Last active
September 28, 2017 06:14
Demonstrate that Apache converts any response containing WWW-Authenticate to 401
```php
<?php
// Explicitly ask for a 403 status.
header('HTTP/1.1 403 Forbidden');
// With ?authHeader=1, also send a WWW-Authenticate challenge.
if (isset($_GET['authHeader']) && $_GET['authHeader'] == 1) {
    header('WWW-Authenticate: Bearer realm="Foo"');
}
echo "Hi!";
```
```
#
# Using HTTPie to make requests from the command line: https://httpie.org/
#

ramsey at luthien in ~
$ http -v GET http://localhost/authenticate.php
GET /authenticate.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: localhost
User-Agent: HTTPie/0.9.9

HTTP/1.1 403 Forbidden
Connection: keep-alive
Content-Length: 3
Content-Type: text/html; charset=UTF-8
Date: Thu, 28 Sep 2017 05:24:16 GMT
Server: Apache/2.4.27 PHP/7.0.21
X-Powered-By: PHP/7.0.21

Hi!

ramsey at luthien in ~
$ http -v GET http://localhost/authenticate.php?authHeader=1
GET /authenticate.php?authHeader=1 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: localhost
User-Agent: HTTPie/0.9.9

HTTP/1.1 401 Unauthorized
Connection: keep-alive
Content-Length: 3
Content-Type: text/html; charset=UTF-8
Date: Thu, 28 Sep 2017 05:16:37 GMT
Server: Apache/2.4.27 PHP/7.0.21
WWW-Authenticate: Bearer realm="Foo"
X-Powered-By: PHP/7.0.21

Hi!
```
- Relevant Twitter thread: https://twitter.com/ramsey/status/913258814937473024
- Opened issue on PHP bug tracker: https://bugs.php.net/bug.php?id=75272
When I ran the same script using PHP's built-in web server, I noticed the same behavior. Turns out, PHP is responsible for this: https://github.com/php/php-src/blob/a51cb393b1accc29200e8f57ef867a6a47b2564f/main/SAPI.c#L829-L830
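An added example, not part of the gist or of PHP's own code: because the status flips to 401 at the moment the `WWW-Authenticate` header is set, a script that needs the challenge on another status (RFC 6750 uses 403 for `insufficient_scope`) can set the status after the header instead of before it. The helper name `send_bearer_challenge` and the sample values are hypothetical, and that a later `http_response_code()` call overrides the 401 is an assumption to confirm with the same HTTPie requests shown above.

```php
<?php
declare(strict_types=1);

/**
 * Added example (hypothetical helper, not from the gist): send a Bearer
 * challenge together with a status other than 401.
 */
function send_bearer_challenge(int $status, string $realm, ?string $error = null): bool
{
    // Headers and status can only be changed before body output starts.
    if (headers_sent()) {
        return false;
    }

    // Build the challenge parameters as quoted-strings,
    // escaping backslash and double quote inside each value.
    $params = ['realm' => $realm];
    if ($error !== null) {
        $params['error'] = $error;
    }
    $parts = [];
    foreach ($params as $name => $value) {
        $escaped = str_replace(['\\', '"'], ['\\\\', '\\"'], $value);
        $parts[] = sprintf('%s="%s"', $name, $escaped);
    }

    // Setting this header is the step at which the status becomes 401.
    header('WWW-Authenticate: Bearer ' . implode(', ', $parts));

    // Re-assert the intended status afterwards so it is the last write.
    http_response_code($status);

    // Report whether the status PHP will send matches what was requested.
    return http_response_code() === $status;
}

// Constructed usage: the token is valid but lacks the required scope.
send_bearer_challenge(403, 'Foo', 'insufficient_scope');
echo "Hi!";
```

Calling `header('HTTP/1.1 403 Forbidden')` before the challenge header, as the gist's script does, is the ordering that ends up as 401 in the transcript.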