Is there a way to have PHP redirect to a new page, and pass along HTTP-AUTH?
I have been using cURL, as the second example here: Sending basic authentication information via form
Unfortunately, when I do this, the actual URL [as displayed in the browser URL bar] remains the originating PHP's URL, not the target that I'm browsing.
Here is what I've got so far:
I have also tried replacing the tail end of the above:
if[$httpcode == 200]{
header["Authorization: Basic " . base64_encode[$userpass]];
header["Location: //website/directory/"];
}else{
header["Location: //website/login.php"];
}
But that fails; it redirects to //website.xyz/directory, but it does not pass in the user/pass, and I am presented with a login from the server upon arrival.
Technically, the following works. However, I'd much prefer a more graceful solution than passing user/pass inside the HREF:
header["Location: //" . $userpass . "website/directory/"];
A redirection in the HTTP protocol doesn't support adding any headers to the target location. It's basically just a header in itself and only allows for a URL.
It looks something like this:
HTTP/1.1 307 Temporary Redirect
Location: //appServer:5001/?key=value
When you are adding your x-authorization header with res.header['X-Authorization', 'Bearer ' + jwt] you are only sending that header back to the
client:
HTTP/1.1 307 Temporary Redirect
Location: //appServer:5001/?key=value
X-Authorization: ...
Some possible solutions:
If the servers share a common domain, create a cookie on a domain that spans both [e.g. create cookie on
domain.comif login is atauth.domain.comand the app atapp.domain.com]If you only need the JWT in your client JavaScript, consider adding it as a search param to the redirect URL. The search params won't be sent to the server when requesting a URL, so the token shouldn't end up in any logs.
res.redirect[307, `//appServer:5001/?key=value#token=${jwt}`]
const token = [new URL[document.location]].searchParams.get['token']
- If it's only one request, you could to the request from your server and pipe the response back.
// Simplified! http.request[`//appServer:5001/?key=value`, { 'Authorization': 'Bearer ' + jwt }].on['response', [response] => response.pipe[res]]
It is possible to use the header[] function to send an "Authentication Required" message to the client browser causing it to pop up a Username/Password input window. Once the user has filled in a username and a password, the URL containing the PHP script will be called again with the
predefined variables PHP_AUTH_USER, PHP_AUTH_PW, and AUTH_TYPE set to the user name, password and authentication type respectively. These predefined variables are found in the $_SERVER array. Only "Basic" and "Digest" authentication methods are supported. See the header[] function for more information.
An example script fragment which would force client authentication on a page is as follows:
Example #1 Basic HTTP Authentication example