Re: Basic Authentication problem

fiziwig wrote:
Hi,

I've written my first attempt at basic authentication and it doesn't
work. I thought I understood the specs, but I must be missing something
obvious. Can anyone give me a hint as to what might be going wrong. I
know the username and password are correct because I can log into the
site manually. Below is the code (with my customer's site-specific
stuff X'ed out) :

Thanks,
--gary

$fh = fsockopen('XXXXXXXXX.com', 80, $errno, $errstr, 30);
if($fh) {
$body =
'service=RemoveProspect&modifiers[responder]='.$group;
$body .= '&modifiers[email]='.$_POST['email'];
$body .= '&modifiers[ip]='.$ip_addr;
$request = 'POST /XXX/Webservice/PostServer/
HTTP/1.1'."\r\n"
.'Authorization: Basic
'.base64_encode("username:password")."\r\n"
.'Host: XXXXXXXXX.com'."\r\n"
.'Referer:
http://'.$_SERVER['SERVER_NAME']."\r\n"
."Content-Type:
application/x-www-form-urlencoded\r\n"
.'Content-length: '.strlen($body)."\r\n"
.'Connection: close'."\r\n\r\n"
.$body;
fwrite($fh, $request);
$response = '';
while(!feof($fh)) {
$response .= fread($fh, 1024);
}
fclose($fh);

The variable strings are OK because I can cut and paste them into the
URL when I log in manually and they are accepted. But the above code
always returns a 403, Not Authorized.



'Authorization: Basic '.base64_encode("username:password")."\r\n"

Are you putting your real username and password in here?

Also, don't know if it makes a difference - but I normally put the authorization header just before the content type.

If you're running Firefox, you can get the Live HTTP Headers extension for it. Print out your header and compare it to what you get when you try to access the page with Firefox. You should be able to see what the difference is.



--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@xxxxxxxxxxxxx
==================
.

Relevant Pages

  • Re: IIS authentication (kerberos and Integrated security)
    ... Most challenge/response authentication protocols rely on a challenge being issues, and the client using that to develop a response which is sent back to the server. ... the client is *not* sending the correct authorization data to the server for the second request. ... WWW-Authenticate header? ...
    (microsoft.public.inetserver.iis.security)
  • Re: Alternative to username:password@domain
    ... sure of the syntax for adding a header to a WinInet web request, ... The basic authentication header is called "authorization" and looks like ... WinInet may also have built-in support for providing credentials and passing ... > Dear Joe, ...
    (microsoft.public.dotnet.security)
  • Re: Authorize HTTPHeader
    ... client <- server [ntlm response] connection left open ... as ntml requires keepalive, the auth header is not sent on every ... I can get the values easily enough, but the 'authorization' header ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Authorization HTML Header going missing
    ... Authorization header) will come through if we enable basic authentication. ... Basic Authentication isn't turned on via IIS and there should be no need to ... > help capture the raw data send to IIS. ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: IIS Authentication
    ... whatever) continues to send the same authorization data for every subsequent ... I was assuming that the server sends a cookie to maintain the session. ... But I don't see Set:Cookie in response header or Cookie in request header. ... Digest Authentication) is present. ...
    (microsoft.public.inetserver.iis.security)