
FastCGI: PHP_AUTH_USER and PHP_AUTH_PW

Description by link:
When using Apache's Basic Auth together with PHP in FastCGI mode, the credentials of the user do not get passed to the PHP script. When I configure FastCGI to pass the authentication headers (-pass-header Authorization), these get passed to the script, but they are ignored by PHP. This is because in cgi_main.c only the env var "HTTP_AUTHORIZATION" gets checked and not "Authorization", which seems to be the correct header value (at least with apache2). All the Apache handlers correctly use that header to set the authentication env vars. Could the cgi handler also check for that header?

Solution:
  • 1. Create a file .htaccess in the root of your PHP software with the following content:
    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
    </IfModule>
    
  • 2. Inside your PHP scripts, replace the variables PHP_AUTH_USER and PHP_AUTH_PW with
    $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'].

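  • 3. Add the following lines before the authentication code inside your PHP script:
    // A RewriteRule in .htaccess triggers an internal redirect, so the variable arrives with a REDIRECT_ prefix
    if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) &&
        preg_match('/^Basic\s+(.*)$/i', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], $matches))
    {
        // limit 2: only the first ':' separates user from password
        $parts = explode(':', base64_decode($matches[1]), 2);
        if (count($parts) == 2) list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = $parts;
    }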
    
    Example: fix (patch) for PhpWiki (1.2.10) to work with FastCGI PHP mode with Apache 1.3:
    # Author: Stepan A. Baranov (rosmir@gmail.com)
    # web-site: www.rosmir.org
    
    diff -u ./admin.php.orig ./admin.php
    --- ./admin.php.orig
    +++ ./admin.php
    @@ -18,9 +18,16 @@
           exit;
        }
    
    +// ADDED by rosmir@gmail.com
    +if(preg_match('/Basic+(.*)$/i', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], $matches))
    +{
    + list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':' , base64_decode(substr($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 6)));
    +}
    +// END ADDED by rosmir@gmail.com
    +
        // From the manual, Chapter 16
    -   if (($PHP_AUTH_USER != $wikiadmin  )  ||
    -       ($PHP_AUTH_PW   != $adminpasswd)) {
    +   if (($_SERVER['PHP_AUTH_USER'] != $wikiadmin  )  ||
    +       ($_SERVER['PHP_AUTH_PW']   != $adminpasswd)) {
           Header("WWW-Authenticate: Basic realm=\"PhpWiki\"");
           Header("HTTP/1.0 401 Unauthorized");
           echo gettext("You entered an invalid login or password.");
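
Review bot: In the added preg_match() line the pattern '/Basic+(.*)$/i' quantifies the letter "c" instead of requiring whitespace after the scheme name, is not anchored at the start, and its capture in $matches is never used because the next line decodes substr(..., 6) instead; suggest '/^Basic\s+(.*)$/i' and decoding $matches[1]. The same line reads $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] without an isset() check, so requests that carry no Authorization header raise a notice. explode(':' , ...) has no limit of 2, so a password containing a colon is cut at that colon, and a decoded value without any colon leaves list() with no password element. The rewritten condition still compares the password with a loose !=; a strict, timing-safe comparison would be preferable there.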
    
    For more see link
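
The logic of step 3 as a reusable function, as an added example (not part of the original page, the patch or PhpWiki): it accepts either variable name, rejects malformed values, keeps colons inside the password, and compares credentials with hash_equals. The function names basic_auth_from_server and is_admin and the sample credentials are hypothetical, and PHP 5.6 or later is assumed for hash_equals.

```php
<?php
// Added example; not the page author's or PhpWiki's code.
// Function names and sample values are hypothetical / constructed.

/** Return array(user, password) from a Basic Authorization value, or null. */
function basic_auth_from_server(array $server)
{
    // HTTP_AUTHORIZATION is set when the rule runs without an internal redirect;
    // the REDIRECT_ prefix appears when the RewriteRule lives in .htaccess.
    foreach (array('HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION') as $key) {
        if (empty($server[$key]) || !is_string($server[$key])) {
            continue;
        }
        // Scheme name, whitespace, then one base64 token and nothing else.
        if (!preg_match('/^Basic\s+([A-Za-z0-9+\/]+={0,2})\s*$/i', $server[$key], $m)) {
            continue;
        }
        $decoded = base64_decode($m[1], true); // strict mode returns false on bad input
        if ($decoded === false || strpos($decoded, ':') === false) {
            continue;
        }
        // Only the first ':' is the separator; the password may contain more.
        return explode(':', $decoded, 2);
    }
    return null;
}

/** Check parsed credentials with a timing-safe string comparison. */
function is_admin($creds, $wikiadmin, $adminpasswd)
{
    return is_array($creds)
        && hash_equals($wikiadmin, $creds[0])
        && hash_equals($adminpasswd, $creds[1]);
}

// Constructed sample: user "admin", password "s3cr:et" (contains a colon).
$sample = array('REDIRECT_HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('admin:s3cr:et'));
$creds  = basic_auth_from_server($sample);
var_dump($creds);
var_dump(is_admin($creds, 'admin', 's3cr:et'));
// Constructed malformed value: a misspelled scheme must not be accepted.
var_dump(basic_auth_from_server(array('HTTP_AUTHORIZATION' => 'Basicc Zm9v')));
```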


©2009 Rosmir - Stepan A. Baranov
$Id: FastCGI.html 414 2009-01-06 21:49:58Z rosmir $