What is the HTTP_AUTHORIZATION environment variable?


Question

HTTP_AUTHORIZATION seems to be a server side environment variable, but what values can it be? Are there examples? Is it set by some HTTP headers?

Also, what does it look like on the browser side when it asks for username and password (is it an HTML form or is it a popup box that asks for username and password (which is modal and so if not clicking OK or Cancel, then the browser cannot be clicked on))?

Usually, a user login form will POST to the server with POST variables such as

username=peter&password=123

So what is this HTTP_AUTHORIZATION?

Recommended answer

Just so we're on the same page, a typical POST request looks something like this:


POST /some/page HTTP/1.1                            <-- request line
Host: www.example.com                               <-------------------\
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-US) <--| headers
Content-Length: 27                                  <-------------------/
... some other headers ...
                                                    <-- blank line
username=peter&password=123                         <-- POST data, if any

The environment variables beginning HTTP_ are a hangover from the days when CGI scripts were the main way to serve dynamic content, and they indicate to your server-side code that the client supplied a particular header as part of the request. From the CGI spec:


Meta-variables with names beginning with "HTTP_" contain values read from the client request header fields, if the protocol used is HTTP. The HTTP header field name is converted to upper case, has all occurrences of "-" replaced with "_" and has "HTTP_" prepended to give the meta-variable name.

The Authorization: header is used in a number of HTTP authentication mechanisms; the usual flow is:


  1. browser attempts to request a page
  2. server responds with "401 Unauthorized" and a WWW-Authenticate: header containing a scheme and (sometimes) a challenge
  3. browser prompts user for credentials, then re-sends the request with an Authorization: header containing a response to the challenge

The exact format of the challenge and response differs depending on which authentication scheme is in use; RFC2617 (which gpcz linked to) covers "basic" (most common, sends base64-encoded "username:password") and "digest" (contains a cryptographic hash), and NTLM is another that's seen in some Windows environments.
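
The answer above seen from the server side, as an added example that is not part of the original answer: it applies the CGI naming rule to find the meta-variable, then parses its value for the "basic" scheme. The function names, the realm value and the sample environ are assumptions made for illustration.

```python
import base64

def header_to_meta_variable(header_name):
    """CGI rule quoted above: upper-case, '-' -> '_', prepend 'HTTP_'."""
    return "HTTP_" + header_name.upper().replace("-", "_")

def parse_authorization(environ):
    """Return (scheme, detail) from a CGI-style environ dict, or None.

    For Basic, detail is a (username, password) tuple; for any other scheme
    it is the raw credentials string, left for a scheme-specific parser.
    """
    value = environ.get(header_to_meta_variable("Authorization"))
    if not value:
        return None  # no Authorization header: the server answers 401
    scheme, _, credentials = value.strip().partition(" ")
    scheme = scheme.lower()  # scheme names are case-insensitive
    credentials = credentials.strip()
    if scheme != "basic":
        return scheme, credentials
    try:
        # Basic is an encoding, not encryption: anyone who sees the header
        # can recover the password, so it is only safe over TLS.
        decoded = base64.b64decode(credentials, validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    # Only the first ':' separates; a password may itself contain ':'.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None  # Basic credentials must contain a ':' separator
    return scheme, (username, password)

def challenge(realm):
    """Status and header the server sends in step 2 of the flow."""
    return "401 Unauthorized", [("WWW-Authenticate", 'Basic realm="%s"' % realm)]

# Constructed sample: what a CGI script sees once the browser re-sends the
# request with the credentials peter / 123 from the question.
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "HTTP_AUTHORIZATION": "Basic " + base64.b64encode(b"peter:123").decode("ascii"),
}

if __name__ == "__main__":
    print(header_to_meta_variable("User-Agent"))
    print(parse_authorization(SAMPLE_ENVIRON))
    print(challenge("example"))
```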
