Server removes custom HTTP header fields

Question

I've been trying to receive HTTP requests with custom fields in the headers but it seems like my server removes them...

This is the request that I am sending to the server (I read that request with an HTTP proxy):

POST /oauth.php/request_token HTTP/1.1
Host: domain.com
User-Agent: DearStranger/1.0 CFNetwork/485.12.7 Darwin/10.6.0
Authorization: OAuth realm="", oauth_consumer_key="ebb942f0d260b06cb533c6133c28408004d343197", oauth_signature_method="HMAC-SHA1", oauth_signature="qPBFAa8XRRbor2%2F%2FQXv6kU3%2F7jU%3D", oauth_timestamp="1295278460", oauth_nonce="E7D6AC76-74CE-4951-8182-7EBF9B382E7E", oauth_version="1.0"
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Pragma: no-cache
Content-Length: 0
Connection: keep-alive
Proxy-Connection: keep-alive

I printed the headers of the request when I arrive on my page.php. I see this:

uri http://domain.com/oauth.php/request_token
parameters 
headers Array
.... Accept : */*
.... Accept-Encoding : gzip, deflate
.... Accept-Language : en-us
.... Connection : keep-alive
.... Host : domain.com
.... User-Agent : DearStranger/1.0 CFNetwork/485.12.7 Darwin/10.6.0
method POST

when I should be seeing this (it is working on a local version):

uri http://localhost:8888/oauth.php/request_token
parameters 
headers Array
.... Accept : */*
.... Accept-Encoding : gzip, deflate
.... Accept-Language : en-us
.... Authorization : OAuth realm="", oauth_consumer_key="582d95bd45d455fa2e5819f88fc0c5a104d2c7ff3", oauth_signature_method="HMAC-SHA1", oauth_signature="agPSFdtlGxXv2sbrz3pRjHlROOE%3D", oauth_timestamp="1295272680", oauth_nonce="667A133C-5071-48AB-9F13-8146425E46B7", oauth_version="1.0"
.... Connection : keep-alive
.... Content-Length : 0
.... Host : localhost:8888
.... User-Agent : DearStranger/1.0 CFNetwork/485.12.7 Darwin/10.6.0
method POST

I am using php 5.2.17 on the server.

Do you have any idea to help me fix that issue?

Thanks!

Recommended answer

Apache strips the Authentication header because it's a security risk when used with CGI. Are you using PHP through CGI?

I think PHP also strips Authentication in some circumstances. Again, there's a risk that exposing it to scripts will allow one user's code to sniff other users' on the same server (e.g., if Alice and Bob both have accounts).
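
One way to read the OAuth `Authorization` header from PHP running under CGI, as an added example that is not part of the original answer or of any project's code. It assumes Apache has been configured to forward the header to this endpoint (`CGIPassAuth` and the rewrite rule in the comments are Apache mechanisms not mentioned on the page); the function names and the sample key and signature are constructed for illustration.

```php
<?php
// Added example; assumes Apache is configured to forward the header to CGI,
// e.g. `CGIPassAuth On` (2.4.13+) or, via mod_rewrite,
//   RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
// scoped to the OAuth endpoint so unrelated scripts never see credentials.

// Return the raw Authorization value from a $_SERVER-style array, or null.
function find_authorization_header($server)
{
    // The REDIRECT_ prefix appears after a mod_rewrite internal redirect.
    foreach (array('HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION') as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }
    // Under mod_php (not CGI) the header is available directly.
    $headers = function_exists('apache_request_headers') ? apache_request_headers() : false;
    if (is_array($headers)) {
        foreach ($headers as $name => $value) {
            if (strcasecmp($name, 'Authorization') === 0) {
                return $value;
            }
        }
    }
    return null;
}

// Parse `OAuth k="v", ...` into percent-decoded parameters; null if not OAuth.
function parse_oauth_header($value)
{
    if (!preg_match('/^OAuth\s+(.*)$/i', $value, $m)) {
        return null;
    }
    $params = array();
    preg_match_all('/([A-Za-z0-9_]+)="([^"]*)"/', $m[1], $pairs, PREG_SET_ORDER);
    foreach ($pairs as $p) {
        $params[$p[1]] = rawurldecode($p[2]);
    }
    return $params;
}

// Constructed $_SERVER fragment modelled on the question's request.
$sample = array('REDIRECT_HTTP_AUTHORIZATION' =>
    'OAuth realm="", oauth_consumer_key="EXAMPLE_KEY", oauth_signature="abc%2Fdef%3D"');
$header = find_authorization_header($sample);
if ($header === null) {
    error_log('Authorization header not forwarded to PHP'); // never log its value
} else {
    print_r(parse_oauth_header($header));
}
```

In the real endpoint, pass `$_SERVER` instead of the constructed array.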
