I've having trouble with $_POST variables not being received from forms within a PHP website.

To clarify the problem, I created this simple PHP script "POST_test.php":

<?
print "POST:<pre>";
print_r($_POST);
print "</pre>";
?>
<form method="POST" action="POST_test.php">
<input type="submit" value="Save Changes">
<input type="hidden" name="blah" value="1">
</form>

Let's say my Apache web root is folder "web_root", and my website folder is "websiteA". Putting the above script in "web_root/websiteA" and clicking the button in IE7 results in an empty $_POST array. Changing the name of the folder to "web_root/websiteA2" makes it start working, and it also works in other websites within the web root, such as "websiteB". There's no issue when using Firefox. Recently, NTLM authentication was enabled in our systems - I don't know whether this might make a difference.

Apache & PHP run on a server running (a somewhat old version of) Debian Linux.

I've also tried a ctrl-refresh of the page in IE, which didn't help, and neither did rebooting my PC.

Update: This forum post appears to describe the issue: http://lists.rubyonrails.org/pipermail/rails/2006-March/027283.html

1. You cannot post any data to mixed NTLM and non-NTLM authenticated Web sites. Microsoft Internet Explorer requires NTLM authentication for all visits to a website after you visit one NTLM authenticated folder of the website.

I can confirm this behaviour as follows:

When I visit http://mydomain/websiteA/index.php then http://mydomain/websiteA/POST_test.php $_POST is not populated by submitting the test page.

However, closing all my IE7 windows then browsing straight to http://mydomain/websiteA/POST_test.php shows $_POST IS populated by submitting the test page.

And one of the suggested solutions from the above linked forum post appears to be:

The only way I have seen to get IE to "forget" it has previously NTLM-authenticated to a site is to send a 401 page status. This effectively resets the IE authentication state.

Thanks for the suggestions.

It turned out that the problem was caused by a previous request to an unrelated page which made use of NTLM authentication like this (or similar):

<?php
  if (!isset($headers['Authorization'])){
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: NTLM');
    exit;
  }
?>

After that authentication was done, all $_POST data was received empty until IE was closed and re-opened. So far, I've worked around the issue by removing the above code and instead arranging for Apache to use NTLM within our Intranet (which sets the $_SERVER['REMOTE_USER'] variable). (Outside of our intranet, Apache authentication is still used).

After working so hard i have found a trick for this problem. I used the whole ntlm authentication code as a include file in my php where the authentication is done and after that i can not make any form POST because of mixed-ntlm and non-ntlm issues which probably change the headers of the page.

so what you have to do is just include the same ntlm authentication codes at the begining every pages of your site and that will do the trick.

PROBLEM IS SOLVED... :)

Hope this helps a lot of people.

Try to fill your "action" attibute because I don't think will actually work to leave this attribut empty in IE7.

This problem can be worked around by disabling pre-authentication in IE. In the registry:

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

On the Edit menu, Add Value name DisableNTLMPreAuth as a type REG_DWORD and set the data value to 1 (true).

For more information see this bug report and Microsoft KB 251404.