
What is the best way to get the HTTP-authenticated user-name to ensure full portability across different web servers (Apache, IIS, Nginx, etc.)?

My understanding is that $_SERVER['REMOTE_USER'] is the CGI standard, but is it safe to assume that all web servers support this?

There are at least two other variants: $_SERVER['PHP_AUTH_USER'] on Apache and $_SERVER['AUTH_USER'] on IIS. Why do these server-specific variants exist if $_SERVER['REMOTE_USER'] is the correct variable to use?


Related thread, which only covers IIS/Coldfusion, not */PHP: Difference between AUTH_USER and REMOTE_USER cgi variables

HappyDog

1 Answer


The REMOTE_USER variable (corresponding to $_SERVER['REMOTE_USER'] in PHP) is the CGI 1.1 standard, but it's not safe to assume that all web servers will support it or even use it in the same way. In fact, it's only relevant when the authentication scheme is either Basic or Digest, whereas in IIS you could be using Integrated Windows auth or another kind of authentication (e.g. certificate based or Forms auth with ASP pages). Other web servers may have similar schemes of their own.

This section of the PHP Manual states:

$_SERVER is an array containing information such as headers, paths, and script locations. The entries in this array are created by the web server. There is no guarantee that every web server will provide any of these; servers may omit some, or provide others not listed here. That said, a large number of these variables are accounted for in the » CGI/1.1 specification, so you should be able to expect those.

Cahit
  • With regard to IIS, the docs say that AUTH_USER is the right variable to use, but that REMOTE_USER is always identical. Therefore this seems to be the most portable. https://msdn.microsoft.com/en-us/library/ms524602(v=vs.90).aspx – HappyDog Jul 01 '17 at 10:31
  • I think you'll be OK, but keep in mind that the MSDN doc refers to what you should expect when running Classic ASP, ASP.NET and ISAPI code. You'll likely be using the FastCGI module, and getting user credentials passed to PHP will require setting `fastcgi.impersonate = 1` in the PHP config file (it's set to that by default). Likewise, when using FastCGI with Apache or nginx, you'll need to ensure the server variables you need are forwarded/mapped to PHP (e.g. via `fastcgi_param REMOTE_USER $remote_user;`). – Cahit Jul 03 '17 at 21:28
  • That sounds acceptable as it means that if the web server is not configured correctly then, by default, you will not be logged in (as the variable is not exposed to PHP). Therefore it sounds like this is a fail-secure method. On that basis I will proceed using `REMOTE_USER` and ignore the other similar variables which are less portable. – HappyDog Jul 11 '17 at 15:17
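The fail-secure lookup the thread converges on, as an added example that is not part of the question or answer: it consults only the server-populated variables named above (REMOTE_USER first, then the IIS and Apache aliases), treats the empty string that nginx's `$remote_user` yields on an anonymous request as "not logged in", and never reads HTTP_* entries, since those are client-supplied request headers. The function name and the constructed `$cases` inputs are assumptions for illustration.

```php
<?php
// Added example (not from the question or answer): resolve the
// HTTP-authenticated user from server-provided variables, failing secure.
declare(strict_types=1);

/**
 * Return the authenticated user name, or null when the request is anonymous.
 *
 * Only variables the web server itself populates are consulted. Anything under
 * HTTP_* is a request header the client chose to send and must never be used
 * as a source of identity, even if a proxy happens to forward it.
 *
 * $server is passed in (normally $_SERVER) so the logic can be exercised
 * with constructed input.
 */
function authenticatedUser(array $server): ?string
{
    // Order: CGI/1.1 standard first, then the server-specific aliases
    // discussed in the thread (IIS AUTH_USER, Apache PHP_AUTH_USER).
    foreach (['REMOTE_USER', 'AUTH_USER', 'PHP_AUTH_USER'] as $key) {
        if (!array_key_exists($key, $server)) {
            continue;
        }
        $user = $server[$key];
        // With nginx's `fastcgi_param REMOTE_USER $remote_user;` an anonymous
        // request still sets the variable, but to an empty string: treat that
        // as "not logged in" rather than as a user named "".
        if (!is_string($user) || trim($user) === '') {
            continue;
        }
        return $user;
    }
    return null; // fail secure: no server-asserted identity means no login
}

// Constructed inputs for illustration (not captured from a real server).
$cases = [
    'apache basic auth'        => ['REMOTE_USER' => 'alice', 'PHP_AUTH_USER' => 'alice'],
    'iis integrated auth'      => ['AUTH_USER' => 'CORP\\bob', 'REMOTE_USER' => 'CORP\\bob'],
    'nginx, anonymous request' => ['REMOTE_USER' => ''],
    'client header, no auth'   => ['HTTP_REMOTE_USER' => 'admin'],
];
foreach ($cases as $label => $server) {
    // Expected: alice, CORP\bob, (anonymous), (anonymous)
    printf("%-26s => %s\n", $label, authenticatedUser($server) ?? '(anonymous)');
}
```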