Why are $_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"] not set?

Question

Before I begin, I'd like to point out that I've browsed Stack Overflow and found other similar questions - PHP_AUTH_USER not set? and HTTP Auth via PHP - PHP_AUTH_USER not set? - and these have pointed out that the authentication $_SERVER variables won't be set if ''Server API'' is set to ''CGI/FCGI'', but I checked my ''phpinfo()'' output and my ''Server API'' is set to ''Apache 2.0 Handler''.

Ok so I have a simple script as follows:

<?php
    echo "Username: " . $_SERVER["PHP_AUTH_USER"] . ", Password: " . $_SERVER["PHP_AUTH_PW"];
?>

... which I am calling remotely via the following:

wget -v --http-user=johnsmith --http-password=mypassword http://www.example.com/myscript.php

... but which only outputs:

Username: , Password:

I have also tried calling the script using PHP cURL and setting the authentication parameters appropriately as follows:

 curl_setopt($ch, CURLOPT_USERPWD, "johnsmith:mypassword");

... but I get the same output as above.

Any idea what I'm doing wrong? Perhaps there is something else I need to enable / configure?

Answer 1

Tried the previous suggestions, did not work, also discovered

CGIPassAuth On 

is a more up to date version of the suggested htaccess addition, but that still did not work for me, instead I used

SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

(must be in your root htaccess file) then in the php file

list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':' , base64_decode(substr($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 6)));

If anyone still has trouble I suggest they check the server vars, as the data may be in a different var, your looking for something that start with basic

Answer 2

For PHP-CGI:

in .htaccess add this:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
</IfModule>

and at the beginning of your script add this:

list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':' , base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));

Answer 3

I've finally discovered the answer thanks to the of help of Naktibalda in ##php on irc.freenode.net

The following page summarises the issue: http://php.net/manual/en/features.http-auth.php

To quote the relevant bits:

As of PHP 4.3.0, in order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page and safe mode is enabled. Regardless, REMOTE_USER can be used to identify the externally-authenticated user. So, you can use $_SERVER['REMOTE_USER'].

...

PHP uses the presence of an AuthType directive to determine whether external authentication is in effect.