Before I begin, I'd like to point out that I've browsed Stack Overflow and found other similar questions - PHP_AUTH_USER not set? and HTTP Auth via PHP - PHP_AUTH_USER not set? - and these have pointed out that the authentication $_SERVER variables won't be set if ''Server API'' is set to ''CGI/FCGI'', but I checked my ''phpinfo()'' output and my ''Server API'' is set to ''Apache 2.0 Handler''.
Ok so I have a simple script as follows:
<?php
echo "Username: " . $_SERVER["PHP_AUTH_USER"] . ", Password: " . $_SERVER["PHP_AUTH_PW"];
?>
... which I am calling remotely via the following:
wget -v --http-user=johnsmith --http-password=mypassword http://www.example.com/myscript.php
... but which only outputs:
Username: , Password:
I have also tried calling the script using PHP cURL and setting the authentication parameters appropriately as follows:
curl_setopt($ch, CURLOPT_USERPWD, "johnsmith:mypassword");
... but I get the same output as above.
Any idea what I'm doing wrong? Perhaps there is something else I need to enable / configure?
Tried the previous suggestions, did not work, also discovered
CGIPassAuth On
is a more up to date version of the suggested htaccess addition, but that still did not work for me, instead I used
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
(must be in your root htaccess file) then in the php file
list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':' , base64_decode(substr($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 6)));
If anyone still has trouble I suggest they check the server vars, as the data may be in a different var, your looking for something that start with basic
For PHP-CGI:
in .htaccess add this:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
</IfModule>
and at the beginning of your script add this:
list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':' , base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
I've finally discovered the answer thanks to the of help of Naktibalda in ##php on irc.freenode.net
The following page summarises the issue: http://php.net/manual/en/features.http-auth.php
To quote the relevant bits:
As of PHP 4.3.0, in order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page and safe mode is enabled. Regardless, REMOTE_USER can be used to identify the externally-authenticated user. So, you can use $_SERVER['REMOTE_USER'].
...
PHP uses the presence of an AuthType directive to determine whether external authentication is in effect.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With