Wednesday, August 26, 2009

HTTP, Authentication, and PHP

I'm very frustrated right now. I want to make a restful service in PHP. I want it so that when you access a resource, https://server.com/foo.php, you are given a 'general public' view.

I also want it so that if you supply credentials à la HTTP Basic Auth, you are given a user-specific view.
That way, I can let things crawl my data, and if they have a user / pass, they can see more info.


Foolishly, I thought this would be trivial.

Problems:
1. Testing via https://user:pass@server.com/foo.php does not populate the $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] variables.
2. User agents fight you if you use the above - Firefox bugs me about it.
3. PHP itself cannot capture the user:pass fragment of the URL as far as I can tell; so I can't even fake it.
4. User agents don't send credentials unless they get a challenge - so I need to write my own to send unasked-for HTTP Basic Auth details, in order to populate the required variables. This means tools like wget make my restful service useless to crawl. PITA.
5. If I want to provide a 'login' page which does trigger the challenge / authenticate mechanism, I have to create it as a separate page or an extra query bit in the URI. That's certainly not standardised.
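
The optional-authentication pattern described in the list above, as an added example (not code from the original post): foo.php serves the public view when no credentials arrive, the user view when valid Basic credentials arrive, and a 401 challenge only for bad credentials or when the client asks for one. The `?login` parameter, the realm name and the sample user are assumptions made for illustration.

```php
<?php
// Added example, not the post's code. Assumes PHP 7.1+; the ?login parameter,
// realm "foo" and the sample user are constructed for illustration.
$USERS = ['alice' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];
$DUMMY_HASH = password_hash('constructed-dummy', PASSWORD_DEFAULT);

// Returns [user, pass], or null when the request has no usable Basic credentials.
function basic_credentials(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    // Under CGI/FastCGI, PHP_AUTH_* may be unset; parse the raw header if the
    // web server passes it through.
    $header = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/i', trim($header), $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2);
}

function challenge(): void
{
    http_response_code(401);
    header('WWW-Authenticate: Basic realm="foo"');
    exit("Authentication required\n");
}

// One URL, two bodies: keep caches from serving one view for the other.
header('Vary: Authorization');
$creds = basic_credentials($_SERVER);
if ($creds === null) {
    if (isset($_GET['login'])) {
        challenge(); // challenge only when the client asks for it
    }
    exit("general public view\n");
}

[$user, $pass] = $creds;
$known = array_key_exists($user, $USERS);
// Always run password_verify so unknown users cost the same as known ones.
if (!password_verify($pass, $known ? $USERS[$user] : $DUMMY_HASH) || !$known) {
    challenge(); // bad credentials get a 401, never a silent public view
}
header('Cache-Control: private');
echo 'view for ' . htmlspecialchars($user, ENT_QUOTES) . "\n";
```

A client that sends credentials preemptively, for example `curl -u` or `wget --auth-no-challenge`, reaches the user view in a single request. Basic credentials are only base64-encoded, so the `https://` scheme used in the post is what protects them in transit.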
