IIS FastCGI上的PHP是否可以进行HTTP身份验证?

时间:2022-10-28 10:43:11

I've just migrated from PHP 5.2.3 using php5isapi.dll to PHP 5.3.0 using FastCGI and php-cgi.exe. On this site I have hooks for windows/ntlm/http authentication doing something like this:

我刚刚使用FastCGI和php-cgi.exe使用php5isapi.dll从PHP 5.2.3迁移到PHP 5.3.0。在这个网站上我有windows / ntlm / http身份验证的钩子做这样的事情:

if(empty($_SERVER["REMOTE_USER"]))
{
 header("HTTP/1.1 401 Unauthorized"); 
 exit;
}
$winuser = $_Server["REMOTE_USER"];

//parse $winuser to make sure it is on my domain, and can login to the site.
//set a cookie specifying that this user is logged in
//redirect to site.

This worked just great under PHP 5.2.3 with isapi. Now that I've moved to FastCGI on IIS6, it is broken. It works for me, but I have administrator on the server. Those without administrator (most people) see some variant of the following:

这在PHP 5.2.3下使用isapi非常有用。现在我已经转移到IIS6上的FastCGI,它已经坏了。它适用于我,但我在服务器上有管理员。没有管理员的人(大多数人)会看到以下的一些变体:

FastCGI Error
The FastCGI Handler was unable to process the request. 
________________________________________
Error Details:
•   The FastCGI process exited unexpectedly 
•   Error Number: -1073741819 (0xc0000005). 
•   Error Description: Unknown Error 
HTTP Error 500 - Server Error.
Internet Information Services (IIS)

I have tried plowing through documentation and log files, but can't seem to make any headway. I don't actually want the remote username to be used to access my .php files, I just want to grab the name and match to my database. The anon user should still be the one doing the actual php execution.

我试过翻阅文档和日志文件,但似乎无法取得任何进展。我实际上并不想使用远程用户名来访问我的.php文件,我只想获取名称并匹配我的数据库。匿名用户应该仍然是执行实际php执行的用户。

Any leads?

任何线索?

1 个解决方案

#1


0  

Some progress, but no real solution yet.

一些进步,但还没有真正的解决方案。

  1. Following the advice here was useful: FastCGI Docs Especially the Security Recommendations section. This got my errors out of FASTCGI 500 and into the php error log.

    遵循这里的建议很有用:FastCGI Docs特别是安全建议部分。这使我的错误从FASTCGI 500中进入php错误日志。

  2. It appears that PHP/IIS/FastCGI wants to access the session directory (mine is C:\PHP\Session) via whatever user attempts to authenticate instead of the anon user.

    似乎PHP / IIS / FastCGI想要通过任何用户尝试进行身份验证而不是匿名用户来访问会话目录(我的是C:\ PHP \ Session)。

  3. Setting "Modify" permissions on that folder to "All Users" allows the site to work as desired. However, I'm then wondering how big of a security hole I'm creating by doing this...

    将该文件夹的“修改”权限设置为“所有用户”允许该站点根据需要工作。然而,我当时想知道我正在通过这样做来创建一个安全漏洞有多大......

#1


0  

Some progress, but no real solution yet.

一些进步,但还没有真正的解决方案。

  1. Following the advice here was useful: FastCGI Docs Especially the Security Recommendations section. This got my errors out of FASTCGI 500 and into the php error log.

    遵循这里的建议很有用:FastCGI Docs特别是安全建议部分。这使我的错误从FASTCGI 500中进入php错误日志。

  2. It appears that PHP/IIS/FastCGI wants to access the session directory (mine is C:\PHP\Session) via whatever user attempts to authenticate instead of the anon user.

    似乎PHP / IIS / FastCGI想要通过任何用户尝试进行身份验证而不是匿名用户来访问会话目录(我的是C:\ PHP \ Session)。

  3. Setting "Modify" permissions on that folder to "All Users" allows the site to work as desired. However, I'm then wondering how big of a security hole I'm creating by doing this...

    将该文件夹的“修改”权限设置为“所有用户”允许该站点根据需要工作。然而,我当时想知道我正在通过这样做来创建一个安全漏洞有多大......