What is the HTTP_AUTHORIZATION environment variable?
Question
HTTP_AUTHORIZATION seems to be a server side environment variable, but what values can it be? Are there examples? Is it set by some HTTP headers?
Also, what does it look like on the browser side when it asks for username and password (is it an HTML form, or is it a popup box that asks for username and password, which is modal, so that if you don't click OK or Cancel the browser cannot be clicked on)?
Usually, a user login form will POST to the server with POST variables such as
username=peter&password=123
So what is this HTTP_AUTHORIZATION?
Recommended answer
Just so we're on the same page, a typical POST request looks something like this:
POST /some/page HTTP/1.1 <-- request line
Host: www.example.com <-------------------\
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-US) <--| headers
Content-Length: 27 <-------------------/
... some other headers ...
<-- blank line
username=peter&password=123 <-- POST data, if any
The environment variables beginning HTTP_ are a hangover from the days when CGI scripts were the main way to serve dynamic content, and they indicate to your server-side code that the client supplied a particular header as part of the request. From the CGI spec:
Meta-variables with names beginning with "HTTP_" contain values read from the client request header fields, if the protocol used is HTTP. The HTTP header field name is converted to upper case, has all occurrences of "-" replaced with "_" and has "HTTP_" prepended to give the meta-variable name.
The Authorization: header is used in a number of HTTP authentication mechanisms; the usual flow is:
- browser attempts to request a page
- server responds with "401 Unauthorized" and a WWW-Authenticate: header containing a scheme and (sometimes) a challenge
- browser prompts user for credentials, then re-sends the request with an Authorization: header containing a response to the challenge
The exact format of the challenge and response differs depending on which authentication scheme is in use; RFC2617 (which gpcz linked to) covers "basic" (most common, sends base64-encoded "username:password") and "digest" (contains a cryptographic hash), and NTLM is another that's seen in some Windows environments.
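The header-to-variable mapping and the "basic" flow described in the answer above, as an added example that is not part of the original question or answer. It is a minimal WSGI application (WSGI keeps the CGI naming); the names cgi_meta_name, parse_basic, check and app, the realm "example" and the sample credentials are assumptions made for illustration.

```python
import base64
import hmac

USERS = {"peter": "123"}  # constructed sample credentials (values from the question's example)

def cgi_meta_name(header_name):
    """Map a request header name to its CGI meta-variable name."""
    return "HTTP_" + header_name.upper().replace("-", "_")

def parse_basic(environ):
    """Return (username, password) from a Basic Authorization header, else None."""
    value = environ.get(cgi_meta_name("Authorization"), "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None                   # header absent, or Digest/NTLM/another scheme
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:                # covers bad base64 and undecodable bytes
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None                   # payload must be "username:password"
    return username, password         # the password itself may contain ":"

def check(creds):
    """Compare the supplied password with the stored one in constant time."""
    expected = USERS.get(creds[0])
    return expected is not None and hmac.compare_digest(
        expected.encode("utf-8"), creds[1].encode("utf-8"))

def app(environ, start_response):
    """Answer 401 with a challenge until valid Basic credentials arrive."""
    creds = parse_basic(environ)
    if creds is None or not check(creds):
        start_response("401 Unauthorized",
                       [("WWW-Authenticate", 'Basic realm="example"'),
                        ("Content-Type", "text/plain")])
        return [b"credentials required\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + creds[0] + "\n").encode("utf-8")]
```

Base64 is an encoding, not encryption, so anyone who can read the request can recover the password unless the connection uses TLS.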