Using PHP Superglobals


#1

Hi all,

I’ve sent a support ticket in about this but haven’t had a response as yet, so I thought I’d ask here too.

I’m using an htaccess-controlled directory for one of my web apps, but I want to further enhance security by verifying the authenticated user again by checking the submitted credentials against my users table.

Functionally my script works, but I can’t seem to figure out why the PHP_AUTH_USER and PHP_AUTH_PW superglobals are not set.

Is there a way I can set this configuration myself (shared server btw) or do I need to look at alternative methods? (I want to keep my current auth method though, I don’t need to mess with sessions/cookies etc…)


#2

Shared hosting runs PHP as CGI/FastCGI and not as an Apache module.


#3

So I cannot re-authenticate users the way I had hoped to?

Is there any other way to verify user authenticity when using http basic auth?


#4

There’s a trick involving mod_rewrite:

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

This will put the value of the Authorization header in the “HTTP_AUTHORIZATION” environment variable, which is passed to PHP.


#5

Thanks Andrew, I’ll give that a go a bit later this afternoon - the webFTP doesn’t show .ht files.

Quick search, am I expecting something like “Authorization: Basic YXNkZjphc2Rm” to get returned?
If so, do I just base64_decode() the last chunk to get username & password?


#6

Update:

I’ve got it working perfectly now thank you Andrew! :slight_smile:
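
The approach from posts #4 and #5, as an added example that is not part of the original thread: it reads the forwarded header, decodes the Basic token, and re-checks the credentials. The function names and the `$users` array (a stand-in for the users table, assumed to store `password_hash()` output) are hypothetical; the sample header is the one quoted in post #5.

```php
<?php
// Added example: basic_credentials(), verify_user() and $users are hypothetical names.

/** Return [user, password] from a forwarded Basic Authorization header, or null. */
function basic_credentials(array $server): ?array
{
    // The RewriteRule from post #4 exposes the header as HTTP_AUTHORIZATION;
    // after an internal redirect Apache may prefix the variable with REDIRECT_.
    $header = $server['HTTP_AUTHORIZATION']
        ?? $server['REDIRECT_HTTP_AUTHORIZATION']
        ?? '';

    // The value is "Basic <base64>"; the scheme name is case-insensitive.
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/]+={0,2})$/i', trim($header), $m)) {
        return null;
    }

    // Strict mode returns false on malformed input instead of guessing.
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }

    // Split on the first colon only: the password itself may contain ':'.
    return explode(':', $decoded, 2);
}

/** Re-check the submitted credentials against stored password hashes. */
function verify_user(array $users, string $user, string $password): bool
{
    if (!isset($users[$user])) {
        return false;
    }
    return password_verify($password, $users[$user]);
}

// Constructed sample data: the header from post #5 decodes to "asdf:asdf".
$server = ['HTTP_AUTHORIZATION' => 'Basic YXNkZjphc2Rm'];
$users  = ['asdf' => password_hash('asdf', PASSWORD_DEFAULT)];

$creds = basic_credentials($server);
if ($creds === null) {
    echo "no usable Basic credentials\n";
} else {
    [$user, $password] = $creds;
    echo $user, ': ', verify_user($users, $user, $password) ? 'verified' : 'rejected', "\n";
}
```

On a live request, pass `$_SERVER` in place of the constructed `$server` array and look the hash up in the users table instead of `$users`.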