HTTP-аутентификация в PHP

Возможно использовать функцию header() для отправки сообщения "Authentication Required" браузеру, заставив его показать окошко для ввода логина и пароля. Как только пользователь заполнит логин и пароль, ссылка, содержащая PHP-скрипт будет вызвана еще раз с предопределенными переменными PHP_AUTH_USER, PHP_AUTH_PW и AUTH_TYPE, установленными в логин, пароль и тип аутентификации соответственно. Эти предопределенные переменные хранятся в массиве $_SERVER. Поддерживаются оба типа: "Basic" и "Digest" (начиная с версии PHP 5.1.0). Подробнее смотрите функцию header().

Пример фрагмента скрипта, который вынуждает клиента авторизоваться для просмотра страницы:

Пример #1 Пример Basic HTTP-аутентификации

<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    
header('WWW-Authenticate: Basic realm="My Realm"');
    
header('HTTP/1.0 401 Unauthorized');
    echo 
'Текст, отправляемый в том случае,
    если пользователь нажал кнопку Cancel'
;
    exit;
} else {
    echo 
"<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo 
"<p>Вы ввели пароль {$_SERVER['PHP_AUTH_PW']}.</p>";
}
?>

Пример #2 Пример Digest HTTP-аутентификации

Это пример реализации простого скрипта Digest HTTP-аутентификации. За подробностями обращайтесь к » RFC 2617.

<?php
$realm 
'Запретная зона';

//user => password
$users = array('admin' => 'mypass''guest' => 'guest');


if (empty(
$_SERVER['PHP_AUTH_DIGEST'])) {
    
header('HTTP/1.1 401 Unauthorized');
    
header('WWW-Authenticate: Digest realm="'.$realm.
           
'",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');

    die(
'Текст, отправляемый в том случае, если пользователь нажал кнопку Cancel');
}


// анализируем переменную PHP_AUTH_DIGEST
if (!($data http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) ||
    !isset(
$users[$data['username']]))
    die(
'Неправильные данные!');


// генерируем корректный ответ
$A1 md5($data['username'] . ':' $realm ':' $users[$data['username']]);
$A2 md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']);
$valid_response md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2);

if (
$data['response'] != $valid_response)
    die(
'Неправильные данные!');

// все хорошо, логин и пароль верны
echo 'Вы вошли как: ' $data['username'];


// функция разбора заголовка http auth
function http_digest_parse($txt)
{
    
// защита от отсутствующих данных
    
$needed_parts = array('nonce'=>1'nc'=>1'cnonce'=>1'qop'=>1'username'=>1'uri'=>1'response'=>1);
    
$data = array();
    
$keys implode('|'array_keys($needed_parts));

    
preg_match_all('@(' $keys ')=(?:([\'"])([^\2]+?)\2|([^\s,]+))@'$txt$matchesPREG_SET_ORDER);

    foreach (
$matches as $m) {
        
$data[$m[1]] = $m[3] ? $m[3] : $m[4];
        unset(
$needed_parts[$m[1]]);
    }

    return 
$needed_parts false $data;
}
?>

Замечание: Замечание касательно совместимости

Будьте особенно внимательны при указании HTTP-заголовков. Для того, чтобы гарантировать максимальную совместимость с наибольшим количеством различных клиентов, слово "Basic" должно быть написано с большой буквы "B", регион (realm) должен быть взят в двойные (не одинарные!) кавычки, и ровно один пробел должен предшествовать коду 401 в заголовке HTTP/1.0 401. Параметры аутентификации должны разделяться запятыми, как это было показано в примере Digest аутентификации выше.

Вместо простого отображения на экране переменных PHP_AUTH_USER и PHP_AUTH_PW, вам, возможно, понадобится проверить их корректность. Используйте для этого запрос к базе данных или поиск пользователя в dbm-файле.

Вы можете пронаблюдать особенности работы браузера Internet Explorer. Он очень требователен к параметру передаваемых заголовков. Трюк с указанием заголовка WWW-Authenticate перед отправкой статуса HTTP/1.0 401 пока что работает для него.

Для того, чтобы предотвратить написание кем-либо скрипта, раскрывающего пароль к странице, которая использует внешнюю аутентификацию, переменные PHP_AUTH не устанавливаются в случае, если данная страница использует внешнюю аутентификацию и установлен безопасный режим. Несмотря на это, переменная REMOTE_USER может использоваться для аутентификации пользователя, прошедшего внешнюю аутентификацию. Таким образом, вы всегда можете воспользоваться переменной $_SERVER['REMOTE_USER'].

Замечание: Замечание касательно конфигурации

PHP использует указание директивы AuthType для указания того, используется внешняя аутентификация или нет.

Следует заметить, что все вышесказанное не предотвращает похищения паролей к страницам, требующим авторизацию, кем-либо, кто контролирует страницы без авторизации, расположенные на том же сервере.

И Netscape Navigator и Internet Explorer очищают кеш аутентификации текущего окна для заданного региона (realm) при получении от сервера статуса 401. Это может использоваться для реализации принудительного выхода пользователя и повторного отображения диалогового окна для ввода имени пользователя и пароля. Некоторые разработчики используют это для ограничения авторизации по времени или для предоставления кнопки "Выход".

Пример #3 Пример HTTP-аутентификации с принудительным вводом новой пары логин/пароль

<?php
function authenticate() {
    
header('WWW-Authenticate: Basic realm="Test Authentication System"');
    
header('HTTP/1.0 401 Unauthorized');
    echo 
"Вы должны ввести корректный логин и пароль для получения доступа к ресурсу \n";
    exit;
}

if (!isset(
$_SERVER['PHP_AUTH_USER']) ||
    (
$_POST['SeenBefore'] == && $_POST['OldAuth'] == $_SERVER['PHP_AUTH_USER'])) {
    
authenticate();
} else {
    echo 
"<p>Добро пожаловать: " htmlspecialchars($_SERVER['PHP_AUTH_USER']) . "<br />";
    echo 
"Предыдущий логин: " htmlspecialchars($_REQUEST['OldAuth']);
    echo 
"<form action='' method='post'>\n";
    echo 
"<input type='hidden' name='SeenBefore' value='1' />\n";
    echo 
"<input type='hidden' name='OldAuth' value=\"" htmlspecialchars($_SERVER['PHP_AUTH_USER']) . "\" />\n";
    echo 
"<input type='submit' value='Авторизоваться повторно' />\n";
    echo 
"</form></p>\n";
}
?>

Это поведение не регламентируется стандартами HTTP Basic-аутентификации, следовательно, вы не должны зависеть от этого. Тестирование браузера Lynx показало, что Lynx не очищает кеш авторизации при получении от сервера статуса 401, и, нажав последовательно "Back", а затем "Forward" возможно открыть такую страницу, при условии, что требуемые атрибуты авторизации не изменились. Однако, пользователь может нажать клавишу '_' для очистки кеша аутентификации.

Для того, чтобы добиться корректной работы HTTP-аутентификации в IIS сервере с CGI версией PHP, вы должны отредактировать конфигурационную настройку IIS под названием "Directory Security". Щелкните на надписи "Edit" и установите опцию "Anonymous Access", все остальные поля должны остаться неотмеченными.

Замечание: Замечание касательно IIS:
Для того, чтобы HTTP-аутентификация корректно работала в IIS, в конфигурации PHP опция cgi.rfc2616_headers должна быть установлена значением 0 (значение по умолчанию).

Замечание:

В случае, если используется безопасный режим, UID текущего скрипта будет добавлен в realm-часть заголовка WWW-Authenticate.

add a note add a note

User Contributed Notes 44 notes

up
38
derkontrollfreak+9hy5l at gmail dot com
6 years ago
Workaround for missing Authorization header under CGI/FastCGI Apache:

SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

Now PHP should automatically declare $_SERVER[PHP_AUTH_*] variables if the client sends the Authorization header.
up
40
webmaster at kratia dot com
13 years ago
This is the simplest form I found to do a Basic authorization with retries.

<?php

$valid_passwords
= array ("mario" => "carbonell");
$valid_users = array_keys($valid_passwords);

$user = $_SERVER['PHP_AUTH_USER'];
$pass = $_SERVER['PHP_AUTH_PW'];

$validated = (in_array($user, $valid_users)) && ($pass == $valid_passwords[$user]);

if (!
$validated) {
 
header('WWW-Authenticate: Basic realm="My Realm"');
 
header('HTTP/1.0 401 Unauthorized');
  die (
"Not authorized");
}

// If arrives here, is a valid user.
echo "<p>Welcome $user.</p>";
echo
"<p>Congratulation, you are into the system.</p>";

?>
up
10
kazakevichilya at gmail dot com
8 years ago
In case of CGI/FastCGI you would hot be able to access PHP_AUTH* info because CGI protocol does not declare such variables (that is why their names start from PHP) and server would not pass them to the interpreter. In CGI server should authenticate user itself and pass REMOTE_USER to CGI script after it.

So you need to "fetch" request headers and pass them to your script somehow.

In apache you can do it via environment variables if mod_env is installed.

Following construction in .htaccess copies request header "Authorization" to the env variable PHP_AUTH_DIGEST_RAW

SetEnvIfNoCase ^Authorization$ "(.+)" PHP_AUTH_DIGEST_RAW=$1

You can now access it via $_ENV.

Do not forget to strip auth type ("Digest" in my case) from your env variable because PHP_AUTH_DIGEST does not have it.

If mod_env is not installed you probably have mod_rewrite (everyone has it because of "human readable URLs").

You can fetch header and pass it as GET parameter using rewrite rule:

RewriteRule ^.*$ site.php?PHP_AUTH_DIGEST_RAW=%{HTTP:Authorization} [NC,L]

Here HTTP request header Authorization would be acessible as PHP_AUTH_DIGEST_RAW via $_GET.

---
If you use ZF you probably use Zend_Auth_Adapter_Http to auth user.

It takes Authorization info using "Zend_Controller_Request::getHeader"
This method uses apache_request_header which is likely not to be accessible in old CGI/FastCGI installations or _$_SERVER['HTTP_<HeaderName>] , so you need to put your authentication data, obtained via _GET or ENV to
_$_SERVER['HTTP_AUTHORIZATION'].
It will make ZF work transparently with you solution and I believe any other framework should work also
up
9
Yuriy
11 years ago
Good day.
Sorry for my english.
This example shows programming "LOGIN", "LOGOUT" and "RE-LOGIN".
This script must use in the protected pages.
For work this script the browser address string must be following:
"http://localhost/admin/?login" - for Login,
"http://localhost/admin/?logout" - for Logout,
"http://localhost/admin/?logout&login" - for Re-Login.
<?php
session_start
();

$authorized = false;

# LOGOUT
if (isset($_GET['logout']) && !isset($_GET["login"]) && isset($_SESSION['auth']))
{
   
$_SESSION = array();
    unset(
$_COOKIE[session_name()]);
   
session_destroy();
    echo
"logging out...";
}

# checkup login and password
if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']))
{
   
$user = 'test';
   
$pass = 'test';
    if ((
$user == $_SERVER['PHP_AUTH_USER']) && ($pass == ($_SERVER['PHP_AUTH_PW'])) && isset($_SESSION['auth']))
    {
   
$authorized = true;
    }
}

# login
if (isset($_GET["login"]) && !$authorized ||
# relogin
   
isset($_GET["login"]) && isset($_GET["logout"]) && !isset($_SESSION['reauth']))
{
   
header('WWW-Authenticate: Basic Realm="Login please"');
   
header('HTTP/1.0 401 Unauthorized');
   
$_SESSION['auth'] = true;
   
$_SESSION['reauth'] = true;
    echo
"Login now or forever hold your clicks...";
    exit;
}
$_SESSION['reauth'] = null;
?>
<h1>you have <? echo ($authorized) ? (isset($_GET["login"]) && isset($_GET["logout"]) ? 're' : '') : 'not '; ?>logged!</h1>
up
9
php at cscott dot net
16 years ago
Note that Microsoft has released a 'security update' which disables the use of username:password@host in http urls.

   http://support.microsoft.com/default.aspx?scid=kb;en-us;834489

The methods described above which rely on this will no longer work in Microsoft browsers, sadly.

