Index‎ > ‎Docs‎ > ‎archive‎ > ‎LabsFolder‎ > ‎

FastCGI: PHP_AUTH_USER and PHP_AUTH_PW

Description by link:
When using Apache's Basic Auth together with php in FastCGI Mode, the credentials of the User do not get passed to the PHP Script. When I configure FastCGI to pass the Authentication Headers (-pass-header Authorization), these get passed to the script, but they are ignored by PHP. This is because in cgi_main.c only the Env-Var "HTTP_AUTHORIZATION" gets checked and not "Authorization" which seems to be the correct Header value (at least with apache2). All the apache Handler correctly use that header to set the Authentication Env-Vars. Could the cgi handler also check for that header?

Solution:
  • 1. create file .htaccess in the root of your PHP software with the following content: 
    <IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
</IfModule>
  • 2. change variables PHP_AUTH_USER and PHP_AUTH_PW to new variables
    $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] inside your PHP scripts.

  • 3. add before authentication code inside your PHP script the following lines: 
    if(preg_match('/Basic+(.*)$/i', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], $matches))
{
    list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':' , base64_decode(substr($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 6))); 
    }
    Example: fix (patch) for PhpWiki (1.2.10) to work with FastCGI PHP mode with Apache 1.3: 
    # Author: Stepan A. Baranov (rosmir@gmail.com)
# web-site: www.rosmir.org

diff -u ./admin.php.orig ./admin.php
--- ./admin.php.orig
+++ ./admin.php
@@ -18,9 +18,16 @@
       exit;
    }

+// ADDED by rosmir@gmail.com
+if(preg_match('/Basic+(.*)$/i', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], $matches))
+{
    + list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':' , base64_decode(substr($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 6))); 
    +}
+// END ADDED by rosmir@gmail.com
+
    // From the manual, Chapter 16
-   if (($PHP_AUTH_USER != $wikiadmin  )  ||
-       ($PHP_AUTH_PW   != $adminpasswd)) {
+   if (($_SERVER['PHP_AUTH_USER'] != $wikiadmin  )  ||
+       ($_SERVER['PHP_AUTH_PW']   != $adminpasswd)) {
       Header("WWW-Authenticate: Basic realm=\"PhpWiki\"");
       Header("HTTP/1.0 401 Unauthorized");
       echo gettext("You entered an invalid login or password.");
    For more see link


©2009 Rosmir - Stepan A. Baranov
$Id: FastCGI.html 414 2009-01-06 21:49:58Z rosmir $