How to pass authentication headers in PHP on a Fast-CGI enabled server
When PHP runs under Fast-CGI, authentication headers are passed to the script but PHP ignores them. This is because only the “HTTP_AUTHORIZATION” environment variable gets checked, while the “Authorization” variable is ignored. The following steps can be used to overcome this problem:
Create a .htaccess file in the root directory of the script/application you are using:
RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
Next you need to change all the PHP_AUTH_USER and PHP_AUTH_PW variables in your web content to $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'].
Finally you will need to add the following lines of code preceding the authentication code used in your application / script:
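// Apache exposes the variable set by the rewrite rule with a REDIRECT_ prefix
if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) &&
    preg_match('/^Basic\s+(.*)$/i', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], $matches))
{
    // A limit of 2 keeps any colons inside the password intact
    list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) =
        explode(':', base64_decode($matches[1]), 2);
}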
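A stricter version of the same step, as an added example that is not part of the original article or of phpWiki: it reads the header from either variable, rejects malformed values, and compares credentials in constant time. The function names basic_credentials() and is_admin() and the sample credentials are hypothetical, and PHP 7.1 or later is assumed.

```php
<?php
// Added example: helper names are hypothetical, not from phpWiki or the article.

/**
 * Return [user, password] from a Basic Authorization header, or null.
 * Checks the variable set by the rewrite rule and the REDIRECT_ prefixed
 * copy that Apache creates after an internal redirect.
 */
function basic_credentials(array $server): ?array
{
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (empty($server[$key])) {
            continue;
        }
        if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)\s*$/i', $server[$key], $m)) {
            return null; // another scheme, or a malformed value
        }
        $decoded = base64_decode($m[1], true); // strict mode rejects invalid base64
        if ($decoded === false || strpos($decoded, ':') === false) {
            return null; // not decodable, or no user:password separator
        }
        return explode(':', $decoded, 2); // the password may itself contain ':'
    }
    return null;
}

/** Compare the supplied credentials with the configured ones. */
function is_admin(?array $creds, string $user, string $pass): bool
{
    if ($creds === null) {
        return false;
    }
    // hash_equals() compares in constant time and never type-juggles.
    // Both checks always run so timing does not reveal which one failed.
    $userOk = hash_equals($user, $creds[0]);
    $passOk = hash_equals($pass, $creds[1]);
    return $userOk && $passOk;
}

// Constructed sample input: the password contains a colon on purpose.
$sample = ['REDIRECT_HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('admin:s3cr:et')];
$creds = basic_credentials($sample);
var_dump($creds);
var_dump(is_admin($creds, 'admin', 's3cr:et'));
var_dump(is_admin(basic_credentials([]), 'admin', 's3cr:et'));
```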
As an example please see the patch for phpWiki below:
# Author: Stepan A. Baranov (rosmir@gmail.com)
# web-site: www.rosmir.org
diff -u ./admin.php.orig ./admin.php
--- ./admin.php.orig
+++ ./admin.php
exit;@@ -18,9 +18,16 @@
}
// ADDED by rosmir@gmail.com
if(preg_match('/Basic+(.*)$/i', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], $matches))
{
list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':' ,
base64_decode(substr($_SERVER['REDIRECT_HTTP_
AUTHORIZATION'], 6)));
}
// From the manual, Chapter 16// END ADDED by rosmir@gmail.com
(if (($PHP_AUTH_USER != $wikiadmin ) ||
$PHP_AUTH_PW != $adminpasswd)) {
(if (($_SERVER['PHP_AUTH_USER'] != $wikiadmin ) ||
Header$_SERVER['PHP_AUTH_PW'] != $adminpasswd)) {
("WWW-Authenticate: Basic realm="PhpWiki"");
echoHeader("HTTP/1.0 401 Unauthorized");
gettext("You entered an invalid login or password.");
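Review bot: the changed condition still compares credentials with loose !=, as in ($_SERVER['PHP_AUTH_USER'] != $wikiadmin) and $_SERVER['PHP_AUTH_PW'] != $adminpasswd, which is subject to PHP type juggling and is not a constant-time comparison; check that both $_SERVER values are set and compare each with hash_equals() instead. In the added block, explode(':', ...) is called without a limit, so list() keeps only the first two pieces and a password containing a colon is truncated; pass 2 as the third argument. The added block also reads $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] without an isset() check, and substr(..., 6) assumes exactly one separator character after "Basic" while the pattern 'Basic+' does not require one; anchoring the pattern as ^Basic\s+ and decoding $matches[1] would keep the two consistent.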