[pmwiki-users] RSS from authuser protected groups/pages

Wed Nov 30 12:42:51 CST 2005

On Wed, Nov 30, 2005 at 07:09:35PM +0100, bram wrote:
> >Do you have any sort of .htaccess file in place for Apache?
> ...
> However, the server I based my first reply on is completely password 
> protected using .htaccess. There I didin't have aby of these trouble :)

Ah, this was somewhat my original point -- the username:password feature
in urls is working here because you have Apache doing authentication
using .htaccess.  If Apache wasn't doing the authentication, you wouldn't
be able to get the username and password from PHP.

As an example, try http://hello:hello@www.pmichaud.com/sandbox/phpinfo.php,
and you'll see that the username/password *don't* appear in 
$_SERVER['PHP_AUTH_USER'] or $_SERVER['PHP_AUTH_PW'].  (This is
running Apache/1.3.33, PHP 4.3.11, with no .htaccess entries of note.)

However, if the application on the other end returns a 401 Unauthorized
response (as PmWiki does when httpauth.php is installed), then the 
browser resends the request with the appropriate authorization credentials
and Apache makes them available through the PHP_AUTH_USER and PHP_AUTH_PW
server variables.  

Unfortunately, sending back a 401 Unauthorized response doesn't work 
for a lot of (most?) RSS newsreaders, which don't understand HTTP Basic 
authentication.  It might work for Firefox-based newsreaders.

> The production host :
> Apache/1.3.34 (Unix) mod_perl/1.29 PHP/4.4.0 mod_ssl/2.8.25 OpenSSL/0.9.7b
> If I try
> http://hello:hello@www.brambring.nl/wiki/Test/RecentChanges
> using firefox I get some warnings but the login seems to work. No luck 
> with IE.

Interesting.  I know why IE doesn't work -- the use of "username:password"
in external references was disabled by SP2.  (It works if you enter
the username/password directly into the address bar, but if obtained
from another source then IE ignores it.)

I'm not sure why it's working in Firefox; my tests before never worked,
although I just tried it again and I'm getting inconclusive results.
It does depend on something sending back a 401 Unauthorized response,
but I can't quite figure out what is happening after that.

> With my test server I do not get the warnings from firefox. There is 
> more strang stuff, I can't logout anymore using action=logout.

I understand this entirely -- because the test server is using
.htaccess to protect the site, the browser is caching the username/
password pair as part of HTTP Basic authentication.  There's not really
a way for ?action=logout to tell the browser to forget this information;
with HTTP Basic authentication the only reliable way to log out is to
completely close all of the browser windows.

Pm