FastCGI: PHP_AUTH_USER and PHP_AUTH_PW

Description (quoted from the link):

When using Apache's Basic Auth together with PHP in FastCGI mode, the credentials of the user do not get passed to the PHP script. When I configure FastCGI to pass the authentication headers (-pass-header Authorization), these get passed to the script, but they are ignored by PHP. This is because in cgi_main.c only the Env-Var "HTTP_AUTHORIZATION" gets checked and not "Authorization", which seems to be the correct header value (at least with apache2). All the Apache handlers correctly use that header to set the authentication Env-Vars. Could the cgi handler also check for that header?

Solution:

    1. Create the file .htaccess in the root of your PHP software with the following content:

        <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
        </IfModule>

    2. Change the variables $PHP_AUTH_USER and $PHP_AUTH_PW to the new variables $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] inside your PHP scripts.

    3. Add the following lines before the authentication code inside your PHP script:

        if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) &&
            preg_match('/^Basic\s+(.*)$/i', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], $matches)) {
            // Limit 2: only the first ':' separates user and password
            list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) =
                explode(':', base64_decode($matches[1]), 2);
        }
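A more defensive form of step 3, as an added example that is not part of the original page or of PhpWiki: it checks both the plain and the REDIRECT_-prefixed variable, rejects malformed header values instead of decoding them blindly, and compares credentials with hash_equals(). The function names and the sample values are hypothetical, and hash_equals() assumes PHP 5.6 or later.

```php
<?php
// Added example (not from the original page); function names are hypothetical.

// Parse "Basic <base64>" into array(user, password); null if malformed.
function basic_credentials_from_header($header)
{
    if (!is_string($header) || !preg_match('/^Basic\s+(\S+)\s*$/i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true); // strict: reject non-base64 input
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2); // only the first ':' is the separator
}

// Fill PHP_AUTH_USER / PHP_AUTH_PW in $server when the CGI SAPI left them unset.
function restore_basic_auth(array &$server)
{
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return true;
    }
    foreach (array('HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION') as $key) {
        $creds = isset($server[$key]) ? basic_credentials_from_header($server[$key]) : null;
        if ($creds !== null) {
            list($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']) = $creds;
            return true;
        }
    }
    return false;
}

// Compare both fields without short-circuiting; hash_equals() needs PHP 5.6+.
function credentials_match(array $server, $user, $password)
{
    $u = hash_equals($user, (string) $server['PHP_AUTH_USER']);
    $p = hash_equals($password, (string) $server['PHP_AUTH_PW']);
    return $u && $p;
}

// Constructed sample requests, as $_SERVER would look under FastCGI.
$good = array('REDIRECT_HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('admin:s3cret:x'));
$bad  = array('REDIRECT_HTTP_AUTHORIZATION' => 'Basic !!!not-base64!!!');

var_dump(restore_basic_auth($good) && credentials_match($good, 'admin', 's3cret:x'));
var_dump(restore_basic_auth($bad));
```

In a real script, call restore_basic_auth($_SERVER) once before the authentication code and send the 401 challenge whenever it returns false.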

    Example: fix (patch) for PhpWiki (1.2.10) to work with FastCGI PHP mode with Apache 1.3:

        • # Author: Stepan A. Baranov (rosmir@gmail.com) # web-site: www.rosmir.org diff -u ./admin.php.orig ./admin.php --- ./admin.php.orig +++ ./admin.php @@ -18,9 +18,16 @@ exit; } +// ADDED by rosmir@gmail.com +if(preg_match('/Basic+(.*)$/i', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], $matches)) +{

      • + list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':' , base64_decode(substr($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 6)));

        • +} +// END ADDED by rosmir@gmail.com + // From the manual, Chapter 16 - if (($PHP_AUTH_USER != $wikiadmin ) || - ($PHP_AUTH_PW != $adminpasswd)) { + if (($_SERVER['PHP_AUTH_USER'] != $wikiadmin ) || + ($_SERVER['PHP_AUTH_PW'] != $adminpasswd)) { Header("WWW-Authenticate: Basic realm=\"PhpWiki\""); Header("HTTP/1.0 401 Unauthorized"); echo gettext("You entered an invalid login or password.");
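Review bot: In the block added to admin.php, the pattern '/Basic+(.*)$/i' applies the "+" to the letter "c" instead of requiring whitespace after the scheme name, and its capture group is never used because the next line takes substr(..., 6) of the raw header; anchor it as '/^Basic\s+(.*)$/i' and decode $matches[1]. The same block reads $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] without an isset() check, so a request that carries no Authorization header raises an undefined-index notice before the 401 is sent. explode(':' , ...) has no limit, so list() keeps only the text between the first and second colon and a password containing ':' can never match; pass 2 as the third argument. The rewritten credential check still uses loose !=, which allows PHP type juggling and is not timing-safe; prefer a strict comparison, or hash_equals() where the PHP version provides it.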

©2009 Rosmir - Stepan A. Baranov

$Id: FastCGI.html 414 2009-01-06 21:49:58Z rosmir $