
Double HTTP Authorization

I am currently working on a project for which I’ve decided to go with basic HTTP authorization in the admin area, for simplicity; however, the company I’m working for already has HTTP authorization on their staging server, and I was wondering whether it is possible to have double HTTP authorization. Looking at the headers, I thought that the realm part is what defines where the user is authorized, but when I implement it like that, after I enter my credentials for the staging server and then for my inner authorization, something that looks like an infinite loop starts and the page never loads.

Is this possible at all or is there some kind of error in my code?

The code is pretty basic stuff:

<?php
// A session must be active before $_SESSION is read or written.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

function require_auth() {
    if (!empty($_SESSION['auth'])) {
        return true;
    }

    // PHP_AUTH_USER / PHP_AUTH_PW only exist once the browser has sent an
    // Authorization header, so read them with a default to avoid notices.
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';

    // hash_equals() compares in constant time, unlike ===.
    if (hash_equals('...', $user) && hash_equals('...', $pass)) {
        return $_SESSION['auth'] = true;
    }

    // Missing or wrong credentials: send the challenge together with a 401
    // status so the browser prompts for credentials and retries.
    header('WWW-Authenticate: Basic realm="uniquerealm"');
    header('HTTP/1.0 401 Unauthorized');
    exit('401 Unauthorized');
}


Answer

If the HTTP request passes through multiple servers, such as a reverse proxy and then an app server, you can use HTTP Basic Auth on each server, provided that you accept the same username and password and report the same realm on each server that checks the auth. The realm partitions the URL space that the user sees into different areas, rather than identifying a particular server, as I think your question is implying. I’ve successfully implemented Basic Auth in multiple layers in the past when all three pieces matched between servers.

User contributions licensed under: CC BY-SA