4

I cannot get basic HTTP authentication to work in PHP, which is installed and working as FCGI. It works perfectly when PHP is installed as a module, though.

Is there any way I can get it to work?

I am running PHP version 5.2.6 on Ubuntu.

```php
<?php
// Challenge the client when no Basic credentials reached PHP.
// empty() avoids an undefined-index notice when the key is missing.
if (empty($_SERVER['PHP_AUTH_USER'])) {
    $this->getResponse()->setHeader('WWW-Authenticate', 'Basic realm="Testing"');
    $this->getResponse()->setBody('Unauthorized');
    $this->getResponse()->setHttpResponseCode(401);
} else {
    var_dump($_SERVER['PHP_AUTH_USER']);
    var_dump($_SERVER['PHP_AUTH_PW']);
}
```

I did try:

[Rewrite rule on .htaccess]

```apache
RewriteEngine on
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]
```

[user:pass on PHP-script]

```php
list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['REDIRECT_REMOTE_USER'], 6)));
```

but it doesn't seem to be working.

ro ko
  • FWIW, I have researched the same thing recently and it seems that it just doesn't work. I'd love it if someone could come back with a solution here though. – deceze Oct 25 '11 at 04:39
  • Your first code fragment looks like part of a method - but there's no class? – symcbean Oct 25 '11 at 08:39

3 Answers

10

Delete your .htaccess and write a new one with this line:

```apache
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
```

and your PHP will work fine.

  • I just added it as the first line in my `.htaccess` and it worked too. – Martijn Jul 27 '16 at 11:04
  • Using your snippet, I get the basic auth header. But not the authenticated user as `PHP_AUTH_USER` would. – Daniel Jun 19 '19 at 07:19
  • 2
    In case of my QNAP NAS I also needed to add the php code from https://stackoverflow.com/a/53196779. So the variable $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] was set in my case which must be parsed on your own as it seems - using php 7.3.7 fcgi – John Doe Dec 27 '19 at 19:58
1

You need to pass $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] to PHP FCGI manually. The CGI protocol simply does not support those variables.

If you still want to use those, I found something interesting (and confirming what I just said) on http://be2.php.net/manual/en/features.http-auth.php#108132

maartenh
0

Thanks to the comment from @john-doe this one worked for me:

In .htaccess (IfModule mod_rewrite.c):

```apache
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
```

In PHP:

```php
// Under FastCGI, PHP_AUTH_USER / PHP_AUTH_PW are not populated, so rebuild
// them from the Authorization header passed through by the rewrite rule.
$authHeader = isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) ? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] : '';
if (preg_match('/^Basic\s+(.*)$/i', $authHeader, $matches)) {
    // A limit of 2 keeps passwords that contain ':' intact.
    $credentials = explode(':', base64_decode($matches[1]), 2);
    if (count($credentials) === 2) {
        list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = $credentials;
    }
}

if (empty($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="WFS"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'My protected realm!';
    exit();
} else {
    // $loginModel and Authentication are the application's own classes.
    $error = $loginModel->login($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
    if ($error == 0 && Authentication::checkModulRights(__CLASS__) == true) {
        // user is valid
    } else {
        header('WWW-Authenticate: Basic realm="My realm"');
        header('HTTP/1.0 401 Unauthorized');
        exit();
    }
}
```
Max
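The header handling from the answers above, gathered into one function as an added example (not code from any of the posters). It goes beyond the single-variable case by checking each variable Apache may populate, decoding base64 strictly, and verifying against a stored hash. The function name `basic_auth_credentials`, the `$users` store and the sample header are assumptions for illustration, and PHP 7.0 or later is assumed.

```php
<?php
/**
 * Return [user, password] from whichever variable the server populated,
 * or null when no well-formed Basic credentials are present.
 * $server is normally $_SERVER; it is a parameter so the function can be tested.
 */
function basic_auth_credentials(array $server)
{
    // mod_php fills these in directly.
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    // Under CGI/FastCGI only the forwarded header is available; an internal
    // redirect in Apache prefixes the variable name with REDIRECT_.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (empty($server[$key]) || !preg_match('/^Basic\s+(\S+)$/i', $server[$key], $m)) {
            continue;
        }
        // Strict mode rejects characters outside the base64 alphabet.
        $decoded = base64_decode($m[1], true);
        if ($decoded === false || strpos($decoded, ':') === false) {
            return null; // malformed header: treat as unauthenticated
        }
        // Split on the first ':' only; the password may contain colons.
        return explode(':', $decoded, 2);
    }
    return null;
}

// Constructed sample: the header as a FastCGI setup would expose it.
$sample = ['REDIRECT_HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:s3cr:et')];
// Hypothetical user store holding password hashes, never plaintext.
$users = ['alice' => password_hash('s3cr:et', PASSWORD_DEFAULT)];

$creds = basic_auth_credentials($sample);
$ok = $creds !== null
    && isset($users[$creds[0]])
    && password_verify($creds[1], $users[$creds[0]]);

if (!$ok) {
    header('WWW-Authenticate: Basic realm="Testing"');
    http_response_code(401);
    exit('Unauthorized');
}
echo "Authenticated as {$creds[0]}\n";
```

In a real request handler, pass `$_SERVER` instead of `$sample`.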