PHP_AUTH_USER not set?

Question

For some reason, none of the code within

if (isset($_SERVER['PHP_AUTH_USER']) &&
    isset($_SERVER['PHP_AUTH_PW']))
{

// When the above is set, the code that is here will execute of course

}

is being executed for me. When I enter the correct username and password, the prompt box for the authorization again pops up. Wouldn't both fields be 'set' if they are correct and I press enter? But for some reason that is not the case. What can I be doing wrong? Thank you.

score 82 · Answer 1 · answered Oct 17 '11 at 11:12

82

There is a 'sensible way' to use HTTP Basic Auth in CGI-mode PHP: in the .htaccess use

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

and in the PHP use

list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = 
  explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));

answered Oct 17 '11 at 11:12

ChrisV

8,748
3
48
38

12

For some reason, on my server I had to use $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] – ChrisV Oct 17 '11 at 11:40
This works but each page returns a 404 not found even though the page is displayed properly – jx12345 Jun 27 '13 at 15:58
Sorry, I'd picked up the following rewrite from another page: RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L] and the trailing L was causing my 404 errors – jx12345 Jun 27 '13 at 16:10
7

This worked for me with just the RewriteRule line in .htacess. I didn't have to make any changes to the PHP, and `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']` are now set. – tremby Sep 10 '13 at 22:32
3

https://github.com/symfony/symfony/blob/master/src/Symfony/Component/HttpFoundation/ServerBag.php#L47 – eightyfive May 16 '14 at 12:12
The above didn't work for me but it might be due to my server set-up. On my Ubuntu 14.04 and ServerPilot set-up, I used the following in my `.htccess` file `SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1`. I can then access it using `$_ENV['HTTP_AUTHORIZATION']` in PHP. – Ben Sinclair Jun 12 '14 at 03:18
4

Can anyone explain the RewriteRule in this reply? It worked for me, but I actually do not understand it. :-) – Jan Jan 05 '15 at 14:54
6

try first to check if the `$_SERVER['REDIRECT_HTTP_AUTHORIZATION']` is set and not empty then you can use `list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));`, because some servers same in my case has `REDIRECT_HTTP_AUTHORIZATION` index and not `HTTP_AUTHORIZATION` so better set a full condition for both offsets. – Jeffery ThaGintoki Dec 03 '16 at 17:28
@JefferyThaGintoki This one only worked for 1and1 shared hosting server. – TechCare99 Aug 10 '17 at 15:52
There is a better answer below :) the one from @thePanz – Okneloper Mar 09 '18 at 14:19

score 27 · Answer 2 · answered Jan 07 '14 at 22:27

27

try this

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
</IfModule>

on your .htaccess file which you will have to place into the root directory

and then

list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':' , base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));

in the begining of your php scripts

answered Jan 07 '14 at 22:27

a.boussema

1,096
11
19

1

@garyJ, It's the length of "basic " – Chris Cogdon Aug 22 '18 at 01:32
can you explain to me why this line is needed in .htaccess? It worked for me – Mateus Gonçalves Aug 31 '20 at 17:33

score 13 · Answer 3 · edited Aug 08 '20 at 08:42

13

I am using Symfony 2.5.7 running on PHP-PFM + Apache 2.4 on Ubuntu 14.04. I have BASIC_AUTH working, it needs to correctly configure the Apache VirtualHost by adding:

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

as also mentioned here.

edited Aug 08 '20 at 08:42

Worthwelle

1,244
1
16
19

answered Dec 01 '14 at 13:47

thePanz

349
4
6

same here: PHP running in PHP-FPM mode, apache 2.4, centOS. I just had to add that line to my vhost config and it worked perfectly, with no changes on the PHP side – diogo.abdalla Feb 15 '18 at 23:06

score 11 · Answer 4 · answered Feb 14 '21 at 13:12

11

Starting from Apache 2.4.13, you simply need to use CGIPassAuth directive in your .htaccess:

CGIPassAuth On

answered Feb 14 '21 at 13:12

Clément Moulin - SimpleRezo

317
2
10

this is the correct solution in my opinion, the others are workarounds – santiago arizti Sep 02 '21 at 00:01
Best new feature, fixed me right up. – Billdr Nov 07 '21 at 18:29

score 3 · Answer 5 · edited Aug 27 '20 at 22:14

3

According to phpinfo(), my server API is CGI/Fast CGI, so I've solved the problem by putting the following in my .htaccess file:

RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ app.php [QSA,L]

edited Aug 27 '20 at 22:14

pbarney

2,529
4
35
49

answered Nov 13 '13 at 12:18

Yerkezhan

481
5
9

score 2 · Answer 6 · answered Sep 11 '12 at 10:07

2

If user access is granted giving username/password in URL please check if

AuthType Digest

is entitled in your VHost/Directory/.htaccess configuration.

This fixed it for my use case.

answered Sep 11 '12 at 10:07

childno͡.de

4,679
4
31
57

score 2 · Answer 7 · answered Aug 16 '11 at 05:15

2

Try $_SERVER['REMOTE_USER']. This works for me on a PHP 5.3 CGI + Apache installation.

answered Aug 16 '11 at 05:15

MrAnonymous

717
3
7

Seems not to work under a Plesk installation with LAMP (sorry, I have no idea what version of Plesk this particular provider is using; Apache is the old 2.2 and PHP the even older 5.3.3). – Gwyneth Llewelyn Dec 11 '18 at 20:37

score -3 · Answer 8 · edited Oct 14 '12 at 02:48

-3

On my host's servers, use $_SERVER['REDIRECT_REMOTE_USER'] instead of $_SERVER['PHP_AUTH_USER']

edited Oct 14 '12 at 02:48

John Conde

217,595
99
455
496

answered Oct 14 '12 at 02:11

Zardiw

83
3

PHP_AUTH_USER not set?

8 Answers8

Linked

Related