Http Auth via PHP - PHP_Auth_User Not Set

HTTP Auth via PHP - PHP_AUTH_USER not set?

Run phpinfo(). if "Server API" is CGI/FCGI, you can pretty much forget it as there is no sensible way to use HTTP auth from PHP.

Why are $_SERVER[PHP_AUTH_USER] and $_SERVER[PHP_AUTH_PW] not set?

I've finally discovered the answer thanks to the of help of Naktibalda in ##php on irc.freenode.net

The following page summarises the issue: http://php.net/manual/en/features.http-auth.php

To quote the relevant bits:

As of PHP 4.3.0, in order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page and safe mode is enabled. Regardless, REMOTE_USER can be used to identify the externally-authenticated user. So, you can use $_SERVER['REMOTE_USER'].

...

PHP uses the presence of an AuthType directive to determine whether external authentication is in effect.

Http Auth dosen't work with PHP

The problem is solved.

I checked phpinfo() on our Server and SERVER API was on CGI/FastCGI.

HTTP Auth via PHP - PHP_AUTH_USER not set?

Run phpinfo(). if "Server API" is CGI/FCGI, you can pretty much forget
it as there is no sensible way to use HTTP auth from PHP.

Now I knew where the problem is and I solved the Issue while adding the following part into my public/.htacces .

SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

set up HTTP authentication

Here's all the code you need:

$successful = FALSE;

if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']))
{
    $username = $_SERVER['PHP_AUTH_USER'];
    $password = $_SERVER['PHP_AUTH_PW'];

    if ($username == '-- username --' && $password == '-- password --')
    {
        $successful = TRUE;
    }
}

if ( ! $successful)
{
    header('WWW-Authenticate: Basic realm="Secret page"');
    header('HTTP/1.0 401 Unauthorized');
}

It would ask for username and password, see if they match and if they don't - ask for them again.

Note that, depending on server configuration, HTTP Basic Authentication may not work.

---

p.s. You should replace -- username -- and -- password -- with username and password of your own.

$_SERVER['PHP_AUTH_USER'] empty

<script src="http://www.webtoolkit.info/djs/webtoolkit.base64.js"></script>
<script>
var xhr = Ti.Network.createHTTPClient();
xhr.timeout = 1000000;
xhr.onreadystatechange = function() {
    if (xhr.readyState != 4) return;
    alert('Server said: '+xhr.responseText);
};
xhr.open('GET', 'http://myapi.com/test', false);
xhr.setRequestHeader('Authorization', 'Basic ' + Base64.encode('user:pass') );
xhr.send('');
</script>

(For the sake of courtesy, you should download webtoolkit.base64.js and serve it from your own server.)

Keep in mind that you can't do cross-domain requests with XHR; your JavaScript and PHP have to be served from the same domain.

How to set PHP_AUTH_USER

If you're running PHP under IIS and using Windows Authentication you shoud find the username under one (or more) of these:

• $_SERVER['LOGON_USER']
• $_SERVER['AUTH_USER']
• $_SERVER['REDIRECT_LOGON_USER']
• $_ENV['REDIRECT_LOGON_USER']

Forget about the password - when PHP starts the user has already been authorized and the script is not supposed to need it.

You can use Windows Authentication to log into SQL server as the user: look at the documentaion for fastcgi.impersonate. This works as long as IIS and SQL Server are on the same system. If you keep your database elsewhere... well, you may google for Double Hop issue if you want the gory details, but the short story is that it doesn't work. I've lost a month waiting for a customer to give up and allow a plain user/pass login into his database.

---

Related Topics