I'm trying to pass a basic HTTP authentication from one subdomain to another so as not to ask people to log in twice.
The first subdomain is PHP capable, while the second is an ASP application. The ASP application is asking for a Basic HTTP Auth prompt (once submitted they have access to the web app), but my goal is to make it so it forces the correct login so it doesn't prompt the user and they can access the web app right away.
On the PHP side I've tried the following:
$base64value = base64_encode($value);
setcookie("Authorization",$base64value, time()+3600*24);
I've also successfully got the header Authentication, but it doesn't seem to pass it to the next page even when it's the same value:
header('WWW-Authenticate: Basic realm="'.$base64value.'"');
I've also tried setting the domain with the cookie, with no luck. Is it true that you can't pass HTTP Basic Authentication through a cookie? It seems like 2 different techniques.
Basic authentication uses the HTTP header Authorization that the web client computes, not a cookie. So yes, you cannot pass on authentication with this technique.
You need to re-design the authentication. You could look into reverse-proxying one of the sites behind the other, or set up a CAS service.
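Added example (not part of the original answers): a small Python model of the exchange described above. It shows that a Basic-auth server reads credentials only from the Authorization request header, so a cookie named Authorization still gets a 401 challenge, while a reverse proxy that attaches the header server-side gets through. The account, host names, the session_ok flag and the functions basic_header, parse_basic, backend and proxy are assumptions made for illustration.

```python
import base64
import hmac

def basic_header(user, password):
    """Authorization value a client computes for Basic auth (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def parse_basic(headers):
    """Return (user, password) from the Authorization header, else None."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode()
    except ValueError:  # bad base64 or bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def backend(headers, accounts, realm="app"):
    """Model of the Basic-auth protected app; the Cookie header is never read."""
    creds = parse_basic({k.lower(): v for k, v in headers.items()})
    expected = accounts.get(creds[0]) if creds else None
    if expected is not None and hmac.compare_digest(expected.encode(), creds[1].encode()):
        return 200, {}
    # WWW-Authenticate is the server's challenge, not a place to put credentials
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}

def proxy(client_headers, session_ok, upstream_auth, accounts):
    """Reverse proxy: discard any client-sent Authorization, attach its own."""
    if not session_ok:  # hypothetical flag: user is logged in on the first site
        return 403, {}
    headers = {k: v for k, v in client_headers.items() if k.lower() != "authorization"}
    headers["Authorization"] = upstream_auth
    return backend(headers, accounts)

# Constructed sample data (not from the original page)
ACCOUNTS = {"alice": "s3cret"}
AUTH_VALUE = basic_header("alice", "s3cret")
cookie_request = {"Host": "app.example.com", "Cookie": "Authorization=" + AUTH_VALUE.split()[1]}
header_request = {"Host": "app.example.com", "Authorization": AUTH_VALUE}

if __name__ == "__main__":
    print(backend(cookie_request, ACCOUNTS))
    print(backend(header_request, ACCOUNTS))
    print(proxy({"Host": "www.example.com"}, True, AUTH_VALUE, ACCOUNTS))
```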
You don't want setcookie; copying the authenticate header should be all you need:
header('Authorization: ' . $_SERVER['HTTP_AUTHORIZATION']);
Let me know if that works.
EDIT: Oh. Forget that. I thought you were proxying. Yeah, nothing to be done about that: you can't affect the Authorization header for a second domain from the server-side on the first domain.
You can generate all links with authentication if the user is already logged in:
<a href="https://<?php if (isset($_SERVER['PHP_AUTH_USER'])) {
echo rawurlencode($_SERVER['PHP_AUTH_USER']) . ":" . rawurlencode($_SERVER['PHP_AUTH_PW']) . "@";
} ?>subdomain.example.com/some/path/resource">Resource</a>
The above is untested but the idea is to send the credentials in the URL like this:
https://user:password@domain.com/path/to/resource
The beauty is that you are not even limited to sub-domains. I can think of many clever ways to automate this URL rewriting so you don't need to do it manually for each link in your website.