You can re-enable this functionality as described at

   http://weblogs.asp.net/cumpsd/archive/2004/02/07/69366.aspx

but your users will probably be unwilling to do this.
up
6
jake22 at gmail dot com
4 years ago
I came up with another approach to work around the problem of browsers caching WWW authentication credentials and creating logout problems. While most browsers have some kind of way to wipe this information, I prefer having my website to take care of the task instead of relying on the user's sanity.

Even with Lalit's method of creating a random realm name, it was still possible to get back into the protected area using the back button in Firefox, so that didn't work. Here's my solution:

Since browsers attach the credentials to specific URLs, use virtual paths where a component of the path is actually a PHP script, and everything following it is part of the URI, such as:

http://velocitypress.ca/some_dir/login.php/auth/8f631b92/

By choosing a different number for the last component of the URL, browsers can be tricked into thinking that they are dealing with a completely different website, and thus prompting the user for credentials again.

Note that using a random, unrestricted number will still allow the user to hit the back button to get back into the page. You should keep track of this number in a server-side file or database and regenerate it upon each successful login, so that the last number(s) become invalid. Using an invalid number might result in a 403 response or, depending on how you feel that day, a 302 to a nasty website.

Care should be taken when linking from the page generated in this case, since relative links will be relative to the virtual and non-existant directory rather than the true script directory.
up
2
Carlos
2 years ago
Simpler WorkAround for missing Authorization header under CGI/FastCGI available in Apache HTTP Server 2.4.13 and later

     CGIPassAuth On

Please don't enable Authorization header with Basic Authentication, is very insecure.
up
7
Ome Ko
10 years ago
a link to http://logout:logout@<?=$_SERVER['HTTP_HOST'];?>/SECRET/ would force a fresh login for the /SECRET directory if no user logout with password logout exists.


[NOTE BY danbrown AT php DOT net: The following note was added by "Anonymous" on 01-APR-2010 (though we presume it's not an April Fool's Day joke).]

this logout method does not work 100% anymore, because of another bulls**t from M$:
http://support.microsoft.com/kb/834489
up
5
emmanuel dot keller at net2000 dot ch
17 years ago
Some servers won't support the HTTP1.0 specification and will give an error 500 (for instance). This happened with a server where I uploaded an authentication script.

If it happens, you can try the HTTP1.1 header syntax :

<?php
header
("WWW-Authenticate: Basic realm=\"My Realm\"");
header('status: 401 Unauthorized');
?>
up
7
Nicolas Merlet - admin(at)merletn.org
13 years ago
Be careful using http digest authentication (see above, example 34.2) if you have to use the 'setlocale' function *before* validating response with the 'http_digest_parse' function, because there's a conflict with \w in the pattern of 'preg_match_all' function :

In fact, as \w is supposed to be any letter or digit or the underscore character, you must not forgot that this may vary depending on your locale configuration (eg. it accepts accented letters in french)...

Due to this different pattern interpretation by the 'preg_match_all' function, the 'http_digest_parse' function will always return a false result if you have modified your locale (I mean if your locale accepts some extended characters, see http://fr.php.net/manual/en/reference.pcre.pattern.syntax.php for further information).

IMHO, I suggest you not to use setlocale before having your authentication completed...

PS : Here's a non-compatible setlocale declaration...
setlocale ( LC_ALL, 'fr_FR', 'fr', 'FR', 'french', 'fra', 'france', 'French', 'fr_FR.ISO8859-1' ) ;
up
5
Robb_Bean at gmx dot net
6 years ago
In the german example #2 (digest), the <?php $realm = "Geschützter Bereich"; ?>. As far as I have tested the umlaut ü is problematic, resulting in an password enter infinity loop. In my case it was written in UTF-8. So I suggest using only plain ASCII characters for the realm.
up
5
charly at towebs dot com
15 years ago
A simpler approach on the post of:
bernard dot paques at bigfoot dot com
24-Sep-2004 01:42

This is another "patch" to the PHP_AUTH_USER and PHP_AUTH_PW server variables problem running PHP as a CGI.

First of all don't forget this fragment of code in your .htaccess (it's the only thing you need to make it work with mod_rewrite):

<IfModule mod_rewrite.c>
   RewriteEngine on
   RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]
</IfModule>

Then login.php

<?php
$a
= base64_decode( substr($_SERVER["REMOTE_USER"],6)) ;
if ( (
strlen($a) == 0) || ( strcasecmp($a, ":" )  == 0 ))
{
  
header( 'WWW-Authenticate: Basic realm="Private"' );
  
header( 'HTTP/1.0 401 Unauthorized' );
}
else
{
   list(
$name, $password) = explode(':', $a);
  
$_SERVER['PHP_AUTH_USER'] = $name;
  
$_SERVER['PHP_AUTH_PW']    = $password;

}

echo
'PHP_AUTH_USER =' . $_SERVER['PHP_AUTH_USER'] . '<br>';
echo
'PHP_AUTH_PW =' . $_SERVER['PHP_AUTH_PW'] . '<br>';
echo
'REMOTE_USER =' . $_SERVER['REMOTE_USER'] . '<br>';
?>

First, we decode the base64 encoded string discarding the first 6 characters of "Basic " and then we do a regular validation.
At the end of the script we print the variables to verify it's working. This should be ommited in the production version.

It's a variation of the script by Bernard Paques.
Thanks to him for that snippet.
up
8
ceo at l-i-e dot com
9 years ago
To force a logout with Basic Auth, you can change the Realm out from under them to a different Realm.

This forces a new set of credentials for a new "Realm" on your server.

You just need to track the Realm name with the user/pass and change it around to something new/random as they log in and out.

I believe that this is the only 100% guaranteed way to get a logout in HTTP Basic Auth, and if it were part of the docs a whole lot of BAD user-contributed comments here could be deleted.
up
5
SlamJam
13 years ago
I used Louis example (03-Jun-2006) and it works well for me (thanks).

However, I added some lines, to make sure, the user does only get the Authentification-Window a few times:

<?php
$realm
= mt_rand( 1, 1000000000)."@YourCompany";
$_SESSION['realm'] = $realm;

// In the beginning, when the realm ist defined:
$_SESSION['CountTrials'] = 1;
?>

And then when it comes to check the authentification (ZEND-Tutorial):

<?php

// Not more than 3 Trials
if (!$auth) {
  
$_SESSION['CountTrials']++;
   if (
$_SESSION['CountTrials'] == 4) {  
      
session_destroy() ;
      
header('Location: noentry.php');
       exit ;  
   } else {
      
header("WWW-Authenticate: Basic realm=".$_SESSION['realm']);
      
header("HTTP/1.0 401 Unauthorized");
       echo
'Authorization Required.';
       exit;
   }
} else {
         echo
'<P>You are authorized!</P>';
}
?>

noentry.php is slightely different from comeagain.php.
up
3
gbelyh at gmail dot com
13 years ago
Back to the autherisation in CGI mode. this is the full working example:

#  Create the .htaccess file with following contents:
# also you can use the condition (search at this page)
RewriteEngine on
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]

# In the beginning the script checking the authorization place the code:

$userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"],6)) ;

$userpass = explode(":", $userpass);

if (  count($userpass) == 2  ){
     #this part work not for all.
     #print_r($userpass);die; #<- this can help find out right username and password
     list($name, $password) = explode(':', $userpass);
     $_SERVER['PHP_AUTH_USER'] = $name;
     $_SERVER['PHP_AUTH_PW'] = $password;

}
up
4
Ollie L
10 years ago
I tried example 7, and at first I couldn't get it to work. It took me a while to spot that somewhere along the line, probably by the server, a seemingly random number was being added to the realm - so the valid_result variable wasn't calculated using the correct realm.

To get around this, or any similar problems, make the following changes to the example:

Around line 43 (44 if after next step ;) ):
$needed_parts = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1, 'realm'=>1);

Before line 24:
$realm = $data['realm'];

These two steps get the real realm used for the authentication request, and substitute it into the "valid_response" query.

Hope this helps :)
up
4
admin at isprohosting dot com
13 years ago
There are .htaccess which actually works for us (cPanel + phpsuexec) unless others failed. Perhaps it may help someone.

# PHP (CGI mode) HTTP Authorization with ModRewrite:
RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]

Then you need small piece of php code to parse this line and then everything will work like with mod_php:

if (isset($_SERVER['HTTP_AUTHORIZATION']))
{
$ha = base64_decode( substr($_SERVER['HTTP_AUTHORIZATION'],6) );
list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', $ha);
unset $ha;
}

Enjoy!
up
4
sjeffrey at inquesis dot com
18 years ago
To get it to work with IIS try using this code before setting your "$auth = 0" and the "if (isset($PHP_AUTH_USER) && isset($PHP_AUTH_PW))"

<?php
//////////////////////////////////////////

if ($PHP_AUTH_USER == "" && $PHP_AUTH_PW == "" && ereg("^Basic ", $HTTP_AUTHORIZATION))
{
  list(
$PHP_AUTH_USER, $PHP_AUTH_PW) =
   
explode(":", base64_decode(substr($HTTP_AUTHORIZATION, 6)));
}

//////////////////////////////////////////
?>

It worked for me on IIS 5 and PHP 4 in ISAPI
up
4
sergio dot carvalho at gmail dot com
5 years ago
The only effective way I've found to wipe out the PHP_AUTH_DIGEST or PHP_AUTH_USER AND PHP_AUTH_PW credentials is to call the header HTTP/1.1 401 Unauthorized.

function clear_admin_access(){
    header('HTTP/1.1 401 Unauthorized');
    die('Admin access turned off');
}
up
2
Anonymous
11 years ago
The regex in http_digest_parse from Example #2 does not work for me (PHP 5.2.6), because back references are not allowed in a character class.  This worked for me:

<?php

// function to parse the http auth header
function http_digest_parse($txt)
{
  
// protect against missing data
  
$needed_parts = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1);
  
$data = array();

  
preg_match_all('@(\w+)=(?:(?:\'([^\']+)\'|"([^"]+)")|([^\s,]+))@', $txt, $matches, PREG_SET_ORDER);

   foreach (
$matches as $m) {
      
$data[$m[1]] = $m[2] ? $m[2] : ($m[3] ? $m[3] : $m[4]);
       unset(
$needed_parts[$m[1]]);
   }

   return
$needed_parts ? false : $data;
}

?>
up
3
snagnever at gmail dot com
15 years ago
It forces a auth each time the page is accessed:
(maybe can save someone)

<?
header("Expires: Sat, 01 Jan 2000 00:00:00 GMT");
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
header("Cache-Control: post-check=0, pre-check=0",false);
header("Pragma: no-cache");
session_cache_limiter("public, no-store");
session_start();

function http_auth()
{
    $_SESSION['AUTH'] = 1;
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="sn4g auth system"');
    // The actions to be done when the user clicks on 'cancel'
    exit();
}

if( !isset($_SERVER['PHP_AUTH_USER']) or @$_SESSION['AUTH'] != 1 )
{
    http_auth();
    exit();
}

// Actions do be done when the user has logged

// rest, must clean the session array
$_SESSION = array();
session_destroy();
?>
up
4
xsanychx at mail dot ru
7 years ago
New auth:

<?php
$login
= 'test_login';
$pass = 'test_pass';

if((
$_SERVER['PHP_AUTH_PW']!= $pass || $_SERVER['PHP_AUTH_USER'] != $login)|| !$_SERVER['PHP_AUTH_USER'])
{
   
header('WWW-Authenticate: Basic realm="Test auth"');
   
header('HTTP/1.0 401 Unauthorized');
    echo
'Auth failed';
    exit;
}
?>
up
3
Louis
14 years ago
I couldn't get authentication to work properly with any of the examples. Finally, I started from ZEND's tutorial example at:
http://www.zend.com/zend/tut/authentication.php?article=authentication (validate using .htpasswd) and tried to deal with the additional cases. My general conclusion is that changing the realm is the only reliable way to cause the browser to ask again, and I like to thank the person who put that example in the manual, as it got me on the right path. No matter what, the browser refuses to discard the values that it already has in mind otherwise. The problem with changing the realm, of course, is that you don't want to do it within a given session, else it causes a new request for a password. So, here goes, hopefully the spacing isn't too messed up by the cut'n'paste.

