:12.000000000 +0000
@@ -0,0 +1,56 @@
+<?php
+
+if ('GET' === $_SERVER['REQUEST_METHOD']) {
+ header('HTTP/1.1 200 Log In Optional');
+ header('WWW-Authenticate: Basic Realm="Form-Based HTTP Auth Test"', false, 200);
+} else {
+ /* When authenticating, always check the POSTed credentials, and only if no
+ credentials were posted check the HTTP Auth credentials. There are several
+ edge cases which will result in there being both a set of POST credentials
+ and a set of HTTP credentials, and the two may not necessarily be the same.
+ Any time you get both, the POST credentials are the ones you can expect to
+ be the ones most recently supplied by the user.
+
+ You should also keep this in mind when dealing with actual sessions: just
+ because you're getting HTTP Auth credentials from the browser doesn't mean
+ you /should/ be. Not being able to tell the browser to forget credentials
+ is a real drag--if you're getting both HTTP Auth and a session cookie,
+ you've got to trust the cookie over the HA. */
+ $username = array_key_exists('username', $_POST) ? $_POST['username'] : $_SERVER['PHP_AUTH_USER'];
+ $password = array_key_exists('password', $_POST) ? $_POST['password'] : $_SERVER['PHP_AUTH_PW'];
+}
+
+?><!doctype html>
+<html>
+<head><title>Form-based HTTP Auth Login Test</title></head>
+<body>
+<h1><?php
+if ('authenticate' === $username && 'successfully' == $password) {
+ echo "Auth Success!";
+} elseif ($username || $password) {
+ echo "Auth Failure!";
+} else {
+ echo "Form-based HTTP Auth Login Test";
+}
+?></h1>
+
+<?php if ('POST' === $_SERVER['REQUEST_METHOD']) { ?>
+<p>Have your credentials and some XSS.</p>
+<p>Attempted to auth with <q><?php echo $username; ?></q> and <q><?php echo $password; ?></q>.</p>
+<pre>HTTP Username: <?php echo $_SERVER['PHP_AUTH_USER'] . "\n"; ?>
+HTTP Password: <?php echo $_SERVER['PHP_AUTH_PW'] . "\n"; ?>
+POSTED: <?php print_r($_POST); ?></pre>
+<?php } else { ?>
+<p>For a successful authentication, try username "authenticate" with password "successfully". For a failing authentication, try username "fail" with password "whale".</p>
+<?php } ?>
+
+<form action='/login.php' method='post' class='http-authentication'>
+<label for='theusername'>Username: <input type='textbox' name='username' id='theusername'></label>
+<label for='thepassword'>Password: <input type='password' name='password' id='thepassword'></label>
+<button type='submit' name='authme' value='yea'>Authenticate Me!</button>
+</form>
+
+<script src='/jquery.js'></script>
+<script src='/form-to-http-auth.js'></script>
+</body>
+</html>
\ No newline at end of file
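Review bot: Lines 26–27 choose the username and the password independently, so a POST that carries only one of the two fields is paired with the other half of the HTTP Basic credentials — exactly the cross-source mixing the comment on lines 14–19 says to avoid. The same two lines read `$_SERVER['PHP_AUTH_USER']`/`PHP_AUTH_PW` without `isset()`, and on a GET `$username`/`$password` are never assigned before line 35 reads them, so both paths emit undefined-index/undefined-variable notices (warnings on PHP 8). Decide the source once — POST if either field was posted, otherwise Basic auth — and default both to `''`, as below. Separately, line 35 compares the password with `==` but the username with `===`; a real check should use `hash_equals()` for both, and while lines 46–49 deliberately reflect the submitted password unescaped (line 45 says as much) that makes this fixture a reflected-XSS and credential-leak endpoint, so it must stay off any shared or reachable host.
```php
$username = $password = '';
if ('GET' === $_SERVER['REQUEST_METHOD']) {
    // … unchanged: 200 + WWW-Authenticate headers …
} else {
    // … unchanged: comment on POST-over-Basic precedence …
    $fromPost = array_key_exists('username', $_POST) || array_key_exists('password', $_POST);
    $username = $fromPost ? (isset($_POST['username']) ? $_POST['username'] : '')
                          : (isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '');
    $password = $fromPost ? (isset($_POST['password']) ? $_POST['password'] : '')
                          : (isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '');
}
```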