Send 403 for auth error
authorJakub Vrana <jakub@vrana.cz>
Sat, 13 Sep 2014 19:03:13 +0000 (12:03 -0700)
committerJakub Vrana <jakub@vrana.cz>
Sun, 14 Sep 2014 21:49:33 +0000 (14:49 -0700)
adminer/include/auth.inc.php
changes.txt

index c4136fb2b1dd202993646e2ab9946f194d211c71..138bdf17a9440fb8a642c20f0b5c4ac7993f2925 100644 (file)
@@ -117,9 +117,8 @@ function unset_permanent() {
 function auth_error($error) {
        global $adminer, $has_token;
        $session_name = session_name();
-       if (!$_COOKIE[$session_name] && $_GET[$session_name] && ini_bool("session.use_only_cookies")) {
-               $error = lang('Session support must be enabled.');
-       } elseif (isset($_GET["username"])) {
+       if (isset($_GET["username"])) {
+               header("HTTP/1.1 403 Forbidden"); // 401 requires sending WWW-Authenticate header
                if (($_COOKIE[$session_name] || $_GET[$session_name]) && !$has_token) {
                        $error = lang('Session expired, please login again.');
                } else {
@@ -134,6 +133,9 @@ function auth_error($error) {
                        unset_permanent();
                }
        }
+       if (!$_COOKIE[$session_name] && $_GET[$session_name] && ini_bool("session.use_only_cookies")) {
+               $error = lang('Session support must be enabled.');
+       }
        $params = session_get_cookie_params();
        cookie("adminer_key", ($_COOKIE["adminer_key"] ? $_COOKIE["adminer_key"] : rand_string()), $params["lifetime"]);
        page_header(lang('Login'), $error, null);
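Review bot: The status line added on line 19 hard-codes the protocol as `HTTP/1.1`, so a request served over HTTP/1.0 (or a non-Apache SAPI that does not rewrite the status line) gets a version that does not match the request; `header($_SERVER["SERVER_PROTOCOL"] . " 403 Forbidden"); // 401 requires sending WWW-Authenticate header` keeps the version consistent, and `http_response_code(403)` does the same where PHP 5.4+ can be assumed. Because the 403 is emitted only inside the `isset($_GET["username"])` branch, a failed credential submission now always produces a non-200 response, which is what lets a reverse proxy or log-based rate limiter detect repeated login failures; that dependence is worth a short comment on line 19 so a later refactor does not silently move the header behind another condition. The block moved to lines 27-29 overwrites `$error` after the 403 has already been sent, so a credential request on a server with `session.use_only_cookies` and no cookie still answers 403 while showing the session message, which appears intended but is not obvious from reading the two hunks separately. auth_error's body continues past the end of the second hunk.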
index b60b67ca5fecf25357b035f6465f50eb966501c2..2dda7f40ec0275136d0201e870b888b1c712f3a7 100644 (file)
@@ -5,6 +5,7 @@ Make master key unreadable to others (bug #410)
 Fix edit by long non-utf8 string
 Specify encoding for PHP 5.6 with invalid default_charset
 Fix saving NULL value, bug since Adminer 4.0.3
+Send 403 for auth error
 MySQL: Use utf8mb4 if available
 PostgreSQL: Materialized views
 Elasticsearch: Use where in select