I spent the better part of a day getting this to work right. I had a very hard time thinking through what the browser does when it encounters an authentication request: seems to me that it tries to get the password, then reloads the page... so the HTML doesn't get run. At least, this was the case with IE, I haven't tested it with anything else.

<?php
session_start
() ;
if (!isset(
$_SESSION['realm'])) {
       
$_SESSION['realm'] = mt_rand( 1, 1000000000 ).
               
" SECOND level: Enter your !!!COMPANY!!! password.";

       
header( "WWW-Authenticate: Basic realm=".$_SESSION['realm'] );

       
//  Below here runs HTML-wise only if there isn't a $_SESSION,
        // and the browser *can't* set $PHP_AUTH_USER... normally
        // the browser, having gotten the auth info, runs the page
        // again without getting here.
        //  What I'm basically getting to is that the way to get
        // here is to escape past the login screen. I tried
        // putting a session_destroy() here originally, but the
        // problem is that the PHP runs regardless, so the
        // REFRESH seems like the best way to deal with it.
       
echo "<meta http-equiv=\"REFRESH\"
                content=\"0;url=index.php\">"
;
        exit;
        }

if (
$_POST['logout'] == "logout") {
       
session_destroy() ;
       
header('Location: comeagain.php');
        exit ;
        }

// "standard" authentication code here, from the ZEND tutorial above.

comeagain.php is as follows:

<?
session_start();
unset(
$_SESSION['realm']);
session_destroy();
echo
"<html><head><title>Logged Out</title><h1>Logout Page</h1><body>" ;
echo
"You have successfully logged out of TOGEN";
echo
" at ".date("h:m:s")." on ".date("d F Y") ;
echo
"<p><a href=\"index.php\">Login Again</a>" ;
echo
"</body></html>" ;
?>

The idea is to be able to trash the session (and thus reset the realm) without prompting the browser to ask again... because it has been redirected to logout.php.

With this combination, I get things to work. Just make sure not to have apache run htpasswd authentication at the same time, then things get really weird :-).
up
2
john_2232 at gmail dot com
4 years ago
Here is my attempt to create a digest authentication class that will log the user in and out without using a cookie,session,db,or file. At the core is this simple code to parse the digest string into variables works for several browsers.
<?php
// explode the digest with multibrowser support by Tony Wyatt 21jun07
public function explodethedigest($instring) {
$quote = '"';
$equal = '=';
$comma = ',';
$space = ' ';
$a = explode( $comma, $instring);
$ax = explode($space, $a[0]);
$b = explode( $equal, $ax[1], 2);
$c = explode( $equal, $a[1], 2);
$d = explode( $equal, $a[2], 2);
$e = explode( $equal, $a[3], 2);
$f = explode( $equal, $a[4], 2);
$g = explode( $equal, $a[5], 2);
$h = explode( $equal, $a[6], 2);
$i = explode( $equal, $a[7], 2);
$j = explode( $equal, $a[8], 2);
$k = explode( $equal, $a[9], 2);
$l = explode( $equal, $a[10], 2);
$parts = array(trim($b[0])=>trim($b[1], '"'), trim($c[0])=>trim($c[1], '"'), trim($d[0])=>trim($d[1], '"'), trim($e[0])=>trim($e[1], '"'), trim($f[0])=>trim($f[1], '"'), trim($g[0])=>trim($g[1], '"'), trim($h[0])=>trim($h[1], '"'), trim($i[0])=>trim($i[1], '"'), trim($j[0])=>trim($j[1], '"'), trim($k[0])=>trim($k[1], '"'), trim($l[0])=>trim($l[1], '"'));

return
$parts;
}
?>
Give it a try at http://www.creativetheory.ca/ /tests/ta1.php Log in with user test password pass or user guest password guest. Go to page two for links to the code. Comments, ideas, suggestions, or critique welcome.
up
3
Lars Stecken
12 years ago
To anybody who tried the digest example above and didn't get it to work.

For me the problem seemed to be the deprecated use of '\' (backslash) in the regex instead of the '$' (Dollar) to indicate a backreference. Also the results have to be trimmed off the remaining double and single quotes.

Here's the working example:

// function to parse the http auth header
function http_digest_parse($txt)
{
   
    // protect against missing data
    $needed_parts = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1);
    $data = array();

    preg_match_all('@(\w+)=(?:([\'"])([^$2]+)$2|([^\s,]+))@', $txt, $matches, PREG_SET_ORDER);
   
    foreach ($matches as $m) {
        $data[$m[1]] = $m[3] ? trim($m[3],"\",'") : trim($m[4],"\",'");
        unset($needed_parts[$m[1]]);
    }
   
    return $needed_parts ? false : $data;
}

Probably there's a more sophisticated way to trim the quotes within the regex, but I couldn't be bothered :-)

Greets, Lars
up
3
jason
16 years ago
on the php+mysql auth code by tigran at freenet dot am

There are some security weaknesses.

First
$user
  and
$pass

are both insecure, they could leave this code open to SQL injection, you should always remove invalid characters in both, or at least encode them.

Actually storing passwords as MD5 hashes leaves you less work to secure.

Second security risks
The same mysql user has rights to both update and select, and possibly even insert and on your auth database no less.
Again the SQL inject attack may occur with this., and the end user could then change the users username, password, or anything else in relation to this.

Third items is more of a performance issue,
 
Do you really need to update the database, as updates are slower then selects, and if you do them every time they access the page, you are costing some speed penalty. 

One option, if you want to use sql (I think mysql has it) is memory only databases, and create a table within memory, the stores a unique session identifier for each user, that is logged in, or alternatively if it's a single front end system, you could use db files.
up
3
rob at theblip dot com
16 years ago
Regarding HTTP authentication in IIS with the php cgi 4.3.4, there's one more step. I searched mightily and didn't find this information anywhere else, so here goes. When using HTTP auth with the php CGI, you need to do the following things:

1. In your php.ini file, set "cgi.rfc2616_headers = 0"

2. In Web Site Properties -> File/Directory Security -> Anonymous Access dialog box, check the "Anonymous access" checkbox and uncheck any other checkboxes (i.e. uncheck "Basic authentication," "Integrated Windows authentication," and "Digest" if it's enabled.) Click OK.

3. In "Custom Errors", select the range of "401;1" through "401;5" and click the "Set to Default" button.

It's this last step that is crucial, yet not documented anywhere. If you don't, instead of the headers asking for credentials, IIS will return its own fancy but useless 'you are not authenticated' page. But if you do, then the browser will properly ask for credentials, and supply them in the $_SERVER['PHP_AUTH_*'] elements.
up
2
dan223 at gmail dot com
4 years ago
A simple script for SSL Client Certificate authentication with a basic authentication fall-back. I use this on my site using LDAP server to check username/passwords and client certificate to user mapping.

<?
// Check if and how we are authenticated
if ($_SERVER['SSL_CLIENT_VERIFY'] != "SUCCESS") { // Not using a client certificate
    if ((!$_SERVER['PHP_AUTH_USER']) && (!$_SERVER['PHP_AUTH_PW'])) { // Not logged in using basic authentication
        authenticate(); // Send basic authentication headers
    }
}

if ($_SERVER['SSL_CLIENT_S_DN_CN'] != "chris") { // Check CN name of cert

    if (!(($_SERVER['PHP_AUTH_USER'] == "test") && ($_SERVER['PHP_AUTH_PW'] == "123"))) { // Check username and password
        authenticate(); // Send basic authentication headers because username and/or password didnot match
    }
}

phpinfo();

// Call authentication display
function authenticate() {
    Header("WWW-Authenticate: Basic realm=Website");
        Header("HTTP/1.0 401 Unauthorized");
        error401();
        exit;
}
?>

See my website (http://velocitypress.ca/index.php?page=/manuals/) for more details on client certificate with Apache and PHP.
up
2
roychri at php dot net
13 years ago
For PHP with CGI, make sure you put the rewrite rule above any other rewrite rule you might have.

In my case, I put this at the top of the .htaccess (below RewriteEngine On):
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]

My symptom was that the REMOTE_USER (or REDIRECT_REMOTE_USER in my case) was not being set at all.
The cause: I had some other RewriteRule that was kickin in and was set as LAST rule.
I hope this helps.
up
2
najprogramato at post dot sk
16 years ago
Don't use apache authentification in plain text. Is more better to use own script to generete new ID which is relevant to password. Apache auth data are sent to every page, so the posible mistake are known.
up
2
kembl at example dot com
14 years ago
# PHP (CGI mode) HTTP Authorization with ModRewrite:
# most right example with header check for non empty:
RewriteEngine on
RewriteCond %{HTTP:Authorization}  !^$
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}, \
E=PHP_AUTH_USER:%{HTTP:Authorization},L]
up
3
djreficul at yahoo dot com
14 years ago
Well, I think it's easy to make authentification works correctly. I use a session var to force authentication everytime a user visit the logging area.

<?php
if (!isset ($_SESSION['firstauthenticate'])) {
   
session_start();
}
  function
authenticate() {
   
header('WWW-Authenticate: Basic realm="Sistema autentificacin UnoAutoSur"');
   
header('HTTP/1_0 401 Unauthorized');
//    header("Status: 401 Access Denied");
   
echo "Unauthorized\n";
    exit;
  }
if (!isset(
$_SERVER['PHP_AUTH_USER']) || strcmp ($_SERVER['PHP_AUTH_USER'],$user)!=0 ||
      !isset (
$_SERVER['PHP_AUTH_PW']) || strcmp($_SERVER['PHP_AUTH_PW'],$pass)!=0 || !isset ($_SESSION['firstauthenticate']) || !$_SESSION['firstauthenticate']) {
    
$_SESSION['firstauthenticate']=true;
  
authenticate();
} else {
           
//I destroy the session var now
   
session_unset();
           
//Your code below
}
?>
up
2
Paul
16 years ago
Here is a extremely easy way to successfully logout.

