How to pass authentication headers in PHP on a Fast-CGI enabled server

When using Fast-CGI to pass authentication headers, these headers are passed to the script however they are ignored by PHP. This is because only the “HTTP_AUTHORIZATION” environmental variable gets checked while the “Authorization” variable is ignored. The following steps can be used to overcome this problem:
Create a .htaccess file in the root directory of the script/application you are using:

RewriteEngine onRewriteRule .* - [E=HTTP_AUTHORIZATION:%

Next you need to change all the PHP_AUTH_USER and PHP_AUTH_PW variables in your web content to



Finally you will need to add the following lines of code preceding the authentication code used in your application / script:

$_SERVER['PHP_AUTH_PW']) = explode(':' ,
base64_decode(substr($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 6)));}

As an example please see the patch for phpWiki below:

# Author: Stepan A. Baranov (
# web-site:
diff -u ./admin.php.orig ./admin.php

--- ./admin.php.orig

+++ ./admin.php

@@ -18,9 +18,16 @@exit;


// ADDED by

if(preg_match('/Basic+(.*)$/i', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], $matches))


list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':' ,
], 6)));


// END ADDED by From the manual, Chapter 16

if (($PHP_AUTH_USER != $wikiadmin ) ||(

$PHP_AUTH_PW != $adminpasswd)) {

if (($_SERVER['PHP_AUTH_USER'] != $wikiadmin ) ||(

$_SERVER['PHP_AUTH_PW'] != $adminpasswd)) {Header

("WWW-Authenticate: Basic realm="PhpWiki"");

Header("HTTP/1.0 401 Unauthorized");echo

gettext("You entered an invalid login or password.");