WINCACHE statistics page - login dialog keeps popping up

As you know, we released WINCACHE 1.0 RC early last week. We have received a good response to the new features and bug fixes the RC release contains. If you haven't tried the RC version, you should definitely try it out. We also included a brand new WINCACHE statistics page, which displays a lot of useful statistics about the cache. However, some people in the forum complained about getting the login dialog again and again, no matter what they entered as the login/password.

Before giving the solution, let me explain what the problem was. Basic PHP authentication as described here works with IIS only if IIS is configured to support 'Anonymous Authentication' and nothing else. If any other authentication method, such as 'Basic Authentication' or 'Digest Authentication', is enabled for your site, the PHP basic authentication coded in our WINCACHE.php stops working. This happens because the variables PHP_AUTH_USER and PHP_AUTH_PW are not set when your site allows any authentication method other than 'Anonymous' in IIS. Any other enabled mechanism takes precedence over anonymous authentication, so IIS pops up its own authentication dialog and PHP basic authentication never comes into the picture. If the user keeps entering the username/password specified in WINCACHE.php, the login prompt keeps coming back, because those are not valid credentials for IIS.

The solution was to modify the code to skip PHP basic authentication when IIS has authenticated the user as anything other than 'Anonymous'. We also got requests from users who would like to further restrict access to this page by providing their own list of users on top of IIS authentication. If you are experiencing a similar problem, please do the following:

If you open the existing WINCACHE.php, you will find the following code:

if ( !extension_loaded( 'wincache' ) )
{
    die('The extension WINCACHE (php_wincache.dll) is not loaded. No statistics to show.');
}

if ( USE_AUTHENTICATION == 1 ) {
    if ( !isset($_SERVER['PHP_AUTH_USER'] ) || !isset( $_SERVER['PHP_AUTH_PW'] ) ||    
    $_SERVER['PHP_AUTH_USER'] != USERNAME || $_SERVER['PHP_AUTH_PW'] != PASSWORD ) {
        header( 'WWW-Authenticate: Basic realm="WINCACHE Log In!"' );
        header( 'HTTP/1.0 401 Unauthorized' );
        exit;
    }
    else if ( $_SERVER['PHP_AUTH_PW'] == 'wincache' )
    {
        echo "Please change the default password to get this page working. Exiting.";
        exit;
    }
}

These lines should be replaced by:

/*The Basic PHP authentication will work only when IIS is configured to support 
'Anonymous Authentication' and nothing else. If IIS is configured to support/use
any other kind of authentication like Basic/Negotiate/Digest etc. this will not work.
In that case please define the name of users in the array below which you would like
to grant access in your domain/network/workgroup.*/
$user_allowed = array('DOMAIN\user1', 'DOMAIN\user2', 'DOMAIN\user3');

/*If the array contains the string 'all', all users authenticated by IIS
will have access to the page. Uncomment the line below and comment out the line
above to grant access to all users who are authenticated by IIS.*/
/*$user_allowed = array('all');*/

/** ===================== END OF CONFIGURATION SETTINGS ========================== */

if ( !extension_loaded( 'wincache' ) )
{
    die('The extension WINCACHE (php_wincache.dll) is not loaded. No statistics to show.');
}

if ( USE_AUTHENTICATION == 1 ) {
    if (!empty($_SERVER['AUTH_TYPE']) && !empty($_SERVER['REMOTE_USER']) && strcasecmp($_SERVER['REMOTE_USER'], 'anonymous'))
    {
        if (!in_array(strtolower($_SERVER['REMOTE_USER']), array_map('strtolower', $user_allowed))
        && !in_array('all', array_map('strtolower', $user_allowed)))
        {
            echo 'You are not authorised to view this page. Please contact server admin to get permission. Exiting.';
            exit;
        }
    }
    else if ( !isset($_SERVER['PHP_AUTH_USER'] ) || !isset( $_SERVER['PHP_AUTH_PW'] ) ||    
    $_SERVER['PHP_AUTH_USER'] != USERNAME || $_SERVER['PHP_AUTH_PW'] != PASSWORD ) {
        header( 'WWW-Authenticate: Basic realm="WINCACHE Log In!"' );
        header( 'HTTP/1.0 401 Unauthorized' );
        exit;
    }
    else if ( $_SERVER['PHP_AUTH_PW'] == 'wincache' )
    {
        echo "Please change the default password to get this page working. Exiting.";
        exit;
    }
}
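The decision order of the replacement code can be exercised without IIS by treating it as a pure function over a stand-in for $_SERVER. This is an added example, not part of WINCACHE.php or the original post; the function name stats_access, the account names, the sample credentials and the use of hash_equals() in place of != are assumptions of the example (PHP 7 or later).

```php
<?php
// Added example: the access decision from the replacement code as a pure function.
// $server stands in for $_SERVER; $user/$pass stand in for USERNAME/PASSWORD.
function stats_access(array $server, array $allowed, string $user, string $pass): string
{
    // Branch 1: IIS authenticated the caller itself (Basic, Digest, Negotiate ...).
    // PHP_AUTH_USER / PHP_AUTH_PW are not consulted; only the allow list decides.
    if (!empty($server['AUTH_TYPE']) && !empty($server['REMOTE_USER'])
        && strcasecmp($server['REMOTE_USER'], 'anonymous') !== 0) {
        $list = array_map('strtolower', $allowed);
        $listed = in_array(strtolower($server['REMOTE_USER']), $list, true);
        return ($listed || in_array('all', $list, true)) ? 'allow' : 'deny';
    }

    // Branch 2: Anonymous Authentication only, so fall back to PHP basic auth.
    if (!isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return 'challenge';   // send WWW-Authenticate and 401
    }

    // hash_equals() compares as strings in constant time. It is a hardening
    // assumption of this example; the code on the page compares with !=.
    $userOk = hash_equals($user, (string) $server['PHP_AUTH_USER']);
    $passOk = hash_equals($pass, (string) $server['PHP_AUTH_PW']);
    if (!($userOk && $passOk)) {
        return 'challenge';
    }

    // Correct credentials, but the shipped default password is still refused.
    return $pass === 'wincache' ? 'default-password' : 'allow';
}

// Constructed sample requests (not captured from a real server).
$allowed = ['DOMAIN\user1', 'DOMAIN\user2'];
$cases = [
    'anonymous, no credentials'  => [],
    'anonymous, wrong password'  => ['PHP_AUTH_USER' => 'admin', 'PHP_AUTH_PW' => 'guess'],
    'anonymous, correct login'   => ['PHP_AUTH_USER' => 'admin', 'PHP_AUTH_PW' => 'S3cret-constructed'],
    'IIS auth, listed user'      => ['AUTH_TYPE' => 'Negotiate', 'REMOTE_USER' => 'domain\USER1'],
    'IIS auth, unlisted user'    => ['AUTH_TYPE' => 'Basic', 'REMOTE_USER' => 'DOMAIN\user9'],
];

foreach ($cases as $label => $server) {
    printf("%-28s %s\n", $label, stats_access($server, $allowed, 'admin', 'S3cret-constructed'));
}
```

Passing 'wincache' as the configured password shows the default-password branch, and replacing the allow list with array('all') turns the unlisted IIS user into an allowed one.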

This change should fix your problem. I also believe this is the right way to write a basic PHP authentication page for IIS. It was fun for the entire team to work on this problem, and I would like to mention the Program Manager on the team, who showed equal enthusiasm in coming up with a session-based authentication. This kind of passion really helps in keeping the motivation level up in the team.

Hopefully this will help you in running WINCACHE statistics page in a much better way. Thanks for the patient reading and good bye.

Don.
