PHP_AUTH_USER not set?
C

8

54

For some reason, none of the code within

if (isset($_SERVER['PHP_AUTH_USER']) &&
    isset($_SERVER['PHP_AUTH_PW']))
{

// When the above is set, the code that is here will execute of course

}

is being executed for me. When I enter the correct username and password, the prompt box for the authorization again pops up. Wouldn't both fields be 'set' if they are correct and I press enter? But for some reason that is not the case. What can I be doing wrong? Thank you.

Cordierite answered 7/9, 2010 at 23:37 Comment(0)
P
83

There is a 'sensible way' to use HTTP Basic Auth in CGI-mode PHP: in the .htaccess use

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

and in the PHP use

// Limit of 2 so that a password containing ':' is not truncated
list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) =
  explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)), 2);
Pickar answered 17/10, 2011 at 11:12 Comment(10)
For some reason, on my server I had to use $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] - Pickar
This works but each page returns a 404 not found even though the page is displayed properly - Petrel
Sorry, I'd picked up the following rewrite from another page: RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L] and the trailing L was causing my 404 errors - Petrel
This worked for me with just the RewriteRule line in .htaccess. I didn't have to make any changes to the PHP, and $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] are now set. - Rightwards
github.com/symfony/symfony/blob/master/src/Symfony/Component/… - Isopiestic
The above didn't work for me but it might be due to my server set-up. On my Ubuntu 14.04 and ServerPilot set-up, I used the following in my .htaccess file: SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1. I can then access it using $_ENV['HTTP_AUTHORIZATION'] in PHP. - Cervantes
Can anyone explain the RewriteRule in this reply? It worked for me, but I actually do not understand it. :-) - Tello
Try first to check if $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] is set and not empty; then you can use list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));, because some servers, as in my case, have the REDIRECT_HTTP_AUTHORIZATION index and not HTTP_AUTHORIZATION, so it is better to set a full condition for both offsets. - Harslet
@JefferyThaGintoki This one only worked for 1and1 shared hosting server. - Krummhorn
There is a better answer below :) the one from @thePanz - Plunk
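An added example, not code from any of the answers: a defensive version of the header parsing discussed above, which looks in both HTTP_AUTHORIZATION and REDIRECT_HTTP_AUTHORIZATION, checks the scheme, and splits on the first colon only. The function name basicAuthCredentials and the sample credentials are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

/**
 * Recover HTTP Basic credentials when PHP runs as CGI/FastCGI.
 * Returns [user, password], or null if no usable Basic header is present.
 * $server is passed in (normally $_SERVER) so the function is easy to test.
 * basicAuthCredentials is a hypothetical helper name, not a PHP built-in.
 */
function basicAuthCredentials(array $server): ?array
{
    // Set directly by PHP when the SAPI receives the Authorization header.
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }

    // Variables the answer and its comments report the rewrite rule filling in.
    $header = null;
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (!empty($server[$key])) {
            $header = $server[$key];
            break;
        }
    }

    // Accept only the Basic scheme; the scheme name is case-insensitive.
    if ($header === null || stripos($header, 'Basic ') !== 0) {
        return null;
    }

    // Strict mode rejects input that contains non-base64 characters.
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }

    // Limit 2: only the first ':' separates user from password.
    return explode(':', $decoded, 2);
}

// Constructed sample input: the password deliberately contains a ':'.
$sample = ['REDIRECT_HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:s3cr:et')];
var_dump(basicAuthCredentials($sample));
// Constructed sample input: a non-Basic scheme must not be decoded.
var_dump(basicAuthCredentials(['HTTP_AUTHORIZATION' => 'Bearer abc']));
```

Returning null instead of writing into $_SERVER lets the caller send the 401 challenge itself when no usable credentials arrived.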
B
27

Try this

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
</IfModule>

in your .htaccess file, which you will have to place in the root directory

and then

// Limit of 2 so that a password containing ':' is not truncated
list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)), 2);

at the beginning of your PHP scripts

Blotto answered 7/1, 2014 at 22:27 Comment(2)
@garyJ, It's the length of "basic " - Fermentative
Can you explain to me why this line is needed in .htaccess? It worked for me - Cirilo
M
13

I am using Symfony 2.5.7 running on PHP-FPM + Apache 2.4 on Ubuntu 14.04. I have BASIC_AUTH working; it requires correctly configuring the Apache VirtualHost by adding:

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

as also mentioned here.

Miniver answered 1/12, 2014 at 13:47 Comment(1)
Same here: PHP running in PHP-FPM mode, Apache 2.4, CentOS. I just had to add that line to my vhost config and it worked perfectly, with no changes on the PHP side - Cost
C
12

Starting from Apache 2.4.13, you simply need to use CGIPassAuth directive in your .htaccess:

CGIPassAuth On
Cloutman answered 14/2, 2021 at 13:12 Comment(2)
This is the correct solution in my opinion, the others are workarounds - Gaudet
Best new feature, fixed me right up. - Aloise
N
3

According to phpinfo(), my server API is CGI/Fast CGI, so I've solved the problem by putting the following in my .htaccess file:

RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ app.php [QSA,L]
Narcolepsy answered 13/11, 2013 at 12:18 Comment(0)
A
2

Try $_SERVER['REMOTE_USER']. This works for me on a PHP 5.3 CGI + Apache installation.

Antitoxin answered 16/8, 2011 at 5:15 Comment(1)
Seems not to work under a Plesk installation with LAMP (sorry, I have no idea what version of Plesk this particular provider is using; Apache is the old 2.2 and PHP the even older 5.3.3). - Transfuse
K
2

If user access is granted giving username/password in URL please check if

AuthType Digest

is entitled in your VHost/Directory/.htaccess configuration.

This fixed it for my use case.

Kishke answered 11/9, 2012 at 10:7 Comment(0)
C
-3

On my host's servers, use $_SERVER['REDIRECT_REMOTE_USER'] instead of $_SERVER['PHP_AUTH_USER']

Contortionist answered 14/10, 2012 at 2:11 Comment(0)
