Supporting HTTP 100 Continue with PHP

Asked 12/2, 2010 at 16:58 Answered 11/12, 2016 at 6:34

I'm working on a PHP webapp that accepts large POSTed file uploads from specific clients and would like to accept or reject these uploads (based on various headers and other factors, not just size) before the file is uploaded by using HTTP/1.1 100 Continue.

Some quick background from HTTP/1.1 spec 8.2.3:

The purpose of the 100 (Continue) status (see section 10.1.1) is to allow a client that is sending a request message with a request body to determine if the origin server is willing to accept the request (based on the request headers) before the client sends the request body. In some cases, it might either be inappropriate or highly inefficient for the client to send the body if the server will reject the message without looking at the body.

The problem is that Apache sees the Expect: 100-continue from the client, returns a 100 Continue and accepts the file upload all before PHP begins processing... However I need PHP to begin processing immediately after the Expect: 100-continue. I'm not sure if this is possible so I have two questions:

Is it possible to make PHP begin processing immediately after the Expect: 100-continue?
If not, what is a good alternative?

I'm currently thinking of emulating 100 continue by specifying the client first send a HEAD request with the same headers as the POST. The webapp can then return a response to continue with the POST or an error code. Other suggestions are welcome!

Pastorate answered 12/2, 2010 at 16:58 Comment(4)

I realise this is a very old question, but did you end up using the HEAD request followed by the POST? If so, how comfortable was it to implement? I'm currently finding myself frustrated by the inability to properly implement the 100-continue expectation on a PHP/Apache stack. – Fenderson 17/2, 2016 at 10:18

100 continue is impossible to properly control in PHP (at least it was, I've moved on to better languages). If you have control over the client, then yes, sending a HEAD (or any other type of request) to preflight the main POST is the way to go. If you don't have control over the client, the only option is to setup a proxy/middleware that can intercept the 100 and respond appropriately. – Pastorate 19/2, 2016 at 4:39

I do have control of the client, so its a good fallback. I'm currently looking into trying to provide a hook in Apache to implement proper pre-100-continue checks on the header. Not sure if it'll lead anywhere useful. #35456622 – Fenderson 19/2, 2016 at 11:7

What exact preconditions are you trying to check and what are you trying to "prevent" with the Header including expect: 100-continue? What if a client does not send the 100 part in the header, but instead sends the body directly, what would happen? Is it a client or your http/api client by the way? – Tierell 8/12, 2018 at 22:10

Unfortunately I don't think this is possible. If this is a real requirement, I think it's best to simply look at other languages. I think today heterogeneous environments are more common than when this question was written, so why not create a small service written in some other language that just deals with the upload.

But yea, the way PHP works is that the script only starts when the entire request is sent by the client.

Mirianmirielle answered 11/12, 2016 at 6:34 Comment(0)

-6

Trying to do this on the HTTP level seems too difficult. It is important as a developer to not get hung up on a specific solution. The problem is you want to do a series of checks before you handle the upload. All you need to do is put a qualifying page before the upload. This qualifying page will only show them the upload form if they pass the series of checks and qualify. That is exactly what you are trying to do only you can do it in code PHP. If it is possible, the HTTP 100 thing will always require lots of additional configuration, thus creating a headache for support later on. If you do it in the code those that come behind you (or yourself in a couple of years) will be able to clearly understand what the app is doing.

Ammann answered 13/2, 2010 at 15:27 Comment(1)

@ Daniel: Feedback - Your answers seems to be premature - without understanding the OPs need, you are suggesting he give up handling the "HTTP 100 thing" – Neutralize 22/12, 2010 at 14:51

Recommended topics

Hot tags