3

I've been working on this site that is supposed to use HTTP Basic Authentication with htpasswd. The authentication itself works like a charm but sometimes (not always) $_SERVER['PHP_AUTH_USER'] is empty.

I got the recommendation to use REMOTE_USER instead, which also only works from time to time. I'm using PHP as a CGI plugin for Apache, anything else is out of the question, unfortunately. The site is served SSL encrypted over HTTPS.

Why is this happening?

Christian Lundahl
  • Were you able to investigate which usernames are empty? I'd suggest using: `$user = (strlen($_SERVER['PHP_AUTH_USER']) > 0) ? $_SERVER['PHP_AUTH_USER'] : $_SERVER['REMOTE_USER'];` – Daniel W. Oct 21 '13 at 13:54
  • This would be a good idea if it weren't for the fact that most of the time both PHP_AUTH_USER and REMOTE_USER are empty. – Christian Lundahl Oct 21 '13 at 14:34

2 Answers

3

I don't have an exact solution but several ideas that might help you.

```php
$user = !empty($_SERVER['PHP_AUTH_USER'])
      ? $_SERVER['PHP_AUTH_USER']
      : $_SERVER['REMOTE_USER'];
```

...is a good start. Keep in mind that if you are not using Basic Realm Authentication, you have to play around with Digest Realm Authentication `$_SERVER['PHP_AUTH_DIGEST']`.

You should first take care that your variables don't get overridden and are checked at the right spot. It might also be possible that the username is empty simply because someone didn't enter one.

If the authentication was not successful, you should make sure to send the `Connection: close` header.

Now to debug the phenomenon, you should write into a log file or send a mail to yourself containing the following text to further investigate:

```php
// variables from http://php.net/manual/en/language.variables.superglobals.php
// note: this dump includes credentials (e.g. PHP_AUTH_PW), so protect the log
$log = var_export(array($_SERVER, $_REQUEST, $_COOKIE, $_SESSION), true);
```

I've also read that in combination with CGI there are other variables set containing the username; take a look at this question/answer: https://stackoverflow.com/a/7792912/1948292

Other variables that may contain user information (taken from the answer above):

```php
$_SERVER['REDIRECT_HTTP_AUTHORIZATION']
$_SERVER['REDIRECT_REMOTE_USER']
```
Daniel W.
  • I would suggest using `!empty($_SERVER['PHP_AUTH_USER'])` instead of `(strlen($_SERVER['PHP_AUTH_USER']) > 0)`, because PHP_AUTH_USER can be missing and display a notice (or warning). – Asenar Oct 21 '13 at 14:57
  • To be honest, while trying out DanFromGermany's debugging tips I found out that PHP_AUTH_USER is actually set, but to ''. PHP_AUTH_PW was also set, but to NULL. I'm using this in my .htaccess: `AuthType Basic AuthName "site name" AuthUserFile /path/to/.htpasswd Require valid-user` I'm also using some rewriting to force the site to be served over HTTPS. I'm not sure if this could cause any trouble. – Christian Lundahl Oct 21 '13 at 15:24
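
The fallback order discussed in this answer and its comments, as an added example that is not part of the original posts: it tries the variables named above and, if they are empty, decodes the Basic header itself. The function names `resolve_auth_user` and `user_from_basic_header` and the `HTTP_AUTHORIZATION` key are assumptions, and a name taken from the header is only trustworthy if Apache enforced `Require valid-user` for the request.

```php
<?php
// Added example, not from the original answer.
// Assumption: Apache already enforced "Require valid-user" for this request,
// so a name decoded from the header was checked against the htpasswd file.

/** Return the user part of "Basic base64(user:pass)", or null. */
function user_from_basic_header(string $header): ?string
{
    if (!preg_match('/^\s*Basic\s+([A-Za-z0-9+\/=]+)\s*$/i', $header, $m)) {
        return null; // Digest, Bearer, or malformed value
    }
    $decoded = base64_decode($m[1], true); // strict: reject invalid base64
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the first colon only; the password may contain ':'.
    // The password half is discarded and never returned or logged.
    $user = explode(':', $decoded, 2)[0];
    return $user !== '' ? $user : null;
}

/** Hypothetical helper: try each candidate variable in order. */
function resolve_auth_user(array $server): ?string
{
    foreach (['PHP_AUTH_USER', 'REMOTE_USER', 'REDIRECT_REMOTE_USER'] as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }
    // HTTP_AUTHORIZATION is an assumed extra key; the REDIRECT_ one is from the page.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        $user = isset($server[$key]) ? user_from_basic_header($server[$key]) : null;
        if ($user !== null) {
            return $user;
        }
    }
    return null;
}

// Constructed sample mirroring the asker's finding: PHP_AUTH_USER set to ''.
$sample = [
    'PHP_AUTH_USER' => '',
    'PHP_AUTH_PW' => null,
    'REDIRECT_HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:pa:ss'),
];
var_dump(resolve_auth_user($sample));                  // header fallback used
var_dump(resolve_auth_user(['PHP_AUTH_USER' => '']));  // nothing usable
var_dump(resolve_auth_user($_SERVER));                 // the live request
```

A `null` result for the live request means none of these variables reached the CGI process, which points at the server configuration rather than the PHP code.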
0

If you have separate containers for HTML and CGI in httpd.conf, then make sure these directives are set for the CGI container as well as the HTML one; otherwise REMOTE_USER won't be populated in a CGI script.

```
ProfileToken On
Require valid-user
```
jez001