HTTP_AUTHORIZATION seems to be a server side environment variable, but what values can it be? Are there examples? Is it set by some HTTP headers?
Also, what does it look like on the browser side when it asks for username and password (is it an HTML form or is it a popup box that asks for username and password (which is modal and so if not clicking OK or Cancel, then the browser cannot be clicked on))?
Usually, a user login form will POST to the server with POST variables such as
username=peter&password=123
so what is this HTTP_AUTHORIZATION about?
A detailed description of the HTTP Authorization header can be found in RFC2617, located at http://www.ietf.org/rfc/rfc2617.txt, section 3.2.2.
It might also be worth noting that the standard Joomla! .htaccess file has the following rule in it to set the HTTP_AUTHORIZATION environment variable based on the Authorization header in the request:
Just so we're on the same page, a typical POST request looks something like this:
The environment variables beginning HTTP_ are a hangover from the days when CGI scripts were the main way to serve dynamic content, and they indicate to your server-side code that the client supplied a particular header as part of the request. From the CGI spec:
The Authorization: header is used in a number of HTTP authentication mechanisms; the usual flow is:
WWW-Authenticate: header containing a scheme and (sometimes) a challenge
Authorization: header containing a response to the challenge
The exact format of the challenge and response differs depending on which authentication scheme is in use; RFC2617 (which gpcz linked to) covers "basic" (most common, sends base64-encoded "username:password") and "digest" (contains a cryptographic hash), and NTLM is another that's seen in some Windows environments.
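
The "basic" flow described in the answers above, as an added example that is not part of the original posts: server-side Python that reads HTTP_AUTHORIZATION from a CGI/WSGI-style environment, decodes the base64 "username:password" value and answers with a WWW-Authenticate challenge when it is missing or wrong. The function names, the realm "example" and the sample credentials (taken from the question's peter / 123) are assumptions made for illustration.

```python
import base64
import binascii
import hmac


def parse_http_authorization(environ):
    """Return (scheme, payload) from HTTP_AUTHORIZATION, or None if absent or malformed."""
    raw = environ.get("HTTP_AUTHORIZATION", "")
    scheme, _, payload = raw.strip().partition(" ")
    payload = payload.strip()
    if not scheme or not payload:
        return None
    return scheme.lower(), payload  # scheme names are case-insensitive


def decode_basic(payload):
    """Decode base64("username:password"); return (user, password) or None."""
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first colon only: the password may itself contain ':'.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check_request(environ, expected_user, expected_password, realm="example"):
    """Return (status, headers) for the 401 / WWW-Authenticate / Authorization flow."""
    challenge = [("WWW-Authenticate", 'Basic realm="%s"' % realm)]
    parsed = parse_http_authorization(environ)
    if parsed is None or parsed[0] != "basic":
        return "401 Unauthorized", challenge
    creds = decode_basic(parsed[1])
    if creds is None:
        return "401 Unauthorized", challenge
    # Constant-time comparison avoids leaking how many characters matched.
    user_ok = hmac.compare_digest(creds[0].encode(), expected_user.encode())
    pass_ok = hmac.compare_digest(creds[1].encode(), expected_password.encode())
    if user_ok and pass_ok:
        return "200 OK", []
    return "401 Unauthorized", challenge


# Constructed sample: what the server sees after the browser's login popup is
# filled in with peter / 123. base64 is an encoding, not encryption, so the
# credentials are readable by anyone who can see the request unless TLS is used.
SAMPLE_ENVIRON = {"HTTP_AUTHORIZATION": "Basic " + base64.b64encode(b"peter:123").decode()}
```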