1

I had this question posted here, maybe admins did not understand it correctly and marked it as duplicate, so I am posting it again, because I cannot access these variables as defined here. And so called duplicate question does not help me with my query. In my case when I call PHP_AUTH_USER, PHP_AUTH_PW, and AUTH_TYPE they are empty, null. Can someone please help me understand why? My .htaccess file:

AuthType Basic

AuthName "You need to login to access this page."
AuthUserFile /usr/local/..../.htpasswd
Require valid-user

RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

When I do var_dump($_SERVER); in my PHP code, I see that none of these variables are set, why is that? Is it impossible to access these variables if basic HTTP Authentication used with .htaccess and .htpasswd files alone?

K.I
  • 568
  • 1
  • 6
  • 19
  • Is `$_SERVER['HTTP_AUTHORIZATION']` or `$_SERVER['REWRITE_HTTP_AUTHORIZATION']` set? – Evert Jun 26 '18 at 08:29
  • @Evert Hi, thank you for looking at my problem. No these variables are net set either. – K.I Jun 26 '18 at 08:37
  • I think its because my server is set with CGI. I found some workarounds for this, but they don't work either... – K.I Jun 26 '18 at 10:21

1 Answers1

0

The answer is: PHP doesn't get AUTH-variables because Apache doesn't send them to PHP-interpreter. Why?

This part will work for PHP-CGI:

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
</IfModule>

Only if

Apache won't pass it to CGI apps unless you compile it with the SECURITY_HOLE_PASS_AUTHORIZATION flag. How can I use Basic HTTP Authentication in PHP?

You should disable basic auth in .htaccess file and use it in PHP. Manual: http://php.net/manual/en/features.http-auth.php

Mikhail Kulygin
  • 76
  • 6