[thelist] send HTTP authentication from PHP page?

Ken Schaefer ken.schaefer at gmail.com
Wed Oct 6 19:30:47 CDT 2004


On Wed, 06 Oct 2004 15:24:32 -0400, Theodore Serbinski
<tserbinski at washsq.com> wrote:
> > It seems like either one of us may have misunderstood the question.
> > It sounded to me like Theodore wanted to use PHP to get the contents
> > of another page which was protected by HTTP authentication.
> 
> Actually, I wasn't trying to get the contents of the file. Sorry for the
> ambiguity in my post.
> 
> When users are logged into our intranet, I want them to be able to go to
> our webmail address and be logged in automatically. Right now, when you
> click on our webmail link, MS Exchange asks for the username/password
> combo. I wanted to make this connection seamless in PHP which would
> already take their logged in username/password and send this to MS
> Exchange so they could see their mail without logging in again.
> 
> Looks like this won't work though, unless of course I'm implementing it
> wrong. Thanks!

Either I am misunderstanding what you want to do, or this conversation
is missing some fundamentals:

HTTP authentication works (generally - we'll come to exceptions later) thusly:
a) browser sends request for page to server
b) server denies request, lists acceptable authentication mechanisms (eg Basic)
c) browser ensures that it supports one or more of those
authentication mechanisms
d) browser prompts user for credentials
e) browser sends new request, with the user's credentials included (or
digest or hash, or Kerberos ticket, or whatever)

Note that the decision to send the user's credentials is taken by the
*browser*, not the server. Generally, the first request for any
resource on a given server is anonymous, and only if the server denies
the request and states that it requires authentication does the
browser do anything further. Even then, the browser will prompt the
user for their credentials - otherwise, you'd have a security issue.
Namely, any malicious site could have Basic authentication enabled,
and the browser would send the user's credentials off to the site in
/plain text/.

Anyway, because it is the browser that decides whether to send
credentials or not, it is impossible to, directly, influence this
using PHP running on some other server. Of course, you could use a PHP
page as a reverse proxy (where the PHP page uses the user's credentials
to make an HTTP request to the Exchange server, gathers the response,
and returns this to the client), but that would be a fair amount of
work, and doesn't seem to be what you want.

So, how do you get around this?
a) well, you could use the technique mentioned by others - embedding
the username/password into the link to the Exchange server. But, as
mentioned this won't work in current versions of IE6. It is also a
path that I would *seriously* recommend against taking unless you do
your due diligence. You are embedding sensitive credentials, in plain
text, into an obvious, well known web page. If a user forgets to lock
their computer (or logoff) during lunch, anyone can come along, load
up the Intranet site, and get that user's username/password from the
link to the Exchange server that you've placed onto your Intranet
website.

b) This would be my preferred suggestion. Internet Explorer, by
default, is configured to automatically attempt to logon to sites
using the current Windows user /if/ the site is in the local Intranet
security zone. Sites like http://servername are already in that zone.
You can add other sites either using logon scripts, Group Policy, or
by manually having the users do it. This would be a *much* more secure
way of accomplishing what you want. There's no need to embed any
credentials anywhere. You do need to be using NTLM or Kerberos
authentication for this to work (Basic is not acceptable). See:
http://support.microsoft.com/?id=258063

I hope this helps you solve your problem. For more information on IIS
authentication mechanisms, you might want to read this sample chapter
from the IIS6 security book that I co-authored. There are a couple of
mistakes in it, but the authentication section is pretty good IMHO:
http://www.adopenstatic.com/resources/books/293_CYA_IIS6_05.pdf

Cheers
Ken
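The challenge/response exchange Ken walks through in steps (a) to (e), plus the
reverse-proxy variant he mentions, as an added example that is not part of the
original thread or the product it discusses. It is a Python model rather than a
PHP page: `backend` stands in for the Basic-protected mail server, `browser_fetch`
behaves the way the post says a browser does (anonymous first, prompt only after
a 401 it can satisfy), and `proxy_fetch` is the server-side page that already
holds the credentials and attaches them itself. The realm name, the account
store and the credentials are constructed for the example; on a real IIS box
with Integrated Windows authentication the challenge would name Negotiate/NTLM,
which this model only uses to show the browser declining an unsupported scheme.

```python
"""Model of the HTTP Basic authentication exchange described in the post.

Added illustration; not code from the original thread. The realm, the
account store and the user below are constructed for the example.
"""
import base64

REALM = "webmail.example"          # assumed realm name for the challenge
ACCOUNTS = {"alice": "s3cret"}     # constructed stand-in for the mail server's accounts


def _challenge():
    """Step (b): refuse the request and list the acceptable scheme."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, ""


def backend(headers):
    """Server side of the exchange. Anonymous requests get a 401 challenge;
    a request carrying valid Basic credentials gets the resource."""
    auth = headers.get("Authorization")
    if auth is None:
        return _challenge()
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic":
        return _challenge()
    try:
        user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    except ValueError:               # covers binascii.Error and UnicodeDecodeError
        return 400, {}, ""
    if ACCOUNTS.get(user) != password:
        return _challenge()
    return 200, {}, f"inbox of {user}"


def negotiate_only_backend(headers):
    """A server that only offers a scheme this model browser does not support."""
    return 401, {"WWW-Authenticate": "Negotiate"}, ""


def basic_credentials(user, password):
    """Build the Authorization header value: base64 of user:password."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def browser_fetch(server, prompt_user):
    """Browser side, steps (a), (c), (d), (e).

    The first request is anonymous. Only if the server answers 401 with a
    scheme the browser supports does it call prompt_user() and retry; the
    server never gets to decide that credentials are sent.
    Returns (status, body, trace) where trace records each request made."""
    status, headers, body = server({})
    trace = [("anonymous", status)]
    if status != 401:
        return status, body, trace
    challenge = headers.get("WWW-Authenticate", "")
    if not challenge.lower().startswith("basic"):
        # Step (c) failed: unsupported scheme, so the browser sends nothing more.
        return status, body, trace
    user, password = prompt_user()                      # step (d)
    status, headers, body = server({"Authorization": basic_credentials(user, password)})
    trace.append(("with credentials", status))          # step (e)
    return status, body, trace


def proxy_fetch(server, session):
    """Reverse-proxy variant: a server-side page that already holds the
    session's credentials attaches them on the first request, so the user
    never sees the 401 or a prompt. Returns (status, body)."""
    auth = basic_credentials(session["user"], session["password"])
    status, _, body = server({"Authorization": auth})
    return status, body


def credentials_on_the_wire(header_value):
    """What anyone watching an unencrypted connection sees: Basic is base64
    encoding, not encryption, so user:password is recoverable verbatim."""
    return base64.b64decode(header_value.split(" ", 1)[1]).decode()


if __name__ == "__main__":
    status, body, trace = browser_fetch(backend, lambda: ("alice", "s3cret"))
    print(status, body, trace)
    print(proxy_fetch(backend, {"user": "alice", "password": "s3cret"}))
    print(credentials_on_the_wire(basic_credentials("alice", "s3cret")))
```

The `trace` returned by `browser_fetch` is the part worth watching: the first
request is always anonymous, and the browser only goes back with credentials
after the server has asked for them in a scheme it understands. The proxy path
is the one place the credentials are sent without a prompt, and only because
the proxy, not the browser, is the client.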