<?php
if ( $realm == '' )
$realm = mt_rand( 1, 1000000000 );
   
header( 'WWW-Authenticate: Basic realm='.$realm );
?>

To log the user out simply change the value of $realm
up
2
vog at notjusthosting dot com
8 years ago
You shouldn't use the "last" ("L") directive in the RewriteRule! This will prevent all further rewrite rules to be skipped whenever a Basic or Digest Auth is given, which is almost certainly not what you want.

So the following lines are sufficient for the .htaccess (or httpd.conf) file:

RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
up
2
h3ndrik
8 years ago
On my configuration with php-cgi - after setting the RewriteRule - the correct variable would be: $_SERVER['REDIRECT_HTTP_AUTHORIZATION']

So the workaround for PhpCGI is:
Set in your .htaccess:

RewriteEngine on
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization},last]

Php workaround:
<?php
//set http auth headers for apache+php-cgi work around
if (isset($_SERVER['HTTP_AUTHORIZATION']) && preg_match('/Basic\s+(.*)$/i', $_SERVER['HTTP_AUTHORIZATION'], $matches)) {
    list(
$name, $password) = explode(':', base64_decode($matches[1]));
   
$_SERVER['PHP_AUTH_USER'] = strip_tags($name);
   
$_SERVER['PHP_AUTH_PW'] = strip_tags($password);
}

//set http auth headers for apache+php-cgi work around if variable gets renamed by apache
if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) && preg_match('/Basic\s+(.*)$/i', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], $matches)) {
    list(
$name, $password) = explode(':', base64_decode($matches[1]));
   
$_SERVER['PHP_AUTH_USER'] = strip_tags($name);
   
$_SERVER['PHP_AUTH_PW'] = strip_tags($password);
}
?>
up
2
web at kwi dot dk
14 years ago
While Digest authentication is still far superior to Basic authentication, there are a number of security issues that one must keep in mind.

In this respect, the Digest example given above is somewhat flawed, because the nonce never times out or otherwise become invalid. It thus becomes a password-equivalent (although to that specific URL only) and can be used by an eavesdropper to fetch the page at any time in the future, thus allowing the attacker to always access the latest version of the page, or (much worse) repeatedly invoke a CGI script -- for instance, if the user requests the URL "/filemanager?delete=somefile", the attacker can repeat this deletion at any point in the future, possibly after the file has been recreated.

And while it might not be possible to change GET data without reauthentication, cookies and POST data *can* be changed.

To protect against the first problem, the nonce can be made to include a timestamp, and a check added to ensure that nonces older than e.g. 30 minutes result in a new authentication request.

To solve the second problem, a one-time only nonce needs to be generated -- that is, all further requests using a particular nonce must be refused.

One way to do this: When the user requests an action such as "deletefile", store a randomly generated nonce in a session variable, issue a 401 authentication challenge with that nonce, and then check against the stored value when receiving the authentication (and clear the session variable).

This way, although a possible eavesdropper receives the nonce and thus gains the ability to perform the action, he can only perform it once -- and the user was going to perform it anyway. (Only the user or the attacker, but not both, gets to perform the action, so it's safe.)

Of course, at some point, the security can only be improved by switching to HTTPS / SSL / TLS (this is for instance the only way to defend against man-in-the-middle attacks). You decide the level of security.
up
1
nuno at mail dot ideianet dot pt
16 years ago
In Windows 2003 Server/IIS6 with the php4+ cgi I only get HTTP authentication working with:
<?php header("Status: 401 Access Denied"); ?>
with
<?php header('HTTP/1.0 401 Unauthorized'); ?>
doesn't work !
I also need in "Custom Errors" to select the range of "401;1" through "401;5" and click the "Set to Default" button.
Thanks rob at theblip dot com
up
2
marco dot moser at oltrefersina dot it
14 years ago
I suggest to demand user's authentication and management to the web server (by .htaccess, ...):

1. configure a global /logon/ directory with a .htaccess file restricted access

2. use fopen wrapper:

  $hh = @fopen("http://{$_SERVER['PHP_AUTH_USER']}:{$_SERVER['PHP_AUTH_PW']}".
    @{$_SERVER['SERVER_NAME']}/logon/", "r");
  if (!$hh) authenticate(); // usual header WWW-Authenticate ...
  fclose($hh);
up
1
steuber at aego dot de
16 years ago
Quite a good solution for the logout problem:

Just tell browser that it is successfully logged in!
This works as follows:
1. User clicks logout button
2. Script sends 401 Header
3. User does NOT enter a password
4. If no password is entered, script sends 200 Header

So the browser remembers no password as a valid password.

Example:

<?php
if (
       (!isset(
$_SERVER['PHP_AUTH_USER']))
    ||(
           (
$_GET["login"]=="login")
    && !(
             (
$_SERVER['PHP_AUTH_USER']=="validuser")
             && (
$_SERVER['PHP_AUTH_PW']=="validpass")
           )
        )
    ||(
           (
$_GET["logout"]=="logout")
     && !(
$_SERVER['PHP_AUTH_PW']=="")
        )
     ) {
Header("WWW-Authenticate: Basic realm=\"Realm\"");
Header("HTTP/1.0 401 Unauthorized");
echo
"Not logged out...<br>\n";
echo
"<a href=\"index.php?login=login\">Login</a>";
exit;
} else if (
$_SERVER['PHP_AUTH_PW']=="") {
echo
"Logged out...<br>\n";
echo
"<a href=\"index.php?login=login\">Login</a>";
exit;
}
?>
up
1
idbobby at rambler dot ru
10 years ago
First of all, sorry for my English.
One more authorization script with logout solution.
In script given by meint_at_meint_dot_net (http://www.php.net/manual/en/features.http-auth.php#93859) rewrite_module is used. If there are any problems with that module and possibilities of administration of the web-server are restricted (including restrictions for use of .htaccess) then you can use this solution.

index.php
---------

<?php

$auth_realm
= 'My realm';

require_once
'auth.php';

echo
"You've logged in as {$_SESSION['username']}<br>";
echo
'<p><a href="?action=logOut">LogOut</a></p>'

?>

auth.php
--------

<?php

$_user_
= 'test';
$_password_ = 'test';

session_start();

$url_action = (empty($_REQUEST['action'])) ? 'logIn' : $_REQUEST['action'];
$auth_realm = (isset($auth_realm)) ? $auth_realm : '';

if (isset(
$url_action)) {
    if (
is_callable($url_action)) {
       
call_user_func($url_action);
    } else {
        echo
'Function does not exist, request terminated';
    };
};

function
logIn() {
    global
$auth_realm;

    if (!isset(
$_SESSION['username'])) {
        if (!isset(
$_SESSION['login'])) {
           
$_SESSION['login'] = TRUE;
           
header('WWW-Authenticate: Basic realm="'.$auth_realm.'"');
           
header('HTTP/1.0 401 Unauthorized');
            echo
'You must enter a valid login and password';
            echo
'<p><a href="?action=logOut">Try again</a></p>';
            exit;
        } else {
           
$user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
           
$password = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
           
$result = authenticate($user, $password);
            if (
$result == 0) {
               
$_SESSION['username'] = $user;
            } else {
               
session_unset($_SESSION['login']);
               
errMes($result);
                echo
'<p><a href="">Try again</a></p>';
                exit;
            };
        };
    };
}

function
authenticate($user, $password) {
    global
$_user_;
    global
$_password_;

    if ((
$user == $_user_)&&($password == $_password_)) { return 0; }
    else { return
1; };
}

function
errMes($errno) {
    switch (
$errno) {
        case
0:
            break;
        case
1:
            echo
'The username or password you entered is incorrect';
            break;
        default:
            echo
'Unknown error';
    };
}

function
logOut() {

   
session_destroy();
    if (isset(
$_SESSION['username'])) {
       
session_unset($_SESSION['username']);
        echo
"You've successfully logged out<br>";
        echo
'<p><a href="?action=logIn">LogIn</a></p>';
    } else {
       
header("Location: ?action=logIn", TRUE, 301);
    };
    if (isset(
$_SESSION['login'])) { session_unset($_SESSION['login']); };
    exit;
}

?>
up
0
patrick dot moire at socopa dot fr
3 months ago
Samples Login / Logout script

login.php :

<?php

   
// Initisalition
   
if ($_COOKIE["SESSION"]=='') {
       
setcookie("SESSION", 'AUTH', 0,'/');
       
   
// Identification perdu (time-out ou logoff)
   
} else if ($_SERVER['PHP_AUTH_USER']!='' && $_COOKIE["USER_SESSION"]=='') {
       
$_SERVER['PHP_AUTH_USER'] = '';
    }

   
// Controle identification à la base
   
$ident = executeSQL("SELECT * FROM UTILISATEURS WHERE upper(IDENTIFIANT)=Upper('".$_SERVER['PHP_AUTH_USER']."')");
    if (
$_SERVER['PHP_AUTH_USER']!='' && strtoupper($ident['IDENTIFIANT'])==strtoupper($_SERVER['PHP_AUTH_USER']) && $ident['MOT_DE_PASSE']==$_SERVER['PHP_AUTH_PW']) {
       
$user = $_SERVER['PHP_AUTH_USER'];
       
setcookie("USER_SESSION", $user, time()+300,'/'); // 5 Minutes !
   
    // Mot de passe incorecte : demande identification
   
} else {
       
setcookie("SESSION", '', 1,'/');
       
header('WWW-Authenticate: Basic realm="My Realm"');
       
header('HTTP/1.0 401 Unauthorized');
        die;
    }
   
?>
<html>
    <body >

        Bonjour <?php echo $ident['NOM'].' '.$ident['PRENOM']; ?>
        <br>
        <br>
        <a href="http://logout.php">Deconnexion</a>
    </body>
</html>

logout.php :

<?php
setcookie
("USER_SESSION", '', 1,'/');
header('Location: http://login.php');
?>
up
0
s dot i dot g at gmx dot com
11 years ago
<?php

// try to mimic cpanel logout style
// only diff is usr & pwd field is cleared when re-login
// tested with ff2 & ie8

session_start();

$username = "test";
$password = "test";

if(isset(
$_GET['logout']))
{
  unset(
$_SESSION["login"]);
  echo
"You have logout ... ";
  echo
"[<a href='" . $_SERVER['PHP_SELF'] . "'>Login</a>]";
  exit;
}

if (!isset(
$_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) || !isset($_SESSION["login"]))
{
 
header("WWW-Authenticate: Basic realm=\"Test\"");
 
header("HTTP/1.0 401 Unauthorized");
 
$_SESSION["login"] = true;
  echo
"You are unauthorized ... ";
  echo
"[<a href='" . $_SERVER['PHP_SELF'] . "'>Login</a>]";
  exit;
}
else
{
  if(
$_SERVER['PHP_AUTH_USER'] == $username && $_SERVER['PHP_AUTH_PW'] == $password)
  {
    echo
"You have logged in ... ";
    echo
"[<a href='" . $_SERVER['PHP_SELF'] . "?logout'>Logout</a>]";
  }
  else
  {
    unset(
$_SESSION["login"]);
   
header("Location: " . $_SERVER['PHP_SELF']);
  }
}

// content here

?>
up
0
Whatabrain
13 years ago
Back to the problem of authenticating in CGI mode... mcbethh suggested using this to set a local variable in php:
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]

It didn't work. I couldn't see the variable. My solution is pretty round-about, but it works:

RewriteEngine on
RewriteCond %{HTTP:Authorization} !^$
RewriteCond %{REQUEST_METHOD} =GET
RewriteCond %{QUERY_STRING} =""
RewriteRule ^page.php$ page.php?login=%{HTTP:Authorization}$1

This causes the Auth string to be added to the URL if there are no parameters and it's a GET request. This prevents POSTs and parameter lists from being corrupted.

