Lockdown access to controller via WWW-Authenticate

I wanted to try something (possibly) unconventional where I wanted to lock down access to an entire controller by using WWW-Authenticate in the init() function. Something very basic like:


<?php

class AdminController extends Controller
{
	public $layout = '/layouts/main';

	public function init()
	{
		parent::init();
		// Prompt for HTTP Basic credentials when the browser has sent none
		if (!isset($_SERVER['PHP_AUTH_USER'])) {
		    header('WWW-Authenticate: Basic realm="My Realm"');
		    header('HTTP/1.0 401 Unauthorized');
		    echo 'Text to send if user hits Cancel button';
		    exit;
		}
	}
}

I’ve noticed that I end up without the server variable $_SERVER['PHP_AUTH_USER'] after I enter and submit any username or password when prompted. Essentially, I’m being prompted as expected but the user/pass I enter isn’t available when I print_r($_SERVER). In fact, nothing PHP_AUTH is. I am pretty sure this isn’t an issue with my host because I do this successfully (when not using Yii) on other sites.

Has anyone run into this and/or gotten around this any way?

There was a bug about this in PHP 5.0.0 - https://bugs.php.net/bug.php?id=29132

If you use IIS, check the note about the cgi.rfc2616 directive - http://php.net/manua...s.http-auth.php

NOTE: moved topic to Miscellaneous section as it’s not related to Yii

I’ll politely dispute this categorization and make the case for it being put back in the Yii category.

From the bug report (which I’m familiar with) this description does not match my issue:

I’m not seeing PHP_AUTH_PW either. On this server, which supports 5.3.x, I’ve used WWW-Authenticate successfully. The server is CentOS and not IIS. I believe that this is related to Yii or how I’m using Yii and not an issue with PHP itself.

From your first post I understood that you don’t get any PHP_AUTH in the $_SERVER variable… so this IMO is something about PHP / apache… not about Yii as Yii does not do anything with those variables…

I would suggest you write a simple PHP script (without Yii) to see if you then get the needed $_SERVER variables.

I have done that as I mentioned. The fact that it works outside of Yii but seems to not work in Yii (I’ve only tried in the Controller so far) suggests to me that there could be something specific to Yii that’s preventing the expected $_SERVER variables from being available. I’m not sure if it has to do with the routing in Yii where the WWW-Authenticate submission doesn’t get passed along back to the Controller or if there is something else at play. I was hoping someone has tried this and been successful or thought of a clever way to make it work. Googling for similar scenarios has produced nothing so far.

Nothing done by default by Yii… it’s still something in your code…

I just put your init function in one of my controllers and it works… tried to print the $_SERVER variable… and I’m getting the PHP_AUTH variable with values…

Try to create a new webapp with Yii and put your init function in SiteController then see if it works…

That’s actually really good to know so thanks for testing it. That points to something in my setup or configuration since that suggests it’s not an issue with Yii. Thanks. I got what I was looking for :)
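
The standalone check suggested in the thread, as an added example that is not part of the original posts. It also verifies the submitted credentials, which the init() snippet above never does. The function names, the sample user and password, and the fallback to HTTP_AUTHORIZATION / REDIRECT_HTTP_AUTHORIZATION (an assumption about CGI/FastCGI setups that the thread does not confirm as the cause) are illustrative.

```php
<?php
// Added example, not from the thread: standalone Basic-auth check (no Yii).
// Assumption: when PHP runs as CGI/FastCGI the web server may not populate
// PHP_AUTH_*; the raw header may then appear as HTTP_AUTHORIZATION or
// REDIRECT_HTTP_AUTHORIZATION if the server is configured to pass it on.

/** Return [user, password] found in $server, or null if none were sent. */
function basicCredentials(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (empty($server[$key]) || stripos($server[$key], 'Basic ') !== 0) {
            continue;
        }
        $decoded = base64_decode(substr($server[$key], 6), true);
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            return explode(':', $decoded, 2); // password may itself contain ':'
        }
    }
    return null;
}

/** Check both fields without short-circuiting on the user name. */
function credentialsValid(array $creds, string $user, string $hash): bool
{
    $userOk = hash_equals($user, $creds[0]);
    $passOk = password_verify($creds[1], $hash);
    return $userOk && $passOk;
}

// Constructed sample values; in real use, load a stored hash from config.
$expectedUser = 'admin';
$expectedHash = password_hash('example-password', PASSWORD_DEFAULT);

$creds = basicCredentials($_SERVER);
if ($creds === null || !credentialsValid($creds, $expectedUser, $expectedHash)) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    // Diagnostic: list which auth-related keys PHP received (names only).
    $seen = array_filter(array_keys($_SERVER), fn($k) => stripos($k, 'AUTH') !== false);
    echo 'Auth keys seen: ' . (implode(', ', $seen) ?: 'none');
    exit;
}
echo 'Authenticated as ' . htmlspecialchars($creds[0], ENT_QUOTES, 'UTF-8');
```

If the key list still reads "none" after submitting the prompt, the Authorization header is not reaching PHP at all, which points at the server setup rather than the controller code. Remove the diagnostic echo once the cause is found.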