WebFaction
Community site: login faq

Hello

Is HTTP authentication with PHP possible on a Static/CGI/PHP application?

This does not work for me: http://www.php.net/manual/en/features.http-auth.php

Regards

asked 28 Jan '12, 11:20

makeen

The main HTTP authentication examples in the PHP documentation don't work on our servers because we use php-cgi to serve your PHP sites.

The common workarounds for that problem involve setting an HTTP_AUTHENTICATION environment variable via mod_rewrite, but that doesn't work on our servers because our php-cgi environment runs on Apache with suExec, which does not pass environment variables to CGI scripts.

So, the solution is to pass the HTTP:Authentication header to your PHP script via some other means.

Here is a solution that should work (adapted from HTTP AUTHENTICATION WITH PHP-CGI), by passing the authentication info as a URL parameter via mod_rewrite:

First, add the following to .htaccess in your app directory (assuming you want to do authentication on index.php) - note that this is not a redirect, so you don't need to worry about the authentication info showing up in your access logs:

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTP:Authorization} ^Basic.*
    RewriteRule (.*) index.php?Authorization=%{HTTP:Authorization} [QSA,L]
</IfModule>

Then, in index.php, get the authorization info from the Authorization parameter:

<?php
$authorized = false;

if (isset($_GET['Authorization']) && is_string($_GET['Authorization'])) {
    // Check for the HTTP authentication string in $_GET['Authorization'],
    // and put it in the $auth variable
    if (preg_match('/Basic\s+(.*)$/i', $_GET['Authorization'], $auth)) {
        // Base64 decode the string and split it at the first ':' only (the
        // password may itself contain colons), placing the values into
        // the $authName and $authPassword variables
        $decoded = base64_decode($auth[1]);
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            list($authName, $authPassword) = explode(':', $decoded, 2);
            // Check the values of $authName and $authPassword using your login routine
            // (in this example, we'll just assume that the login check was successful)
            //if (do_some_sort_of_login_check($authName, $authPassword)) {
                $authorized = true;
            //}
        }
    }
}

if ($authorized) {
    // Success!  Display your content (the name is client-supplied, so escape it)
    echo "success! hello, ".htmlspecialchars($authName, ENT_QUOTES, 'UTF-8');
} else {
    // Force the browser to prompt for a username and password
    header('WWW-Authenticate: Basic realm="name of your realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo "authorization failed";
}
?>

Note that in the above example, we're simply accepting the authentication credentials and displaying the username. In practice, you'll obviously want to verify the authentication credentials via whatever mechanism suits you.

Hope that helps!

This answer is marked "community wiki".

answered 28 Jan '12, 18:13

seanf ♦♦
edited 28 Jan '12, 18:27

Thanks, this worked perfectly for me!

(21 Feb '12, 04:37) Fredrik
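
One way to fill in the login check that the answer above leaves commented out, as an added example that is not part of the original answer or WebFaction's own code. The function names `parse_basic_auth()` and `check_login()` are hypothetical, and the `$users` table is constructed sample data; it assumes PHP 7.1 or later and the same `.htaccess` rule passing the header in `$_GET['Authorization']`.

```php
<?php
// Added example, not the answer's code: parse_basic_auth() and check_login()
// are hypothetical names; the $users table is constructed sample data.

/** Return [user, password] from a "Basic <base64>" value, or null if malformed. */
function parse_basic_auth($value): ?array
{
    // A request can send Authorization[]=..., which makes the value an array.
    if (!is_string($value) || !preg_match('/^Basic\s+(.+)$/i', $value, $m)) {
        return null;
    }
    // PHP decodes a literal '+' in a query string as a space; restore it in
    // case the rewrite passed the base64 text through unescaped.
    $decoded = base64_decode(strtr($m[1], ' ', '+'), true); // strict alphabet
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Limit 2: only the first ':' separates the fields, so the password
    // may itself contain colons.
    return explode(':', $decoded, 2);
}

/** Verify a login against hashes produced by password_hash(). */
function check_login(string $user, string $password, array $users): bool
{
    // Unknown users are still checked against a dummy hash so that response
    // time does not reveal which usernames exist.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('dummy-password', PASSWORD_DEFAULT);
    $known = isset($users[$user]);
    $ok = password_verify($password, $known ? $users[$user] : $dummy);
    return $known && $ok;
}

// Constructed sample account: user "alice", password "s3cret:pw".
$users = ['alice' => password_hash('s3cret:pw', PASSWORD_DEFAULT)];

$creds = parse_basic_auth($_GET['Authorization'] ?? null);
if ($creds !== null && check_login($creds[0], $creds[1], $users)) {
    echo 'success! hello, ' . htmlspecialchars($creds[0], ENT_QUOTES, 'UTF-8');
} else {
    // Force the browser to prompt for a username and password
    header('WWW-Authenticate: Basic realm="name of your realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'authorization failed';
}
```

Because the script reads the credentials from a URL parameter, it treats a request that puts `Authorization=` in the URL itself the same way as one that sends the header, and a URL written that way is recorded in the access log.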