Demonstrate that Apache converts any response containing WWW-Authenticate to 401

authenticate.php

<?php

header('HTTP/1.1 403 Forbidden');

if (isset($_GET['authHeader']) && $_GET['authHeader'] == 1) {
    header('WWW-Authenticate: Bearer realm="Foo"');
}

echo "Hi!";

shell-output

#
# Using HTTPie to make requests from the command line: https://httpie.org/
#

ramsey at luthien in ~
$ http -v GET http://localhost/authenticate.php
GET /authenticate.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: localhost
User-Agent: HTTPie/0.9.9



HTTP/1.1 403 Forbidden
Connection: keep-alive
Content-Length: 3
Content-Type: text/html; charset=UTF-8
Date: Thu, 28 Sep 2017 05:24:16 GMT
Server: Apache/2.4.27 PHP/7.0.21
X-Powered-By: PHP/7.0.21

Hi!


ramsey at luthien in ~
$ http -v GET http://localhost/authenticate.php?authHeader=1
GET /authenticate.php?authHeader=1 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: localhost
User-Agent: HTTPie/0.9.9



HTTP/1.1 401 Unauthorized
Connection: keep-alive
Content-Length: 3
Content-Type: text/html; charset=UTF-8
Date: Thu, 28 Sep 2017 05:16:37 GMT
Server: Apache/2.4.27 PHP/7.0.21
WWW-Authenticate: Bearer realm="Foo"
X-Powered-By: PHP/7.0.21

Hi!

When I ran the same script using PHP's built-in web server, I noticed the same behavior. Turns out, PHP is responsible for this: https://github.com/php/php-src/blob/a51cb393b1accc29200e8f57ef867a6a47b2564f/main/SAPI.c#L829-L830

• Relevant Twitter thread: https://twitter.com/ramsey/status/913258814937473024
• Opened issue on PHP bug tracker: https://bugs.php.net/bug.php?id=75272