
I have set up basic authentication on one section of my website as documented here. It works fine, but now I need to be able to access the user name in order to filter certain results. But `$_SERVER['PHP_AUTH_USER']` won't work. Is there any other way to see who is logged in?

My .htaccess file:

```
AuthType Basic
AuthName "You need to login to access this page."
AuthUserFile /usr/local/..../.htpasswd
Require valid-user

RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
```

It is marked as duplicate, but I don't see where is the answer to my problem? Can someone help please? Admin?

K.I
  • Ask the user for it, auth them against stored username and password from database, cache the result of the username in session. `$_SERVER` is designed for server related info (paths, uri etc.) whereas `$_SESSION` is designed for things related to the user's current session (username, breadcrumbs, auth token maybe?). Just make sure to `session_start()` before that :P – Can O' Spam Jun 25 '18 at 08:58
  • Do a `var_dump($_SERVER);` and see if you can find the username somewhere in the output. Depending on how specifically PHP is embedded into the web server, you might find this info in slightly different fields. Also, read what http://php.net/manual/en/features.http-auth.php has to say about when HTTP Auth is triggered from “outside” PHP, on the web server level. – CBroe Jun 25 '18 at 09:11
  • What do you mean by "But `$_SERVER['PHP_AUTH_USER']` won't work"? Is the field blank? – Mr Glass Jun 25 '18 at 09:24
  • @CBroe did a var_dump, not one variable had my user name, does that mean my user name is not being stored with PHP? Is there a way to change that? – K.I Jun 25 '18 at 09:50
  • @MrGlass it returns null when called, in other words variable is not set. – K.I Jun 25 '18 at 09:51
  • @SamSwift웃 my user name and passwords are not stored in a database, please read the question including the link provided to see what technique was used to add authentication. – K.I Jun 25 '18 at 09:52
  • Did you read the document I linked to …? It explains that you don’t normally get access to this data, if HTTP Authentication is handled “outside” of PHP, on the web server level. The user comments have approaches how to use the RewriteEngine to pass that data along so that it becomes available in PHP. – CBroe Jun 25 '18 at 09:52
  • @CBroe if you mean adding the "SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1" to the .htaccess file, I have tried that, but no success... – K.I Jun 25 '18 at 10:38

3 Answers


When a user logs in, use the session variable to store the user name and then access it.

```php
session_start();
// $username is whatever you grabbed as the supplied login details
$_SESSION['username'] = $username;
```


Say for instance, you have the following login function;

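```php
<?php
function doLogin($uname, $pword)
{
    global $connection; // assumed to be a mysqli connection created elsewhere

    // Bind the supplied name as a parameter instead of interpolating it into the SQL
    $stmt = $connection->prepare("SELECT psswd FROM users WHERE (uname = ? OR email = ?)");
    $stmt->bind_param('ss', $uname, $uname);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    // No matching row means the login fails
    if ($row !== null && password_verify($pword, $row['psswd']))
    {
        session_start();
        session_regenerate_id(true); // issue a fresh session ID on login
        $_SESSION['user_logged_in'] = true;
        $_SESSION['username'] = $uname;
        return true;
    }
    return false;
}
```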

Using verification, we can see that the password was found from the database, it was verified using PHP's functions for this, and we set variables on the session (after starting it & a valid login) to say as such, as well as store the username for future use.

Can O' Spam

In your .htaccess you are populating `$_SERVER['HTTP_AUTHORIZATION']` - have you tried with that?

IVO GELOV
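
What reading that variable involves, as an added example (not code from the question or from any answer on this page): it looks for the user name in the variables Apache and PHP may set, then falls back to decoding the raw Basic header that the question's RewriteRule copies into the environment. The function name `basicAuthUser` and the sample credentials are made up for illustration.

```php
<?php
/**
 * Return the user name Apache authenticated, or null if none can be found.
 * $server is normally $_SERVER; it is a parameter so sample data can be passed in.
 */
function basicAuthUser(array $server): ?string
{
    // PHP_AUTH_USER is set when PHP itself sees the credentials; REMOTE_USER is
    // exported by Apache. After an internal redirect Apache prefixes environment
    // variables with REDIRECT_, so check that spelling as well.
    foreach (['PHP_AUTH_USER', 'REMOTE_USER', 'REDIRECT_REMOTE_USER'] as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }

    // Fall back to the raw header copied in by [E=HTTP_AUTHORIZATION:...].
    $header = $server['HTTP_AUTHORIZATION']
        ?? $server['REDIRECT_HTTP_AUTHORIZATION']
        ?? '';
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/i', trim($header), $m)) {
        return null; // header missing, or not the Basic scheme
    }

    $decoded = base64_decode($m[1], true); // strict mode: false on invalid base64
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null; // malformed credentials
    }

    // The payload is "user:password"; only the password may contain ':'.
    [$user] = explode(':', $decoded, 2);
    return $user === '' ? null : $user;
}

// Constructed sample values, not real credentials.
$sample = [
    'REDIRECT_HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:s3cret:with:colons'),
];
var_dump(basicAuthUser($sample));
var_dump(basicAuthUser(['HTTP_AUTHORIZATION' => 'Bearer abc.def']));
var_dump(basicAuthUser($_SERVER));
```

The decoded header also contains the password, so keep only the user name and never write the header value to logs or to the session. The value is trustworthy only on paths where `Require valid-user` is in force, because there Apache has already checked it against the `.htpasswd` file before PHP runs.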