$_SERVER['HTTP_AUTHORIZATION'] is not set in PHP post call

Question

I am trying to access headers (field authorization) from a POST method, but it's never set.

according to

foreach (getallheaders() as $name => $value) {
    echo "$name: $value\n";
}

the field "Authorization" is present (sent with postman)

however this evaluates to false

$authHeader = $_SERVER['HTTP_AUTHORIZATION'];

if (isset($authHeader))
{
    echo "header field present";
}
else
{
    echo "header field NOT present";
}

I am running Apache/PHP/MySql locally on Windows 10 PHP Version is 7.3.7 Apache/2.4.39 (Win64) OpenSSL/1.1.1c PHP/7.3.7

In Postman, I am passing "Content-Type=application/json" and "Authorization=Bearer..."

What's wrong here?

score 2 · Accepted Answer · answered Apr 09 '20 at 06:30

2

You are actually doing it wrong.

If you are passing in "Authorization=Bearer..." than you should read it like:

$headers = getallheaders();

print_r($headers["Authorization"]);

answered Apr 09 '20 at 06:30

JureW

641
1
6
15

Thanks. This actually works. "funfact" that I read nowhere about this variant of doing it. It $Server deprecated or something? – Apr 09 '20 at 06:42
Noup (not that I know), but this is a custom header you are passing in. – JureW Apr 09 '20 at 06:44
What exactly is OP doing "wrong"? One would expect `$_SERVER['HTTP_AUTHORIZATION']` to be available, it's somewhat surprising behaviour that it isn't. – deceze Apr 09 '20 at 08:46
@Roger Note that this solution is very specific to running on Apache, `getallheaders` being an alias for `apache_request_headers`. Just to avoid nasty surprises later on, you'd want to write your code in a way that's not specific to one particular web server. In this case, configuring the web server to pass the `Authorization` header through is the more neutral solution. See the duplicates at the top of your question. – deceze Apr 09 '20 at 08:50
to provide you with some background info: i've seen this code in a tutorial -> https://www.techiediaries.com/php-jwt-authentication-tutorial/ and also found it in many resources throughout the web. I am using XAMPP. I wan't to use these services from an angular client. – Apr 10 '20 at 11:01

$_SERVER['HTTP_AUTHORIZATION'] is not set in PHP post call

1 Answers1