is possible HTTP authentication with PHP?

The main HTTP authentication examples in the PHP documentation don't work on our servers because we use php-cgi to serve your PHP sites.

The common workarounds for that problem involve setting a HTTP_AUTHENTICATION environment variable via mod_rewrite, but that doesn't work on our servers because our php-cgi environment runs on Apache with suExec, which does not pass environment variables to CGI scripts.

So, the solution is the pass the HTTP:Authentication header to your PHP script via some other means.

Here is a solution that should work (adapted from HTTP AUTHENTICATION WITH PHP-CGI), by passing the authentication info as a URL parameter via mod_rewrite:

First, add the following to .htaccess in your app directory (assuming you want to do authentication on index.php) - note that this is not a redirect, so you don't need to worry about the authentication info showing up in your access logs:

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTP:Authorization} ^Basic.*
    RewriteRule (.*) index.php?Authorization=%{HTTP:Authorization} [QSA,L]
</IfModule>

Then, in index.php, get the authorization info from the Authorization parameter:

<?php
$authorized = false;

if (isset($_GET['Authorization'])) {
    // Check for the HTTP authentication string in $_GET['Authorization'], 
    // and put it in the $auth variable
    if (preg_match('/Basic\s+(.*)$/i', $_GET['Authorization'], $auth)) {
        // Split the string, base64 decode it, and place the values into 
        // the $authName and $authPassword variables
        list($authName, $authPassword) = explode(':', base64_decode($auth[1]));
        // Check the values of $authName and $authPass using your login routine
        // (in this example, we'll just assume that the login check was successful)
        //if (do_some_sort_of_login_check($authName, $authPassword)) {
            $authorized = true;
        //}
    }
}

if ($authorized) {
    // Success!  Display your content
    echo "success! hello, ".$authName;
} else {
    // Force the browser to prompt for a username and password
    header('WWW-Authenticate: Basic realm="name of your realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo "authorization failed";
}
?>

Note that in the above example, we're simply accepting the authentication credentials and displaying the username. In practice, you'll obviously want to verify the authentication credentials via whatever mechanism suits you.

Hope that helps!