14

Before I begin, I'd like to point out that I've browsed Stack Overflow and found other similar questions - "PHP_AUTH_USER not set?" and "HTTP Auth via PHP - PHP_AUTH_USER not set?" - and these have pointed out that the authentication `$_SERVER` variables won't be set if "Server API" is set to "CGI/FCGI", but I checked my `phpinfo()` output and my "Server API" is set to "Apache 2.0 Handler".

Ok so I have a simple script as follows:

<?php
    echo "Username: " . $_SERVER["PHP_AUTH_USER"] . ", Password: " . $_SERVER["PHP_AUTH_PW"];
?>

... which I am calling remotely via the following:

wget -v --http-user=johnsmith --http-password=mypassword http://www.example.com/myscript.php

... but which only outputs:

Username: , Password:

I have also tried calling the script using PHP cURL and setting the authentication parameters appropriately as follows:

 curl_setopt($ch, CURLOPT_USERPWD, "johnsmith:mypassword");

... but I get the same output as above.

Any idea what I'm doing wrong? Perhaps there is something else I need to enable / configure?

Kosta Kontos

5 Answers

16

For PHP-CGI:

in .htaccess add this:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
</IfModule>

and at the beginning of your script add this:

// Limit of 2 so that a password containing ':' is not cut off at the colon.
list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)), 2);
Teddy
7

I've finally discovered the answer thanks to the help of Naktibalda in ##php on irc.freenode.net

The following page summarises the issue: http://php.net/manual/en/features.http-auth.php

To quote the relevant bits:

As of PHP 4.3.0, in order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page and safe mode is enabled. Regardless, REMOTE_USER can be used to identify the externally-authenticated user. So, you can use $_SERVER['REMOTE_USER'].

...

PHP uses the presence of an AuthType directive to determine whether external authentication is in effect.

Kosta Kontos
3

Tried the previous suggestions, did not work, also discovered

CGIPassAuth On 

is a more up to date version of the suggested htaccess addition, but that still did not work for me, instead I used

SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

(must be in your root htaccess file) then in the php file

// Limit of 2 so that a password containing ':' is not cut off at the colon.
list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 6)), 2);

If anyone still has trouble I suggest they check the server vars, as the data may be in a different var; you're looking for something that starts with basic

Matt
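A stricter version of the header parsing used in the answers above, as an added example that is not part of any answer: it checks the scheme, decodes in strict mode, and splits on the first colon only. The function name `basic_credentials` and the sample arrays are constructed for illustration.

```php
<?php
// Added example (not from the answers above). The function name and the
// sample arrays are constructed for illustration.

// Return [user, password] from a Basic Authorization header, or null.
function basic_credentials(array $server): ?array
{
    // mod_php populates these itself; nothing to parse.
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }

    // Variables the answers above copy the header into (CGI/FastCGI).
    $header = null;
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (!empty($server[$key])) {
            $header = trim($server[$key]);
            break;
        }
    }
    if ($header === null) {
        return null;
    }

    // The scheme name is case-insensitive; reject Bearer, Digest, etc.
    if (strncasecmp($header, 'Basic ', 6) !== 0) {
        return null;
    }

    // Strict mode returns false on characters outside the base64 alphabet.
    $decoded = base64_decode(trim(substr($header, 6)), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }

    // Limit 2: the user name cannot contain ':', but the password can.
    return explode(':', $decoded, 2);
}

// Constructed inputs: colon in password, lowercase scheme, wrong scheme, bad base64.
$samples = [
    ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('johnsmith:my:pass:word')],
    ['REDIRECT_HTTP_AUTHORIZATION' => 'basic ' . base64_encode('johnsmith:mypassword')],
    ['HTTP_AUTHORIZATION' => 'Bearer abc.def.ghi'],
    ['HTTP_AUTHORIZATION' => 'Basic %%%not-base64%%%'],
];
foreach ($samples as $s) {
    var_dump(basic_credentials($s));
}
```

The first two samples return a two-element array; the last two return null instead of raising notices from `list()`.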
-1

I know this is old, but in case someone stumbles across this and can't get any of the solutions to work…

I had to pass the Header-Information to a redirected script. None of the above was working.

So I did the following:

in htaccess:

RewriteRule ^my_script/my_action$ /redirect_url/?auth=%{HTTP:Authorization} [R=301,QSA,L]

And then in the PHP-Script:

if (isset($_GET['auth']) && trim($_GET['auth']) != '') {
   // Limit of 2 so that a password containing ':' is not cut off at the colon.
   list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_GET['auth'], 6)), 2);
}

That way the base64 encoded basic authorization is added to the GET-Request-Vars and can be parsed in the receiving PHP-Script.

Not very elegant, probably a security risk, but it works in my scenario.

Swissdude
  • "*Probably* a security risk"? You're kidding? – Your Common Sense Aug 04 '22 at 08:13
  • Moreover, it just makes no sense. You just had to configure the server where redirect_url points to – Your Common Sense Aug 04 '22 at 08:17
  • I can't configure the server that way. It's an app that I can't change that accesses an URL on my server that doesn't exist anymore. So I had to use redirect. And - as I said, none of the suggestions above have been working. If you have a better solution, I'm all ears! – Swissdude Aug 04 '22 at 17:50
-7

this should be like this

echo "Username: " . $_SERVER[PHP_AUTH_USER] . ", Password: " . $_SERVER[PHP_AUTH_PW];
Nico O
  • 7
    you are wrong. http://www.php.net/manual/en/reserved.variables.server.php you have to use strings for an index so it has to be: `$_SERVER['PHP_AUTH_USER']` etc. – Nico O Mar 26 '14 at 11:13