Then, in the PHP script, I store the Auth string as a session cookie.

So the only way to log in to my script is to go to the url with no parameters.
up
-2
siberion at hotmail dot com
15 years ago
I came up with another approach to work around the problem of browsers caching WWW authentication credentials and creating logout problems. While most browsers have some kind of way to wipe this information, I prefer having my website to take care of the task instead of relying on the user's sanity.

Even with Lalit's method of creating a random realm name, it was still possible to get back into the protected area using the back button in Firefox, so that didn't work. Here's my solution:

Since browsers attach the credentials to specific URLs, use virtual paths where a component of the path is actually a PHP script, and everything following it is part of the URI, such as:

http://www.example.com/some_dir/login.php/auth/8f631b92/

By choosing a different number for the last component of the URL, browsers can be tricked into thinking that they are dealing with a completely different website, and thus prompting the user for credentials again.

Note that using a random, unrestricted number will still allow the user to hit the back button to get back into the page. You should keep track of this number in a server-side file or database and regenerate it upon each successful login, so that the last number(s) become invalid. Using an invalid number might result in a 403 response or, depending on how you feel that day, a 302 to a nasty website.

Care should be taken when linking from the page generated in this case, since relative links will be relative to the virtual and non-existant directory rather than the true script directory.

Hope this helps somebody.
To Top phpinfo()
PHP logo

PHP Version 7.2.24-0ubuntu0.18.04.3

System Linux dedic161270.fastvps-server.com 4.15.0-88-generic #88-Ubuntu SMP Tue Feb 11 20:11:34 UTC 2020 x86_64
Build Date Feb 11 2020 15:55:52
Server API Apache 2.0 Handler
Virtual Directory Support disabled
Configuration File (php.ini) Path /etc/php/7.2/apache2
Loaded Configuration File /etc/php/7.2/apache2/php.ini
Scan this dir for additional .ini files /etc/php/7.2/apache2/conf.d
Additional .ini files parsed /etc/php/7.2/apache2/conf.d/00-ioncube.ini, /etc/php/7.2/apache2/conf.d/10-mysqlnd.ini, /etc/php/7.2/apache2/conf.d/10-opcache.ini, /etc/php/7.2/apache2/conf.d/10-pdo.ini, /etc/php/7.2/apache2/conf.d/15-xml.ini, /etc/php/7.2/apache2/conf.d/20-calendar.ini, /etc/php/7.2/apache2/conf.d/20-ctype.ini, /etc/php/7.2/apache2/conf.d/20-curl.ini, /etc/php/7.2/apache2/conf.d/20-dom.ini, /etc/php/7.2/apache2/conf.d/20-exif.ini, /etc/php/7.2/apache2/conf.d/20-fileinfo.ini, /etc/php/7.2/apache2/conf.d/20-ftp.ini, /etc/php/7.2/apache2/conf.d/20-gd.ini, /etc/php/7.2/apache2/conf.d/20-gettext.ini, /etc/php/7.2/apache2/conf.d/20-iconv.ini, /etc/php/7.2/apache2/conf.d/20-json.ini, /etc/php/7.2/apache2/conf.d/20-mbstring.ini, /etc/php/7.2/apache2/conf.d/20-mysqli.ini, /etc/php/7.2/apache2/conf.d/20-pdo_mysql.ini, /etc/php/7.2/apache2/conf.d/20-phar.ini, /etc/php/7.2/apache2/conf.d/20-posix.ini, /etc/php/7.2/apache2/conf.d/20-readline.ini, /etc/php/7.2/apache2/conf.d/20-shmop.ini, /etc/php/7.2/apache2/conf.d/20-simplexml.ini, /etc/php/7.2/apache2/conf.d/20-sockets.ini, /etc/php/7.2/apache2/conf.d/20-sysvmsg.ini, /etc/php/7.2/apache2/conf.d/20-sysvsem.ini, /etc/php/7.2/apache2/conf.d/20-sysvshm.ini, /etc/php/7.2/apache2/conf.d/20-tokenizer.ini, /etc/php/7.2/apache2/conf.d/20-wddx.ini, /etc/php/7.2/apache2/conf.d/20-xmlreader.ini, /etc/php/7.2/apache2/conf.d/20-xmlrpc.ini, /etc/php/7.2/apache2/conf.d/20-xmlwriter.ini, /etc/php/7.2/apache2/conf.d/20-xsl.ini, /etc/php/7.2/apache2/conf.d/20-zip.ini
PHP API 20170718
PHP Extension 20170718
Zend Extension 320170718
Zend Extension Build API320170718,NTS
PHP Extension Build API20170718,NTS
Debug Build no
Thread Safety disabled
Zend Signal Handling enabled
Zend Memory Manager enabled
Zend Multibyte Support provided by mbstring
IPv6 Support enabled
DTrace Support available, disabled
Registered PHP Streamshttps, ftps, compress.zlib, php, file, glob, data, http, ftp, phar, zip
Registered Stream Socket Transportstcp, udp, unix, udg, ssl, tls, tlsv1.0, tlsv1.1, tlsv1.2
Registered Stream Filterszlib.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, dechunk, convert.iconv.*
Zend logo This program makes use of the Zend Scripting Language Engine:
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with the ionCube PHP Loader + ionCube24 v10.3.9, Copyright (c) 2002-2019, by ionCube Ltd.
    with Zend OPcache v7.2.24-0ubuntu0.18.04.3, Copyright (c) 1999-2018, by Zend Technologies

Configuration

apache2handler

Apache Version Apache/2.4.29 (Ubuntu)
Apache API Version 20120211
Server Administrator admin@liceystil.ru
Hostname:Port liceystil.ru:0
User/Group www-data(33)/33
Max Requests Per Child: 4000 - Keep Alive: on - Max Per Connection: 100
Timeouts Connection: 300 - Keep-Alive: 5
Virtual Server Yes
Server Root /etc/apache2
Loaded Modules core mod_so mod_watchdog http_core mod_log_config mod_logio mod_version mod_unixd mod_access_compat mod_actions mod_alias mod_auth_basic mod_authn_core mod_authn_file mod_authz_core mod_authz_host mod_authz_user mod_autoindex mod_cgi mod_cgid mod_deflate mod_dir mod_env mod_expires mod_fcgid mod_filter mod_mime mpm_itk prefork mod_negotiation mod_php7 mod_proxy mod_proxy_fcgi mod_reqtimeout mod_rewrite mod_rpaf mod_setenvif mod_status mod_suexec mod_vhost_alias mod_headers
DirectiveLocal ValueMaster Value
engine11
last_modified00
xbithack00

Apache Environment

VariableValue
HTTPS on
REMOTE_USER no value
TZ Europe/Moscow
HTTP_HOST liceystil.ru
HTTP_X_REAL_IP 18.213.192.104
HTTP_X_FORWARDED_FOR 18.213.192.104
HTTP_X_FORWARDED_PORT 443
HTTP_X_FORWARDED_PROTO https
HTTP_CONNECTION close
HTTP_USER_AGENT CCBot/2.0 (https://commoncrawl.org/faq/)
HTTP_ACCEPT text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_ACCEPT_LANGUAGE en-US,en;q=0.5
HTTP_ACCEPT_ENCODING br,gzip
PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
SERVER_SIGNATURE <address>Apache/2.4.29 (Ubuntu) Server at liceystil.ru Port 443</address>
SERVER_SOFTWARE Apache/2.4.29 (Ubuntu)
SERVER_NAME liceystil.ru
SERVER_ADDR 127.0.0.1
SERVER_PORT 443
REMOTE_ADDR 18.213.192.104
DOCUMENT_ROOT /var/www/liceystil.ru/data/www/liceystil.ru
REQUEST_SCHEME https
CONTEXT_PREFIX no value
CONTEXT_DOCUMENT_ROOT /var/www/liceystil.ru/data/www/liceystil.ru
SERVER_ADMIN admin@liceystil.ru
SCRIPT_FILENAME /var/www/liceystil.ru/data/www/liceystil.ru/ftest.php
REMOTE_PORT 55346
GATEWAY_INTERFACE CGI/1.1
SERVER_PROTOCOL HTTP/1.0
REQUEST_METHOD GET
QUERY_STRING no value
REQUEST_URI /ftest.php
SCRIPT_NAME /ftest.php

HTTP Headers Information

HTTP Request Headers
HTTP Request GET /ftest.php HTTP/1.0
Host liceystil.ru
X-Real-IP 18.213.192.104
X-Forwarded-For 18.213.192.104
X-Forwarded-Port 443
X-Forwarded-Proto https
Connection close
User-Agent CCBot/2.0 (https://commoncrawl.org/faq/)
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language en-US,en;q=0.5
Accept-Encoding br,gzip
HTTP Response Headers
Vary Accept-Encoding
Content-Encoding gzip

calendar

Calendar support enabled

Core

PHP Version 7.2.24-0ubuntu0.18.04.3
DirectiveLocal ValueMaster Value
allow_url_fopenOnOn
allow_url_includeOffOff
arg_separator.input&&
arg_separator.output&&
auto_append_fileno valueno value
auto_globals_jitOnOn
auto_prepend_fileno valueno value
browscapno valueno value
default_charsetUTF-8UTF-8
default_mimetypetext/htmltext/html
disable_classesno valueno value
disable_functionspcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
display_errorsOffOff
display_startup_errorsOffOff
doc_rootno valueno value
docref_extno valueno value
docref_rootno valueno value
enable_dlOffOff
enable_post_data_readingOnOn
error_append_stringno valueno value
error_logno valueno value
error_prepend_stringno valueno value
error_reporting2252722527
expose_phpOffOff
extension_dir/usr/lib/php/20170718/usr/lib/php/20170718
file_uploadsOnOn
hard_timeout22
highlight.comment#FF8000#FF8000
highlight.default#0000BB#0000BB
highlight.html#000000#000000
highlight.keyword#007700#007700
highlight.string#DD0000#DD0000
html_errorsOnOn
ignore_repeated_errorsOffOff
ignore_repeated_sourceOffOff
ignore_user_abortOffOff
implicit_flushOffOff
include_path.:/usr/share/php.:/usr/share/php
input_encodingno valueno value
internal_encodingno valueno value
log_errorsOnOn
log_errors_max_len10241024
mail.add_x_headerOnOff
mail.force_extra_parametersno valueno value
mail.logno valueno value
max_execution_time12030
max_file_uploads2020
max_input_nesting_level6464
max_input_time6060
max_input_vars100001000
memory_limit128M128M
open_basedirno valueno value
output_buffering40964096
output_encodingno valueno value
output_handlerno valueno value
post_max_size100M8M
precision1414
realpath_cache_size4096K4096K
realpath_cache_ttl120120
register_argc_argvOffOff
report_memleaksOnOn
report_zend_debugOnOn
request_orderGPGP
sendmail_fromno valueno value
sendmail_path/usr/sbin/sendmail -t -i -f 'admin@liceystil.ru'/usr/sbin/sendmail -t -i 
serialize_precision-1-1
short_open_tagOnOff
SMTPlocalhostlocalhost
smtp_port2525
sys_temp_dirno valueno value
track_errorsOffOff
unserialize_callback_funcno valueno value
upload_max_filesize100M2M
upload_tmp_dir/var/www/liceystil.ru/data/tmpno value
user_dirno valueno value
user_ini.cache_ttl300300
user_ini.filename.user.ini.user.ini
variables_orderGPCSGPCS
xmlrpc_error_number00
xmlrpc_errorsOffOff
zend.assertions-1-1
zend.detect_unicodeOnOn
zend.enable_gcOnOn
zend.multibyteOffOff
zend.script_encodingno valueno value
zend.signal_checkOffOff

