Basic HTTP Authentication & PHP-FastCGI

mike mike503 at
Wed Jul 23 22:09:08 MSD 2008

On 7/23/08, Igor Sysoev <is at> wrote:

> There is $remote_user variable, but there is no $remote_password.

Okay, then you should be able to add in your fastcgi params

fastcgi_param REMOTE_USER $remote_user;

and it should pass it to PHP, only if the user is properly
authenticated right? $remote_user is only populated if the
authentication is passed, I assume.

I don't think people typically need the password. They either need to
choose to let the webserver handle auth, or the PHP/scripting language
to handle it.

re: Igor Clark - no, it won't be doing the auth twice. This is
assuming nginx is doing all the auth stuff, you're simply passing the
user to the script so you can grab the username.

If you need more flexibility and password info, I'd suggest going a
pure PHP route then.

(Also I assume that if $remote_user is not set - because it's not
under an authed directory, or it's an invalid password/etc, that it
will not show an error, but just pass an empty REMOTE_USER string - so
your PHP app would want to understand a non-existent
$_SERVER['REMOTE_USER'] or an empty one means invalid auth)

More information about the nginx mailing list