Basic authentication in PHP

ttavoy

I'm aware of https://docs.opalstack.com/topic-guides/php/#password-protection-for-phpapache-applications

but I'm trying to do the same (or similar) thing within PHP with:

if (!isset($_SERVER['PHP_AUTH_USER'])) { header('WWW-Authenticate: Basic realm="My Realm"'); header('HTTP/1.0 401 Unauthorized'); echo 'Could not authenticate'; exit; }

The problem is that PHP_AUTH_USER seems to never get set. Should I be tweaking some setting in PHP to allow this to work?

(Reasons for wanting to do it this way:

not having to worry about .htaccess getting lost
finer grain control over what is authenticated)

sean

ttavoy our Apache suexec environment scrubs PHP_AUTH_USER and a lot of other environment variables prior to handing the request off to PHP.

To work around it, you'll need .htaccess (sorry!) to rewrite the request like so:

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTP:Authorization} ^Basic.*
    RewriteRule (.*) index.php?Authorization=%{HTTP:Authorization} [QSA,L]
</IfModule>

This appends the auth hash to the request with the parameter Authorization. Then, in index.php, get the authorization info from the Authorization parameter eg:

<?php
$authorized = false;

if (isset($_GET['Authorization'])) {
    // Check for the HTTP authentication string in $_GET['Authorization'], 
    // and put it in the $auth variable
    if (preg_match('/Basic\s+(.*)$/i', $_GET['Authorization'], $auth)) {
        // Split the string, base64 decode it, and place the values into 
        // the $authName and $authPassword variables
        list($authName, $authPassword) = explode(':', base64_decode($auth[1]));
        // Check the values of $authName and $authPass using your login routine
        // (in this example, we'll just assume that the login check was successful)
        //if (do_some_sort_of_login_check($authName, $authPassword)) {
            $authorized = true;
        //}
    }
}

if ($authorized) {
    // Success!  Display your content
    echo "success! hello, ".$authName;
} else {
    // Force the browser to prompt for a username and password
    header('WWW-Authenticate: Basic realm="name of your realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo "authorization failed";
}
?>

Hope this helps 🙂

ttavoy

sean Hope this helps

!!
Thank you for such an educational reply, and it made me wonder whether one way of solving the problem could be to change to Nginx.

So I gave it a try (made a new app of type "PHP-FPM with Nginx" instead of Apache and copied everything across) and it seems to work!

This is the first time I've tried Nginx so I expect I'll find some more problems ... in which case I'll be sure to come back here with more questions ... thanks!