ctype

ctype functions enabled

curl

cURL support enabled
cURL Information 7.58.0
Age 4
Features
AsynchDNS Yes
CharConv No
Debug No
GSS-Negotiate No
IDN Yes
IPv6 Yes
krb4 No
Largefile Yes
libz Yes
NTLM Yes
NTLMWB Yes
SPNEGO Yes
SSL Yes
SSPI No
TLS-SRP Yes
HTTP2 Yes
GSSAPI Yes
KERBEROS5 Yes
UNIX_SOCKETS Yes
PSL Yes
Protocols dict, file, ftp, ftps, gopher, http, https, imap, imaps, ldap, ldaps, pop3, pop3s, rtmp, rtsp, smb, smbs, smtp, smtps, telnet, tftp
Host x86_64-pc-linux-gnu
SSL Version OpenSSL/1.1.1
ZLib Version 1.2.11

date

date/time support enabled
timelib version 2017.09
"Olson" Timezone Database Version 0.system
Timezone Database internal
Default timezone Europe/Moscow
DirectiveLocal ValueMaster Value
date.default_latitude31.766731.7667
date.default_longitude35.233335.2333
date.sunrise_zenith90.58333390.583333
date.sunset_zenith90.58333390.583333
date.timezoneEurope/Moscowno value

dom

DOM/XML enabled
DOM/XML API Version 20031129
libxml Version 2.9.4
HTML Support enabled
XPath Support enabled
XPointer Support enabled
Schema Support enabled
RelaxNG Support enabled

exif

EXIF Support enabled
EXIF Version 7.2.24-0ubuntu0.18.04.3
Supported EXIF Version 0220
Supported filetypes JPEG, TIFF
Multibyte decoding support using mbstring enabled
Extended EXIF tag formats Canon, Casio, Fujifilm, Nikon, Olympus, Samsung, Panasonic, DJI, Sony, Pentax, Minolta, Sigma, Foveon, Kyocera, Ricoh, AGFA, Epson
DirectiveLocal ValueMaster Value
exif.decode_jis_intelJISJIS
exif.decode_jis_motorolaJISJIS
exif.decode_unicode_intelUCS-2LEUCS-2LE
exif.decode_unicode_motorolaUCS-2BEUCS-2BE
exif.encode_jisno valueno value
exif.encode_unicodeISO-8859-15ISO-8859-15

fileinfo

fileinfo support enabled
version 1.0.5
libmagic 531

filter

Input Validation and Filtering enabled
Revision $Id: 5a34caaa246b9df197f4b43af8ac66a07464fe4b $
DirectiveLocal ValueMaster Value
filter.defaultunsafe_rawunsafe_raw
filter.default_flagsno valueno value

ftp

FTP support enabled
FTPS support enabled

gd

GD Support enabled
GD headers Version 2.2.5
GD library Version 2.2.5
FreeType Support enabled
FreeType Linkage with freetype
FreeType Version 2.8.1
GIF Read Support enabled
GIF Create Support enabled
JPEG Support enabled
libJPEG Version 8
PNG Support enabled
libPNG Version 1.6.34
WBMP Support enabled
XPM Support enabled
libXpm Version 30411
XBM Support enabled
WebP Support enabled
DirectiveLocal ValueMaster Value
gd.jpeg_ignore_warning11

gettext

GetText Support enabled

hash

hash support enabled
Hashing Engines md2 md4 md5 sha1 sha224 sha256 sha384 sha512/224 sha512/256 sha512 sha3-224 sha3-256 sha3-384 sha3-512 ripemd128 ripemd160 ripemd256 ripemd320 whirlpool tiger128,3 tiger160,3 tiger192,3 tiger128,4 tiger160,4 tiger192,4 snefru snefru256 gost gost-crypto adler32 crc32 crc32b fnv132 fnv1a32 fnv164 fnv1a64 joaat haval128,3 haval160,3 haval192,3 haval224,3 haval256,3 haval128,4 haval160,4 haval192,4 haval224,4 haval256,4 haval128,5 haval160,5 haval192,5 haval224,5 haval256,5
MHASH support Enabled
MHASH API Version Emulated Support

iconv

iconv support enabled
iconv implementation glibc
iconv library version 2.27
DirectiveLocal ValueMaster Value
iconv.input_encodingno valueno value
iconv.internal_encodingno valueno value
iconv.output_encodingno valueno value

ionCube Loader

ionCube Loader developed by ionCube Ltd.
Visit ioncube.com for latest Loaders and support.
This Loader also includes features for real-time error reporting and malware protection. Visit ioncube24.com for more details.
Loader version 10.3.9
ionCube24 features unconfigured
DirectiveLocal ValueMaster Value
ic24.api.log_msg_errors00
ic24.api.max_timeout77
ic24.api_access_key****************
ic24.api_check_ip11
ic24.enable00
ic24.home_dirno valueno value
ic24.phperr.enableautoauto
ic24.phperr.ignore00
ic24.sec.block_stdin11
ic24.sec.block_uploaded_files11
ic24.sec.enableautoauto
ic24.sec.exclusion_key****************
ic24.sec.initial_actionblockblock
ic24.sec.initial_cache_all11
ic24.sec.initial_notifyalwaysalways
ic24.sec.initial_state11
ic24.sec.stop_on_error11
ic24.sec.trusted_include_paths****************
ic24.slt77
ic24.update_domains_retry_interval3030
ioncube.loader.encoded_pathsno valueno value

json

json support enabled
json version 1.6.0

libxml

libXML support active
libXML Compiled Version 2.9.4
libXML Loaded Version 20904
libXML streams enabled

mbstring

Multibyte Support enabled
Multibyte string engine libmbfl
HTTP input encoding translation disabled
libmbfl version 1.3.2
oniguruma version 6.3.0
mbstring extension makes use of "streamable kanji code filter and converter", which is distributed under the GNU Lesser General Public License version 2.1.
Multibyte (japanese) regex support enabled
Multibyte regex (oniguruma) backtrack check On
Multibyte regex (oniguruma) version 6.3.0
DirectiveLocal ValueMaster Value
mbstring.detect_orderno valueno value
mbstring.encoding_translationOffOff
mbstring.func_overload20
mbstring.http_inputno valueno value
mbstring.http_outputno valueno value
mbstring.http_output_conv_mimetypes^(text/|application/xhtml\+xml)^(text/|application/xhtml\+xml)
mbstring.internal_encodingno valueno value
mbstring.languageneutralneutral
mbstring.strict_detectionOffOff
mbstring.substitute_characterno valueno value

mysqli

MysqlI Supportenabled
Client API library version mysqlnd 5.0.12-dev - 20150407 - $Id: 3591daad22de08524295e1bd073aceeff11e6579 $
Active Persistent Links 0
Inactive Persistent Links 0
Active Links 0
DirectiveLocal ValueMaster Value
mysqli.allow_local_infileOffOff
mysqli.allow_persistentOnOn
mysqli.default_hostno valueno value
mysqli.default_port33063306
mysqli.default_pwno valueno value
mysqli.default_socketno valueno value
mysqli.default_userno valueno value
mysqli.max_linksUnlimitedUnlimited
mysqli.max_persistentUnlimitedUnlimited
mysqli.reconnectOffOff
mysqli.rollback_on_cached_plinkOffOff

mysqlnd

mysqlndenabled
Version mysqlnd 5.0.12-dev - 20150407 - $Id: 3591daad22de08524295e1bd073aceeff11e6579 $
Compression supported
core SSL supported
extended SSL supported
Command buffer size 4096
Read buffer size 32768
Read timeout 86400
Collecting statistics Yes
Collecting memory statistics No
Tracing n/a
Loaded plugins mysqlnd,debug_trace,auth_plugin_mysql_native_password,auth_plugin_mysql_clear_password,auth_plugin_sha256_password
API Extensions mysqli,pdo_mysql
mysqlnd statistics
bytes_sent 0
bytes_received 0
packets_sent 0
packets_received 0
protocol_overhead_in 0
protocol_overhead_out 0
bytes_received_ok_packet 0
bytes_received_eof_packet 0
bytes_received_rset_header_packet 0
bytes_received_rset_field_meta_packet 0
bytes_received_rset_row_packet 0
bytes_received_prepare_response_packet 0
bytes_received_change_user_packet 0
packets_sent_command 0
packets_received_ok 0
packets_received_eof 0
packets_received_rset_header 0
packets_received_rset_field_meta 0
packets_received_rset_row 0
packets_received_prepare_response 0
packets_received_change_user 0
result_set_queries 0
non_result_set_queries 0
no_index_used 0
bad_index_used 0
slow_queries 0
buffered_sets 0
unbuffered_sets 0
ps_buffered_sets 0
ps_unbuffered_sets 0
flushed_normal_sets 0
flushed_ps_sets 0
ps_prepared_never_executed 0
ps_prepared_once_executed 0
rows_fetched_from_server_normal 0
rows_fetched_from_server_ps 0
rows_buffered_from_client_normal 0
rows_buffered_from_client_ps 0
rows_fetched_from_client_normal_buffered 0
rows_fetched_from_client_normal_unbuffered 0
rows_fetched_from_client_ps_buffered 0
rows_fetched_from_client_ps_unbuffered 0
rows_fetched_from_client_ps_cursor 0
rows_affected_normal 0
rows_affected_ps 0
rows_skipped_normal 0
rows_skipped_ps 0
copy_on_write_saved 0
copy_on_write_performed 0
command_buffer_too_small 0
connect_success 0
connect_failure 0
connection_reused 0
reconnect 0
pconnect_success 0
active_connections 0
active_persistent_connections 0
explicit_close 0
implicit_close 0
disconnect_close 0
in_middle_of_command_close 0
explicit_free_result 0
implicit_free_result 0
explicit_stmt_close 0
implicit_stmt_close 0
mem_emalloc_count 0
mem_emalloc_amount 0
mem_ecalloc_count 0
mem_ecalloc_amount 0
mem_erealloc_count 0
mem_erealloc_amount 0
mem_efree_count 0
mem_efree_amount 0
mem_malloc_count 0
mem_malloc_amount 0
mem_calloc_count 0
mem_calloc_amount 0
mem_realloc_count 0
mem_realloc_amount 0
mem_free_count 0
mem_free_amount 0
mem_estrndup_count 0
mem_strndup_count 0
mem_estrdup_count 0
mem_strdup_count 0
mem_edupl_count 0
mem_dupl_count 0
proto_text_fetched_null 0
proto_text_fetched_bit 0
proto_text_fetched_tinyint 0
proto_text_fetched_short 0
proto_text_fetched_int24 0
proto_text_fetched_int 0
proto_text_fetched_bigint 0
proto_text_fetched_decimal 0
proto_text_fetched_float 0
proto_text_fetched_double 0
proto_text_fetched_date 0
proto_text_fetched_year 0
proto_text_fetched_time 0
proto_text_fetched_datetime 0
proto_text_fetched_timestamp 0
proto_text_fetched_string 0
proto_text_fetched_blob 0
proto_text_fetched_enum 0
proto_text_fetched_set 0
proto_text_fetched_geometry 0
proto_text_fetched_other 0
proto_binary_fetched_null 0
proto_binary_fetched_bit 0
proto_binary_fetched_tinyint 0
proto_binary_fetched_short 0
proto_binary_fetched_int24 0
proto_binary_fetched_int 0
proto_binary_fetched_bigint 0
proto_binary_fetched_decimal 0
proto_binary_fetched_float 0
proto_binary_fetched_double 0
proto_binary_fetched_date 0
proto_binary_fetched_year 0
proto_binary_fetched_time 0
proto_binary_fetched_datetime 0
proto_binary_fetched_timestamp 0
proto_binary_fetched_string 0
proto_binary_fetched_json 0
proto_binary_fetched_blob 0
proto_binary_fetched_enum 0
proto_binary_fetched_set 0
proto_binary_fetched_geometry 0
proto_binary_fetched_other 0
init_command_executed_count 0
init_command_failed_count 0
com_quit 0
com_init_db 0
com_query 0
com_field_list 0
com_create_db 0
com_drop_db 0
com_refresh 0
com_shutdown 0
com_statistics 0
com_process_info 0
com_connect 0
com_process_kill 0
com_debug 0
com_ping 0
com_time 0
com_delayed_insert 0
com_change_user 0
com_binlog_dump 0
com_table_dump 0
com_connect_out 0
com_register_slave 0
com_stmt_prepare 0
com_stmt_execute 0
com_stmt_send_long_data 0
com_stmt_close 0
com_stmt_reset 0
com_stmt_set_option 0
com_stmt_fetch 0
com_deamon 0
bytes_received_real_data_normal 0
bytes_received_real_data_ps 0

