50

So I'm trying to parse an incoming request in PHP which has the following header set:

Authorization: Custom Username

Simple question: how on earth do I get my hands on it? If it was Authorization: Basic, I could get the username from $_SERVER["PHP_AUTH_USER"]. If it was X-Custom-Authorization: Username, I could get the username from $_SERVER["HTTP_X_CUSTOM_AUTHORIZATION"]. But neither of these are set by a custom Authorization, var_dump($_SERVER) reveals no mention of the header (in particular, AUTH_TYPE is missing), and PHP5 functions like get_headers() only work on responses to outgoing requests. I'm running PHP 5 on Apache with an out-of-the box Ubuntu install.

lambshaanxy
  • 22,552
  • 10
  • 68
  • 92

6 Answers6

68

For token based auth:

  $token = null;
  $headers = apache_request_headers();
  if(isset($headers['Authorization'])){
    $matches = array();
    preg_match('/Token token="(.*)"/', $headers['Authorization'], $matches);
    if(isset($matches[1])){
      $token = $matches[1];
    }
  }
deepwinter
  • 4,568
  • 2
  • 31
  • 37
57

If you're only going to use Apache you might want to have a look at apache_request_headers().

halfdan
  • 33,545
  • 8
  • 78
  • 87
  • 8
    @halfdan: else ? i am using nginx and i am unable get authorization in header. – Divakarcool Nov 09 '17 at 06:09
  • https://stackoverflow.com/questions/17018586/apache-2-4-php-fpm-and-authorization-headers/17490827#17490827 This page gives complete details about different server types and how to use the authorization, please do read the comments on the page as well – Jagadish Meghval Feb 17 '21 at 05:01
  • Check the php variable $_SERVER array in case your sites been redirected -> REDIRECT_AUTHORIZATION – 9swampy May 08 '22 at 23:05
43

Add this code into your .htaccess

RewriteEngine On
RewriteRule .* - [e=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

Pass your header like Authorization: {auth_code} and finally you get the Authorization code by using $_SERVER['HTTP_AUTHORIZATION']

Note: The above one is for apache, if you're using the nginx you don't need to update anything. you can get the value easily in nginx like:

if you are passing authorization key, you can get the key value by just putting the $_SERVER['HTTP_AUTHORIZATION']. just add HTTP_ as the prefix in $_SERVER for get anything like

postman_token => HTTP_POSTMAN_TOKEN
test_key => HTTP_TEST_KEY
Karthikeyan Ganesan
  • 1,901
  • 20
  • 23
21

Just use:

$headers = apache_request_headers();
$token = $headers['token'];
Houssin Boulla
  • 2,687
  • 1
  • 16
  • 22
12

For background, why Apache filters away the Authorization header: https://stackoverflow.com/a/17490827

Solutions depending on which Apache module is used to pass the request to the application:

mod_wsgi, mod_fcgid:

cgi:

Other hacks - massaging the headers in this question:

Community
  • 1
  • 1
joonas.fi
  • 7,478
  • 2
  • 29
  • 17
0
otra solución php, esta esta disponible para todos los servidores a cambio apache_request_headers() solo aplica para apache...... 
$headers = getallheaders();
$token = null;

if (isset($headers['Authorization'])) {
    $authorizationHeader = $headers['Authorization'];
    $matches = array();
    if (preg_match('/Bearer (.+)/', $authorizationHeader, $matches)) {
        if (isset($matches[1])) {
            $token = $matches[1];
        }
    }
}

if ($token) {
    // El token está presente en la cabecera de autorización
    echo json_encode("Token recibido: " . $token);
} else {
    // El token no está presente en la cabecera de autorización
    echo json_encode("Error: Token no presente en la cabecera de autorización");
}
Yilson alexis malambo madrigal
  • 1
  • 1
  • Please note that this is the English only version of stackoverflow. There are multiple other versions like .es, .pt etc. – ahuemmer Jul 03 '23 at 08:38