#72 HTTP authentication hoses admin login


The admin code uses PHP's HTTP authentication handling
to prompt for a username and password. This does not
work correctly with the web server itself is configured
to enforce HTTP authentication. (In this case, the
password does not get passed to the PHP code.)

Here's an excerpts from a note on phpwiki-talk about
how to work around this problem:

From: Jeff Dairiki <dairiki@dairiki.org>
Cc: phpwiki-talk@lists.sourceforge.net
Subject: Re: [Phpwiki-talk] admin.php 1.2.1 problem
Date: Fri, 9 Nov 2001 11:53:33 -0800

For 1.2.x, I think the solution is to edit admin.php,
and delete or comment out the $adminpasswd checks.

if (empty($wikiadmin) || empty($adminpasswd)) {
if (empty($wikiadmin) / || empty($adminpasswd) /) {

if (($PHP_AUTH_USER != $wikiadmin ) ||
($PHP_AUTH_PW != $adminpasswd)) {
if (($PHP_AUTH_USER != $wikiadmin ) / ||
($PHP_AUTH_PW != $adminpasswd)
/ ) {

Also set $wikiadmin to the username who you'd like to
grant admin privileges to. I think (but I'm not
certain --- so this might be a security problem) that
as long as apache is doing the authentication,
$PHP_AUTH_USER will always be set the authenticated
user name.

For 1.3.x, at this point the solution is basically the
same, except you have to edit lib/WikiUser.php.

Comment out or delete line 148:
if (!empty($passwd) && $passwd == ADMIN_PASSWD)
(but leave the next line intact.)

At line 160, change:
if (!defined('ADMIN_USER') ||
|| ADMIN_USER == '' || ADMIN_PASSWD =='') {
if (!defined('ADMIN_USER') / ||
|| ADMIN_USER == '' / || ADMIN_PASSWD ==''
/) {

And, as before, set ADMIN_USER (in index.php) to be the
username to whom you want to grant administrative privs.

(I haven't tested this hack with 1.3.x, so if you have
trouble, let me know.)

At some point, we'll stop using HTTP authenication to
gather the username/passwd, and this problem will go
away. But we're not there yet.


  • Marc-Etienne Vargenau

    Closing very old bugs.

  • Marc-Etienne Vargenau

    • status: open --> closed

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

JavaScript is required for this form.

No, thanks