openssl

OpenSSL support enabled
OpenSSL Library Version OpenSSL 1.1.1 11 Sep 2018
OpenSSL Header Version OpenSSL 1.1.1 11 Sep 2018
Openssl default config /usr/lib/ssl/openssl.cnf
DirectiveLocal ValueMaster Value
openssl.cafileno valueno value
openssl.capathno valueno value

pcre

PCRE (Perl Compatible Regular Expressions) Support enabled
PCRE Library Version 8.39 2016-06-14
PCRE JIT Support enabled
DirectiveLocal ValueMaster Value
pcre.backtrack_limit10000001000000
pcre.jit11
pcre.recursion_limit100000100000

PDO

PDO supportenabled
PDO drivers mysql

pdo_mysql

PDO Driver for MySQLenabled
Client API version mysqlnd 5.0.12-dev - 20150407 - $Id: 3591daad22de08524295e1bd073aceeff11e6579 $
DirectiveLocal ValueMaster Value
pdo_mysql.default_socket/var/run/mysqld/mysqld.sock/var/run/mysqld/mysqld.sock

Phar

Phar: PHP Archive supportenabled
Phar EXT version 2.0.2
Phar API version 1.1.1
SVN revision $Id: f1155e62742ca367e521a3e412667d8ee34eead9 $
Phar-based phar archives enabled
Tar-based phar archives enabled
ZIP-based phar archives enabled
gzip compression enabled
bzip2 compression disabled (install pecl/bz2)
Native OpenSSL support enabled
Phar based on pear/PHP_Archive, original concept by Davey Shafik.
Phar fully realized by Gregory Beaver and Marcus Boerger.
Portions of tar implementation Copyright (c) 2003-2009 Tim Kientzle.
DirectiveLocal ValueMaster Value
phar.cache_listno valueno value
phar.readonlyOnOn
phar.require_hashOnOn

posix

Revision $Id: 0a764bab332255746424a1e6cfbaaeebab998e4c $

readline

Readline Supportenabled
Readline library EditLine wrapper
DirectiveLocal ValueMaster Value
cli.pagerno valueno value
cli.prompt\b \> \b \> 

Reflection

Reflectionenabled
Version $Id: 012f23982d9d94728b4da252b9f21f9de8afd4df $

session

Session Support enabled
Registered save handlers files user
Registered serializer handlers php_serialize php php_binary wddx
DirectiveLocal ValueMaster Value
session.auto_startOffOff
session.cache_expire180180
session.cache_limiternocachenocache
session.cookie_domainno valueno value
session.cookie_httponlyno valueno value
session.cookie_lifetime00
session.cookie_path//
session.cookie_secure00
session.gc_divisor10001000
session.gc_maxlifetime14401440
session.gc_probability00
session.lazy_writeOnOn
session.namePHPSESSIDPHPSESSID
session.referer_checkno valueno value
session.save_handlerfilesfiles
session.save_path/var/www/liceystil.ru/data/tmp/var/lib/php/sessions
session.serialize_handlerphpphp
session.sid_bits_per_character55
session.sid_length2626
session.upload_progress.cleanupOnOn
session.upload_progress.enabledOnOn
session.upload_progress.freq1%1%
session.upload_progress.min_freq11
session.upload_progress.namePHP_SESSION_UPLOAD_PROGRESSPHP_SESSION_UPLOAD_PROGRESS
session.upload_progress.prefixupload_progress_upload_progress_
session.use_cookies11
session.use_only_cookies11
session.use_strict_mode00
session.use_trans_sid00

shmop

shmop support enabled

SimpleXML

Simplexml supportenabled
Revision $Id: 341daed0ee94ea8f728bfd0ba4626e6ed365c0d1 $
Schema support enabled

sockets

Sockets Support enabled

sodium

sodium supportenabled
libsodium headers version 1.0.16
libsodium library version 1.0.16

SPL

SPL supportenabled
Interfaces OuterIterator, RecursiveIterator, SeekableIterator, SplObserver, SplSubject
Classes AppendIterator, ArrayIterator, ArrayObject, BadFunctionCallException, BadMethodCallException, CachingIterator, CallbackFilterIterator, DirectoryIterator, DomainException, EmptyIterator, FilesystemIterator, FilterIterator, GlobIterator, InfiniteIterator, InvalidArgumentException, IteratorIterator, LengthException, LimitIterator, LogicException, MultipleIterator, NoRewindIterator, OutOfBoundsException, OutOfRangeException, OverflowException, ParentIterator, RangeException, RecursiveArrayIterator, RecursiveCachingIterator, RecursiveCallbackFilterIterator, RecursiveDirectoryIterator, RecursiveFilterIterator, RecursiveIteratorIterator, RecursiveRegexIterator, RecursiveTreeIterator, RegexIterator, RuntimeException, SplDoublyLinkedList, SplFileInfo, SplFileObject, SplFixedArray, SplHeap, SplMinHeap, SplMaxHeap, SplObjectStorage, SplPriorityQueue, SplQueue, SplStack, SplTempFileObject, UnderflowException, UnexpectedValueException

standard

Dynamic Library Support enabled
Path to sendmail /usr/sbin/sendmail -t -i -f 'admin@liceystil.ru'
DirectiveLocal ValueMaster Value
assert.active11
assert.bail00
assert.callbackno valueno value
assert.exception00
assert.quiet_eval00
assert.warning11
auto_detect_line_endings00
default_socket_timeout6060
fromno valueno value
session.trans_sid_hostsno valueno value
session.trans_sid_tagsa=href,area=href,frame=src,form=a=href,area=href,frame=src,form=
url_rewriter.hostsno valueno value
url_rewriter.tagsform=form=
user_agentno valueno value

sysvmsg

sysvmsg support enabled
Revision $Id: 73c7c7668de72405a739f837dc62fd6ce8e5eba6 $

sysvsem

Version 7.2.24-0ubuntu0.18.04.3

sysvshm

Version 7.2.24-0ubuntu0.18.04.3

tokenizer

Tokenizer Support enabled

wddx

WDDX Supportenabled
WDDX Session Serializer enabled

xml

XML Support active
XML Namespace Support active
libxml2 Version 2.9.4

xmlreader

XMLReader enabled

xmlrpc

core library version xmlrpc-epi v. 0.54
php extension version 7.2.24-0ubuntu0.18.04.3
author Dan Libby
homepage http://xmlrpc-epi.sourceforge.net
open sourced by Epinions.com

xmlwriter

XMLWriter enabled

xsl

XSL enabled
libxslt Version 1.1.29
libxslt compiled against libxml Version 2.9.4
EXSLT enabled
libexslt Version 1.1.29

Zend OPcache

Opcode Caching Up and Running
Optimization Enabled
SHM Cache Enabled
File Cache Disabled
Startup OK
Shared memory model mmap
Cache hits 746125
Cache misses 6015
Used memory 106312120
Free memory 26016136
Wasted memory 1889472
Interned Strings Used memory 8388600
Interned Strings Free memory 8
Cached scripts 3385
Cached keys 3447
Max keys 16229
OOM restarts 0
Hash keys restarts 0
Manual restarts 0
DirectiveLocal ValueMaster Value
opcache.blacklist_filename/opt/opcache-blacklists/opcache-*.blacklistno value
opcache.consistency_checks00
opcache.dups_fixOffOff
opcache.enableOnOn
opcache.enable_cliOffOff
opcache.enable_file_overrideOffOff
opcache.error_logno valueno value
opcache.file_cacheno valueno value
opcache.file_cache_consistency_checks11
opcache.file_cache_only00
opcache.file_update_protection22
opcache.force_restart_timeout180180
opcache.huge_code_pagesOffOff
opcache.inherited_hackOnOn
opcache.interned_strings_buffer88
opcache.lockfile_path/tmp/tmp
opcache.log_verbosity_level11
opcache.max_accelerated_files10000010000
opcache.max_file_size00
opcache.max_wasted_percentage55
opcache.memory_consumption128128
opcache.opt_debug_level00
opcache.optimization_level0x7FFFBFFF0x7FFFBFFF
opcache.preferred_memory_modelno valueno value
opcache.protect_memory00
opcache.restrict_apino valueno value
opcache.revalidate_freq02
opcache.revalidate_pathOffOff
opcache.save_comments11
opcache.use_cwdOnOn
opcache.validate_permissionOffOff
opcache.validate_rootOffOff
opcache.validate_timestampsOnOn

zip

Zip enabled
Zip version 1.15.4
Libzip version 1.1.2

zlib

ZLib Supportenabled
Stream Wrapper compress.zlib://
Stream Filter zlib.inflate, zlib.deflate
Compiled Version 1.2.11
Linked Version 1.2.11
DirectiveLocal ValueMaster Value
zlib.output_compressionOffOff
zlib.output_compression_level-1-1
zlib.output_handlerno valueno value

Additional Modules

Module Name

Environment

VariableValue
APACHE_RUN_DIR /var/run/apache2
APACHE_PID_FILE /var/run/apache2/apache2.pid
JOURNAL_STREAM 9:343313728
PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
INVOCATION_ID 3de2d502b9854b6eb84f4bd53d7bb138
APACHE_LOCK_DIR /var/lock/apache2
LANG C
APACHE_RUN_USER www-data
APACHE_RUN_GROUP www-data
APACHE_LOG_DIR /var/log/apache2
PWD /

