PHP4 CGI and HTTP Authorization support - Debian

This is a discussion on PHP4 CGI and HTTP Authorization support - Debian ; Hi! I got php to work as cgi with suexec. Everything works nicely for me except for one thing: for HTTP Basic authorization (for example as enforced by .htaccess), the authorization data from the browser is not passed to the ...

+ Reply to Thread
Results 1 to 3 of 3

Thread: PHP4 CGI and HTTP Authorization support

  1. PHP4 CGI and HTTP Authorization support

    Hi!

    I got php to work as cgi with suexec. Everything works nicely for me
    except for one thing: for HTTP Basic authorization (for example as
    enforced by .htaccess), the authorization data from the browser is not
    passed to the PHP script.

    After some investigation done bycomparing phpinfo() output in different
    environments (mod_php / php-cgi x with auth / without auth) I came to
    the following main conclusion:

    The CGI PHP interpreter does not receive the "Authorization" header (as
    listed in the "HTTP Headers Information" section of phpinfo() output).
    The header itself is passed from the browser to the web server, because
    apache does allow access to the page.

    I suspect that the consequence of this is that the
    _SERVER["PHP_AUTH_USER"] and _SERVER["PHP_AUTH_PW"] PHP variables are
    not set.

    The question is: has anyone worked this around? Or do I need to dig in
    the apache and/or php code to make them pass the authorization
    information in some custom environment variable?

    regards,

    Marcin
    --
    Marcin Owsiany http://marcin.owsiany.pl/
    GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216


    --
    To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

  2. Re: PHP4 CGI and HTTP Authorization support

    On Thu, Sep 15, 2005 at 09:26:10PM +0200, Marcin Owsiany wrote:
    > The question is: has anyone worked this around? Or do I need to dig in
    > the apache and/or php code to make them pass the authorization
    > information in some custom environment variable?


    I forgot to mention that I need this to work with any script our users
    upload to their website. So the workarounds on
    http://php.net/features.http-auth which require modifying the scripts
    themselves to work, are not useful for me.

    regards,

    Marcin
    --
    Marcin Owsiany http://marcin.owsiany.pl/
    GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216


    --
    To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

  3. Re: PHP4 CGI and HTTP Authorization support

    On Thu, Sep 15, 2005 at 09:52:00PM +0200, Marcin Owsiany wrote:
    > On Thu, Sep 15, 2005 at 09:26:10PM +0200, Marcin Owsiany wrote:
    > > The question is: has anyone worked this around? Or do I need to dig in
    > > the apache and/or php code to make them pass the authorization
    > > information in some custom environment variable?

    >
    > I forgot to mention that I need this to work with any script our users
    > upload to their website. So the workarounds on
    > http://php.net/features.http-auth which require modifying the scripts
    > themselves to work, are not useful for me.


    This turned out to be easier than I thought. For the record:

    PHP CGI ISAPI already has some code to parse HTTP_AUTHORIZATION
    environment variable into what's needed if it's present. It's just that
    Apache doesn't pass it by default. To do this, just add:

    RewriteEngine On
    RewriteCond %{HTTP:Authorization} .
    RewriteRule . - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},PT]

    Alternatively, one can rebuild apache with
    -DSECURITY_HOLE_PASS_AUTHORIZATION as explained in
    http://httpd.apache.org/dev/apidoc/a...ORIZATION.html

    regards,

    Marcin
    --
    Marcin Owsiany http://marcin.owsiany.pl/
    GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216


    --
    To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

+ Reply to Thread