
HTTP Authentication with PHP running as CGI/SuExec


Here is a tricky one. PHP is a feature-rich programming language and even includes simple HTTP Authentication. The authentication is similar to the Apache one explained here

The bad news is that this type of Authorization does not work when your PHP is installed and working as CGI. It works perfectly when PHP is installed as a module though.

However, there is a workaround available which can make HTTP Auth for PHP work even in CGI mode.

First you need to create the following .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
</IfModule>

The lines above copy the value of the Authorization request header (the word Basic followed by the base64-encoded username:password pair) into an environment variable named HTTP_AUTHORIZATION.

 

Then in your PHP script you should add the following, right before your user/pass check routine:

list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)), 2);

Here is how a sample PHP script using HTTP Authentication would look:

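<?php
// the variable may arrive with a REDIRECT_ prefix, depending on the Apache version
$auth = '';
if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
   $auth = $_SERVER['HTTP_AUTHORIZATION'];
} elseif (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
   $auth = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
}

// split the user/pass parts only when a Basic header was sent (limit 2: the password may contain ':')
if (strncasecmp($auth, 'Basic ', 6) == 0) {
   $parts = explode(':', (string) base64_decode(substr($auth, 6)), 2);
   if (count($parts) == 2) {
      list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = $parts;
   }
}

// open a user/pass prompt
if (!isset($_SERVER['PHP_AUTH_USER'])) {
   header('WWW-Authenticate: Basic realm="My Realm"');
   header('HTTP/1.0 401 Unauthorized');
   echo 'Text to send if user hits Cancel button';
   exit;
} else {
   // escape the values before printing: they come straight from the request
   echo "<p>Hello, ".htmlspecialchars($_SERVER['PHP_AUTH_USER'])."</p>";
   echo "<p>You entered as your password: ".htmlspecialchars($_SERVER['PHP_AUTH_PW'])."</p>";
}
?>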
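
The article stops right before the "user/pass check routine", so here is one way to write it, as an added example that is not part of the original article. The function name basic_credentials, the $users table and the sample account are assumptions made for illustration; the three variable names are the ones the rewrite rule can produce according to this page.

```php
<?php
// Added example: basic_credentials() and $users are illustrative names.

// Return array(user, pass) taken from the forwarded Authorization header, or null.
function basic_credentials(array $server)
{
    // The rewrite rule's variable can arrive under any of these names,
    // depending on the Apache version and on which rule variant is used.
    $names = array('HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION', 'REDIRECT_REMOTE_USER');
    foreach ($names as $name) {
        if (empty($server[$name]) || strncasecmp($server[$name], 'Basic ', 6) !== 0) {
            continue;
        }
        // Strict mode rejects characters outside the base64 alphabet.
        $decoded = base64_decode(substr($server[$name], 6), true);
        if ($decoded === false || strpos($decoded, ':') === false) {
            return null;
        }
        // Split on the first ':' only; the password may contain more of them.
        return explode(':', $decoded, 2);
    }
    return null;
}

// Constructed sample account (user "demo"). A real site stores the hash,
// it does not compute it on every request.
$users = array('demo' => password_hash('s3cret:with:colons', PASSWORD_DEFAULT));

$ok = false;
$cred = basic_credentials($_SERVER);
if ($cred !== null) {
    list($user, $pass) = $cred;
    // Compare against the stored hash, never against a plain-text password.
    $ok = isset($users[$user]) && password_verify($pass, $users[$user]);
}

if (!$ok) {
    // Missing, malformed or wrong credentials all get the same prompt.
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authentication required';
    exit;
}
echo '<p>Hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '</p>';
```

password_hash() and password_verify() need PHP 5.5 or later.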

Comments 10 >>

laxen Said,
Aug 23, 2006 @ 08:57

This doesn't work for me.
To get it working for me I added this in .htaccess. (Change test.php to your script name)
[code]
RewriteEngine on
RewriteCond %{HTTP:Authorization} !^$
RewriteRule ^test.php$ test.php?login=%{HTTP:Authorization}
[/code]
And then in your PHP script you should add the following, right before your user/pass check routine:
[code]
$d = base64_decode(substr($_GET['login'],6) );
list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', $d);
[/code]
misha Said,
Nov 01, 2006 @ 17:36

I've been searching for a solution on this for some time... and finally I got it!

I've tested the first method and it worked very fine for me.
I have a PHP as CGI and the HTTP Authentication is working.
Reid Said,
Nov 04, 2006 @ 16:56

Thanks, this helped me out!
Alexey Said,
May 25, 2007 @ 02:14

Thanks a million!
Hilary Said,
Aug 17, 2007 @ 06:32

Brilliant - thanks for this. Just one thing I had to change to get it working:

if ($_SERVER['PHP_AUTH_USER']=="")

instead of

if (!isset($_SERVER['PHP_AUTH_USER']))
Sparx Said,
Jan 13, 2008 @ 08:27

Hey guys, it looks like the first example works only on PHP4, and not on PHP5, please note that.
Overseer Said,
Mar 23, 2008 @ 05:30

This does not work with PHP5 as FastCGI :(
vince Said,
Mar 24, 2008 @ 03:28

@Overseer

I just ran a test on PHP5 Fcgi enabled server and it worked there without a problem.

It is possible that your PHP/FCGI configuration is a bit different, hence the problem.

@Sparx
It is working on PHP5 for me
Den Said,
Apr 15, 2008 @ 01:47

To make it work with PHP5:

[Rewrite rule on .htaccess]
RewriteEngine on
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]

[user:pass on PHP-script]
list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['REDIRECT_REMOTE_USER'], 6)));

It works perfectly with apache2.2+php5.2.5+fastcgi2.4.6
Ispcomm Said,
Jun 11, 2008 @ 04:14

Very nice solution. Works, but depending on your Apache version the variable you rewrite can be prepended with 'REDIRECT_'.

That is, if you're using HTTP_AUTHORIZATION, the real variable in _SERVER becomes REDIRECT_HTTP_AUTHORIZATION.

php4/php5 is OK.