PHP Variables

VariableValue
$_SERVER['HTTPS']on
$_SERVER['REMOTE_USER']no value
$_SERVER['TZ']Europe/Moscow
$_SERVER['HTTP_HOST']liceystil.ru
$_SERVER['HTTP_X_REAL_IP']18.213.192.104
$_SERVER['HTTP_X_FORWARDED_FOR']18.213.192.104
$_SERVER['HTTP_X_FORWARDED_PORT']443
$_SERVER['HTTP_X_FORWARDED_PROTO']https
$_SERVER['HTTP_CONNECTION']close
$_SERVER['HTTP_USER_AGENT']CCBot/2.0 (https://commoncrawl.org/faq/)
$_SERVER['HTTP_ACCEPT']text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
$_SERVER['HTTP_ACCEPT_LANGUAGE']en-US,en;q=0.5
$_SERVER['HTTP_ACCEPT_ENCODING']br,gzip
$_SERVER['PATH']/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
$_SERVER['SERVER_SIGNATURE']<address>Apache/2.4.29 (Ubuntu) Server at liceystil.ru Port 443</address>
$_SERVER['SERVER_SOFTWARE']Apache/2.4.29 (Ubuntu)
$_SERVER['SERVER_NAME']liceystil.ru
$_SERVER['SERVER_ADDR']127.0.0.1
$_SERVER['SERVER_PORT']443
$_SERVER['REMOTE_ADDR']18.213.192.104
$_SERVER['DOCUMENT_ROOT']/var/www/liceystil.ru/data/www/liceystil.ru
$_SERVER['REQUEST_SCHEME']https
$_SERVER['CONTEXT_PREFIX']no value
$_SERVER['CONTEXT_DOCUMENT_ROOT']/var/www/liceystil.ru/data/www/liceystil.ru
$_SERVER['SERVER_ADMIN']admin@liceystil.ru
$_SERVER['SCRIPT_FILENAME']/var/www/liceystil.ru/data/www/liceystil.ru/ftest.php
$_SERVER['REMOTE_PORT']55346
$_SERVER['GATEWAY_INTERFACE']CGI/1.1
$_SERVER['SERVER_PROTOCOL']HTTP/1.0
$_SERVER['REQUEST_METHOD']GET
$_SERVER['QUERY_STRING']no value
$_SERVER['REQUEST_URI']/ftest.php
$_SERVER['SCRIPT_NAME']/ftest.php
$_SERVER['PHP_SELF']/ftest.php
$_SERVER['REQUEST_TIME_FLOAT']1606644135.417
$_SERVER['REQUEST_TIME']1606644135

PHP Credits

PHP Group
Thies C. Arntzen, Stig Bakken, Shane Caraveo, Andi Gutmans, Rasmus Lerdorf, Sam Ruby, Sascha Schumann, Zeev Suraski, Jim Winstead, Andrei Zmievski
Language Design & Concept
Andi Gutmans, Rasmus Lerdorf, Zeev Suraski, Marcus Boerger
PHP Authors
ContributionAuthors
Zend Scripting Language Engine Andi Gutmans, Zeev Suraski, Stanislav Malyshev, Marcus Boerger, Dmitry Stogov, Xinchen Hui, Nikita Popov
Extension Module API Andi Gutmans, Zeev Suraski, Andrei Zmievski
UNIX Build and Modularization Stig Bakken, Sascha Schumann, Jani Taskinen
Windows Support Shane Caraveo, Zeev Suraski, Wez Furlong, Pierre-Alain Joye, Anatol Belski, Kalle Sommer Nielsen
Server API (SAPI) Abstraction Layer Andi Gutmans, Shane Caraveo, Zeev Suraski
Streams Abstraction Layer Wez Furlong, Sara Golemon
PHP Data Objects Layer Wez Furlong, Marcus Boerger, Sterling Hughes, George Schlossnagle, Ilia Alshanetsky
Output Handler Zeev Suraski, Thies C. Arntzen, Marcus Boerger, Michael Wallner
Consistent 64 bit support Anthony Ferrara, Anatol Belski
SAPI Modules
ContributionAuthors
Apache 2.0 Handler Ian Holsman, Justin Erenkrantz (based on Apache 2.0 Filter code)
CGI / FastCGI Rasmus Lerdorf, Stig Bakken, Shane Caraveo, Dmitry Stogov
CLI Edin Kadribasic, Marcus Boerger, Johannes Schlueter, Moriyoshi Koizumi, Xinchen Hui
Embed Edin Kadribasic
FastCGI Process Manager Andrei Nigmatulin, dreamcat4, Antony Dovgal, Jerome Loyet
litespeed George Wang
phpdbg Felipe Pena, Joe Watkins, Bob Weinand
Module Authors
ModuleAuthors
BC Math Andi Gutmans
Bzip2 Sterling Hughes
Calendar Shane Caraveo, Colin Viebrock, Hartmut Holzgraefe, Wez Furlong
COM and .Net Wez Furlong
ctype Hartmut Holzgraefe
cURL Sterling Hughes
Date/Time Support Derick Rethans
DB-LIB (MS SQL, Sybase) Wez Furlong, Frank M. Kromann, Adam Baratz
DBA Sascha Schumann, Marcus Boerger
DOM Christian Stocker, Rob Richards, Marcus Boerger
enchant Pierre-Alain Joye, Ilia Alshanetsky
EXIF Rasmus Lerdorf, Marcus Boerger
fileinfo Ilia Alshanetsky, Pierre Alain Joye, Scott MacVicar, Derick Rethans, Anatol Belski
Firebird driver for PDO Ard Biesheuvel
FTP Stefan Esser, Andrew Skalski
GD imaging Rasmus Lerdorf, Stig Bakken, Jim Winstead, Jouni Ahto, Ilia Alshanetsky, Pierre-Alain Joye, Marcus Boerger
GetText Alex Plotnick
GNU GMP support Stanislav Malyshev
Iconv Rui Hirokawa, Stig Bakken, Moriyoshi Koizumi
IMAP Rex Logan, Mark Musone, Brian Wang, Kaj-Michael Lang, Antoni Pamies Olive, Rasmus Lerdorf, Andrew Skalski, Chuck Hagenbuch, Daniel R Kalowsky
Input Filter Rasmus Lerdorf, Derick Rethans, Pierre-Alain Joye, Ilia Alshanetsky
InterBase Jouni Ahto, Andrew Avdeev, Ard Biesheuvel
Internationalization Ed Batutis, Vladimir Iordanov, Dmitry Lakhtyuk, Stanislav Malyshev, Vadim Savchuk, Kirti Velankar
JSON Jakub Zelenka, Omar Kilani, Scott MacVicar
LDAP Amitay Isaacs, Eric Warnke, Rasmus Lerdorf, Gerrit Thomson, Stig Venaas
LIBXML Christian Stocker, Rob Richards, Marcus Boerger, Wez Furlong, Shane Caraveo
Multibyte String Functions Tsukada Takuya, Rui Hirokawa
MySQL driver for PDO George Schlossnagle, Wez Furlong, Ilia Alshanetsky, Johannes Schlueter
MySQLi Zak Greant, Georg Richter, Andrey Hristov, Ulf Wendel
MySQLnd Andrey Hristov, Ulf Wendel, Georg Richter, Johannes Schlüter
OCI8 Stig Bakken, Thies C. Arntzen, Andy Sautins, David Benson, Maxim Maletsky, Harald Radi, Antony Dovgal, Andi Gutmans, Wez Furlong, Christopher Jones, Oracle Corporation
ODBC driver for PDO Wez Furlong
ODBC Stig Bakken, Andreas Karajannis, Frank M. Kromann, Daniel R. Kalowsky
Opcache Andi Gutmans, Zeev Suraski, Stanislav Malyshev, Dmitry Stogov, Xinchen Hui
OpenSSL Stig Venaas, Wez Furlong, Sascha Kettler, Scott MacVicar
Oracle (OCI) driver for PDO Wez Furlong
pcntl Jason Greene, Arnaud Le Blanc
Perl Compatible Regexps Andrei Zmievski
PHP Archive Gregory Beaver, Marcus Boerger
PHP Data Objects Wez Furlong, Marcus Boerger, Sterling Hughes, George Schlossnagle, Ilia Alshanetsky
PHP hash Sara Golemon, Rasmus Lerdorf, Stefan Esser, Michael Wallner, Scott MacVicar
Posix Kristian Koehntopp
PostgreSQL driver for PDO Edin Kadribasic, Ilia Alshanetsky
PostgreSQL Jouni Ahto, Zeev Suraski, Yasuo Ohgaki, Chris Kings-Lynne
Pspell Vlad Krupin
Readline Thies C. Arntzen
Recode Kristian Koehntopp
Reflection Marcus Boerger, Timm Friebe, George Schlossnagle, Andrei Zmievski, Johannes Schlueter
Sessions Sascha Schumann, Andrei Zmievski
Shared Memory Operations Slava Poliakov, Ilia Alshanetsky
SimpleXML Sterling Hughes, Marcus Boerger, Rob Richards
SNMP Rasmus Lerdorf, Harrie Hazewinkel, Mike Jackson, Steven Lawrance, Johann Hanne, Boris Lytochkin
SOAP Brad Lafountain, Shane Caraveo, Dmitry Stogov
Sockets Chris Vandomelen, Sterling Hughes, Daniel Beulshausen, Jason Greene
Sodium Frank Denis
SPL Marcus Boerger, Etienne Kneuss
SQLite 3.x driver for PDO Wez Furlong
SQLite3 Scott MacVicar, Ilia Alshanetsky, Brad Dewar
System V Message based IPC Wez Furlong
System V Semaphores Tom May
System V Shared Memory Christian Cartus
tidy John Coggeshall, Ilia Alshanetsky
tokenizer Andrei Zmievski, Johannes Schlueter
WDDX Andrei Zmievski
XML Stig Bakken, Thies C. Arntzen, Sterling Hughes
XMLReader Rob Richards
xmlrpc Dan Libby
XMLWriter Rob Richards, Pierre-Alain Joye
XSL Christian Stocker, Rob Richards
Zip Pierre-Alain Joye, Remi Collet
Zlib Rasmus Lerdorf, Stefan Roehrich, Zeev Suraski, Jade Nicoletti, Michael Wallner
PHP Documentation
Authors Mehdi Achour, Friedhelm Betz, Antony Dovgal, Nuno Lopes, Hannes Magnusson, Philip Olson, Georg Richter, Damien Seguy, Jakub Vrana, Adam Harvey
Editor Peter Cowburn
User Note Maintainers Daniel P. Brown, Thiago Henrique Pojda
Other Contributors Previously active authors, editors and other contributors are listed in the manual.
PHP Quality Assurance Team
Ilia Alshanetsky, Joerg Behrens, Antony Dovgal, Stefan Esser, Moriyoshi Koizumi, Magnus Maatta, Sebastian Nohn, Derick Rethans, Melvyn Sopacua, Jani Taskinen, Pierre-Alain Joye, Dmitry Stogov, Felipe Pena, David Soria Parra, Stanislav Malyshev, Julien Pauli, Stephen Zarkos, Anatol Belski, Remi Collet, Ferenc Kovacs
Websites and Infrastructure team
PHP Websites Team Rasmus Lerdorf, Hannes Magnusson, Philip Olson, Lukas Kahwe Smith, Pierre-Alain Joye, Kalle Sommer Nielsen, Peter Cowburn, Adam Harvey, Ferenc Kovacs, Levi Morrison
Event Maintainers Damien Seguy, Daniel P. Brown
Network Infrastructure Daniel P. Brown
Windows Infrastructure Alex Schoenmaker

PHP License

This program is free software; you can redistribute it and/or modify it under the terms of the PHP License as published by the PHP Group and included in the distribution in the file: LICENSE

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

If you did not receive a copy of the PHP license, or have any questions about PHP licensing, please contact license@php.net.