
I've found questions like this:

Why are $_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"] not set?

Usually the question is why are PHP_AUTH_USER and PHP_AUTH_PW not set. And the explanation is usually:

> As of PHP 4.3.0, in order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page and safe mode is enabled. Regardless, REMOTE_USER can be used to identify the externally-authenticated user. So, you can use $_SERVER['REMOTE_USER'].
>
> ...
>
> PHP uses the presence of an AuthType directive to determine whether external authentication is in effect.
>
> Note, however, that the above does not prevent someone who controls a non-authenticated URL from stealing passwords from authenticated URLs on the same server.

The thing is that I have tried an example with external authentication, and the PHP_AUTH variables are actually set. I'm using PHP 7.4.3, so I suspect this explanation no longer applies, because the first part has been removed from the current documentation. However, you can still read the latter part:

> Note: Configuration Note
> PHP uses the presence of an AuthType directive to determine whether external authentication is in effect.
>
> Note, however, that the above does not prevent someone who controls a non-authenticated URL from stealing passwords from authenticated URLs on the same server.

So I'm confused. It seems these variables are set regardless of AuthType directives, but I really would like to confirm that point.

Thanks.

EDIT: (solution)

Thanks to the answer by @symcbean, I realized that in order to have the PHP_AUTH variables not set, safe mode had to be on. And after a bit of research, that safe mode option is removed from PHP. That's why this part was removed from the docs, and so here is the answer:

PHP_AUTH variables will always be set, even in case of external authentication.

Pep

1 Answer

> I have tried an example with external authentication, and the PHP_AUTH variables are actually set

But you didn't show us the code. Did you read the source documentation you quoted here:

> will not be set if external authentication is enabled for that particular page and safe mode is enabled

symcbean
  • Oh, I see. Thanks a lot for making me realize (and sorry). – Pep Oct 31 '21 at 21:59
  • I've been researching that safe mode option, and it looks like it's a deprecated thing. So at the end of the day, I assume that the right answer is: **yeah, currently those PHP_AUTH will always be set no matter what**. – Pep Oct 31 '21 at 22:36
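
Since the thread concludes that the PHP_AUTH variables reach the script even when the web server does the authentication, here is an added example (not code from the question, the answer, or the PHP manual) of a script that identifies the user from REMOTE_USER and keeps the credential out of anything it logs or dumps. The function names, the redaction marker and the sample array are assumptions made for illustration; `REDIRECT_REMOTE_USER` and `REDIRECT_HTTP_AUTHORIZATION` are included on the assumption that an internal redirect may prefix those variables.

```php
<?php
declare(strict_types=1);

// $_SERVER keys that can carry the credential itself (password or full Authorization header).
const CREDENTIAL_KEYS = ['PHP_AUTH_PW', 'PHP_AUTH_DIGEST', 'HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'];

// Identify the externally authenticated user without reading the password.
// REMOTE_USER is populated by the web server after it has verified the credential.
function external_user(array $server): ?string
{
    $user = $server['REMOTE_USER'] ?? $server['REDIRECT_REMOTE_USER'] ?? null;
    return (is_string($user) && $user !== '') ? $user : null;
}

// True when the server reports external authentication and a credential
// is still readable by the script, which is the situation the thread confirms.
function credential_exposed(array $server): bool
{
    if (($server['AUTH_TYPE'] ?? '') === '') {
        return false;
    }
    foreach (CREDENTIAL_KEYS as $key) {
        if (($server[$key] ?? '') !== '') {
            return true;
        }
    }
    return false;
}

// Copy of the array that is safe to log, dump or attach to an error report.
function redact_server(array $server): array
{
    foreach (CREDENTIAL_KEYS as $key) {
        if (array_key_exists($key, $server)) {
            $server[$key] = '[redacted]';
        }
    }
    return $server;
}

// Constructed sample standing in for $_SERVER on a page behind "AuthType Basic".
$sample = [
    'AUTH_TYPE'          => 'Basic',
    'REMOTE_USER'        => 'alice',
    'PHP_AUTH_USER'      => 'alice',
    'PHP_AUTH_PW'        => 'constructed-password',
    'HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:constructed-password'),
    'REQUEST_URI'        => '/protected/report.php',
];

printf("user=%s exposed=%s\n", external_user($sample) ?? '(none)', credential_exposed($sample) ? 'yes' : 'no');
echo json_encode(redact_server($sample), JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n";
```

In a real request, pass `$_SERVER` instead of `$sample`; any debug handler or error reporter that serializes `$_SERVER` should receive the redacted copy.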