Blog

I recently had to create an administration interface for a webpage in PHP and decided to use the built in HTTP Authentification. That proved to be a little difficult, as the server was running PHP in CGI mode, where the HTTP Authenfication doesn’t work in the default configuration.

After a bit of frustrated search, I found a workaround that works brilliant. Note that you only need to do this if PHP on your server runs in CGI mode. First create a .htaccess file with the following contents (note: requires mod_rewrite):

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]
</IfModule>

For more about how this works, look in the apache mod_rewrite manual.

Next create your PHP file with your basic HTTP Authentication. But make the following changes:

<?php
list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = 
explode(':', base64_decode(substr($_SERVER['REDIRECT_REMOTE_USER'], 6)));
 
if ($_SERVER['PHP_AUTH_USER'] == "") {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
?>

The magic is in the two first lines, where the enviroment variable set by the .htaccess file is stored in the two variables $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'].

And you’re done!

As my webhost runs PHP in CGI mode, if have put up an example so you can see the script in action (just write whatever as credentials). You can also download the files in the example.