HTTP Basic Authentication passed to different subdomain_问答_开发者

HTTP Basic Authentication passed to different subdomain

开发者 https://www.devze.com 2023-03-03 11:55 出处：网络

I\'m trying to pass a basic HT开发者_运维技巧TP authentication from one subdomain to another as to not ask people to login twice.

I'm trying to pass a basic HT开发者_运维技巧TP authentication from one subdomain to another as to not ask people to login twice.

The first subdomain is PHP capable, while the second is an ASP application. The ASP application is asking for a Basic HTTP Auth prompt (once submitted they have access to the web app), but my goal is to make it so it forces the correct login so it doesn't prompt the user and they can access the web app right away.

On the PHP side I've tried the following:

$base64value = base64_encode($value);
setcookie("Authorization",$base64value, time()+3600*24);

I've also successfully got the header Authentication, but it doesn't seem to pass it to the next page even when it's the same value

header('WWW-Authenticate: Basic realm="'.$base64value.'"');

I've also tried setting the domain with the cookie to no luck. Is it true that you can't pass HTTP Basic Authentication through a cookie? It seems like 2 different techniques.

Basic authentication uses the HTTP Header Authorization that the web client computes, not a cookie. So yes, you cannot pass on authentication with this technique.

You need to re-design the authentication. You could look into reverse-proxying one of the sites behind the other, or set up a CAS service.

You don't want setcookie; copying the authenticate header should be all you need:

header('Authorization: " . $_SERVER['AUTHORIZATION']);

Let me know if that works.

EDIT: Oh. Forget that. I thought you were proxying. Yeah, nothing to be done about that: you can't affect the Authorization header for a second domain from the server-side on the first domain.

You can generate all links with authentication if the user is already logged in:

<a href="https://<?php if (isset($_SERVER['PHP_AUTH_USER'])) {
    echo $_SERVER['PHP_AUTH_USER'] . ":" . $_SERVER['PHP_AUTH__PW'] . "@";
?>subdomain.example.com/some/path/resource">Resource</a>

The above is untested but the idea is to send the credentials in the URL like this:

https://user:password@domain.com/path/to/resource

The beauty is that you are not even limited to sub-domains. I can think of many clever ways to automate this URL rewriting so you don't need to do it manually for each link in your website.